OpenSSH 2.5.x - 2.9 Multiple Vulnerabilities

high Nessus Plugin ID 10771

Synopsis

The remote version of OpenSSH contains multiple vulnerabilities.

Description

According to its banner, the remote host appears to be running an OpenSSH version between 2.5.x and 2.9. Such versions reportedly contain multiple vulnerabilities:

- sftp-server does not respect the 'command=' argument of keys in the authorized_keys2 file. (CVE-2001-0816)

- sshd does not properly handle the 'from=' argument of keys in the authorized_keys2 file. If a key of one type (e.g. RSA) is followed by a key of another type (e.g. DSA), then the options for the latter will be applied to the former, including 'from=' restrictions. This problem allows users to circumvent the system policy and log in from disallowed source IP addresses. (CVE-2001-1380)
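
Added example, not part of the Nessus plugin or of OpenSSH: a Python audit that reads authorized_keys2 contents and reports adjacent keys of different types whose 'from=' values differ, which is the arrangement the second item describes. The sample file contents, the truncated key blobs and the function names split_entry and audit are constructed for illustration.

```python
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # protocol 2 key types (RSA, DSA)
FROM_RE = re.compile(r'(?:^|,)from="((?:[^"\\]|\\.)*)"')

# Constructed sample file contents; key blobs are truncated placeholders.
SAMPLE = '''\
# constructed authorized_keys2 sample
from="10.0.0.1" ssh-rsa AAAAB3NzaC1yc2E= alice@build
ssh-dss AAAAB3NzaC1kc3M= alice@laptop
from="10.0.0.2",command="/usr/bin/uptime -p" ssh-dss AAAAB3NzaC1kc3M= monitor
ssh-dss AAAAB3NzaC1kc3M= bob@desk
'''

def split_entry(line):
    """Return (options, key_type) for one key line, or None if not a key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line.split(None, 1)[0]
    # The options field ends at the first whitespace outside double quotes.
    i, quoted = 0, False
    while i < len(line) and (quoted or not line[i].isspace()):
        if line[i] == "\\" and quoted:
            i += 1                      # skip an escaped character
        elif line[i] == '"':
            quoted = not quoted
        i += 1
    rest = line[i:].split()
    if not rest or rest[0] not in KEY_TYPES:
        return None
    return line[:i], rest[0]

def audit(text):
    """List (line_a, line_b, from_a, from_b) for adjacent keys of different
    types whose from= values differ, i.e. where the described mix-up matters."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry:
            m = FROM_RE.search(entry[0])
            keys.append((lineno, entry[1], m.group(1) if m else None))
    return [(a[0], b[0], a[2], b[2])
            for a, b in zip(keys, keys[1:])
            if a[1] != b[1] and a[2] != b[2]]

if __name__ == "__main__":
    for a, b, fa, fb in audit(SAMPLE):
        print(f"lines {a}/{b}: from={fa!r} vs from={fb!r} across key types")
```

A reported pair marks keys to review on hosts still in the affected version range; it is a heuristic based on the description above, and the fix remains the upgrade listed under Solution.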

Solution

Upgrade to OpenSSH 2.9.9

See Also

http://www.openbsd.org/advisories/ssh_option.txt

http://www.nessus.org/u?759da6a7

http://www.openssh.com/txt/release-2.9.9

Plugin Details

Severity: High

ID: 10771

File Name: openssh_adv_option.nasl

Version: 1.30

Type: remote

Family: Misc.

Published: 9/28/2001

Updated: 11/15/2018

Dependencies: ssh_detect.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:openbsd:openssh

Exploit Ease: No known exploits are available

Patch Publication Date: 9/26/2001

Vulnerability Publication Date: 9/26/2001

Reference Information

CVE: CVE-2001-0816, CVE-2001-1380

BID: 3345, 3369

CERT: 905795