F-Secure SSH Password Authentication Policy Evasion

Medium severity, Nessus Network Monitor Plugin ID 1966

Synopsis

The remote host may give an attacker information useful for future attacks.

Description

The remote host is running F-Secure SSH. This version contains a bug that may allow a user to log in with a password even though the server policy disallows password authentication. An attacker may exploit this flaw to mount a dictionary attack against the remote SSH server and eventually gain access to the host.

Solution

Upgrade F-Secure SSH to a version later than 3.1.

Plugin Details

Severity: Medium

ID: 1966

Family: SSH

Published: 8/20/2004

Updated: 3/6/2019

Nessus ID: 12099

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:H/RL:W/RC:C

Reference Information

BID: 9824