F-Secure SSH Password Authentication Policy Evasion

Medium Nessus Network Monitor Plugin ID 1966

Synopsis

The remote host may give an attacker information useful for future attacks.

Description

The remote host is running F-Secure SSH. This version contains a bug that may allow a user to log in with a password even though the server policy disallows password authentication. An attacker may exploit this flaw to mount a dictionary attack against the remote SSH server and eventually gain access to this host.

Solution

Upgrade F-Secure SSH to a version later than 3.1.

Plugin Details

Severity: Medium

ID: 1966

Family: SSH

Published: 2004/08/20

Modified: 2016/01/22

Nessus ID: 12099

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:H/RL:W/RC:C

CVSSv3

Base Score: 5.3

Temporal Score: 5.2

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:H/RL:W/RC:C

Reference Information

BID: 9824