nessus | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. | SSH_STATIC_KEYS.NASL
HistoryMay 08, 2014 - 12:00 a.m.

SSH Static Key Accepted

2014-05-08 00:00:00
This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
460

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.293

Percentile

97.0%

The SSH server on the remote host accepts a publicly known static SSH private key for authentication. A remote attacker can log in to this host using this publicly known private key.

#
# (C) Tenable Network Security, Inc.
#

# Engine guard: nasl_level() is only called once defined_func() confirms it
# exists; an engine reporting a level below 5200 leaves with exit status 0.
if (!defined_func("nasl_level") || nasl_level() < 5200)
{
  exit(0, "Nessus is older than 5.2");
}

include("compat.inc");

# Registration branch: when `description` is set only plugin metadata is
# declared and the script leaves through the exit(0) at the end of the block,
# before any of the network probing further down is reached.
if (description)
{
  script_id(73920);
  script_version("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  # NOTE(review): only two CVE ids are declared, while the key list later in
  # this script cites seven different sources. A finding is therefore not
  # necessarily one of these two CVEs; triage by the user/key shown in the
  # report output.
  script_cve_id("CVE-2012-1493", "CVE-2013-3619");
  script_bugtraq_id(
    53897,
    66267,
    66268,
    66299
  );
  script_xref(name:"EDB-ID", value:"19091");
  script_xref(name:"EDB-ID", value:"32372");

  script_name(english:"SSH Static Key Accepted");
  script_summary(english:"Checks if static SSH private keys are accepted.");

  script_set_attribute(attribute:"synopsis", value:
"The SSH server on the remote host accepts a static SSH private key
for authentication.");
  script_set_attribute(attribute:"description", value:
"The SSH server on the remote host accepts a publicly known static SSH
private key for authentication. A remote attacker can log in to this
host using this publicly known private key.");
  # References. The commented URL above each nessus.org/u? entry looks like
  # the expanded form of that short link; verify before relying on it.
  script_set_attribute(attribute:"see_also", value:"https://packetstormsecurity.com/files/view/38537/lantronix.txt");
  # https://packetstormsecurity.com/files/125754/Loadbalancer.org-Enterprise-VA-7.5.2-Static-SSH-Key.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2d97477f");
  # https://packetstormsecurity.com/files/125801/Array-Networks-vAPV-vxAG-Code-Execution.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ac9db749");
  script_set_attribute(attribute:"see_also", value:"https://www.trustmatta.com/advisories/MATTA-2012-002.txt");
  # https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f7e3f14d");
  # NOTE(review): the solution text covers key removal only. Where the key
  # ships inside a vendor image it may presumably return after a reinstall or
  # upgrade; confirm the vendor fix for the affected product as well.
  script_set_attribute(attribute:"solution", value:
"Remove the vulnerable public keys from the SSH server.");
  # Severity vectors; cvss_score_source below names CVE-2012-1493 as the
  # origin of these scores.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-1493");

  # Exploitability metadata, useful for prioritising remediation.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'F5 BIG-IP SSH Private Key Exposure');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_ATTACK: the run-time part of this script sends public-key
  # authentication requests to the target's SSH service.
  script_category(ACT_ATTACK);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling constraints: depends on ssh_detect.nasl, is excluded when the
  # supplied_logins_only KB key is set (the same setting is checked again at
  # run time), and needs an SSH service or port 22.
  script_dependencies("ssh_detect.nasl");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_ports("Services/ssh", 22);

  exit(0);
}

include("global_settings.inc");
include("audit.inc");
include("ssh_func.inc");
include("misc_func.inc");

# Not read again in this script; presumably consumed by the included login
# helpers to suppress their own default-account reporting - TODO confirm in
# the included libraries.
checking_default_account_dont_report = TRUE;

# NOTE(review): presumably selects the wrapper implementation of the SSH
# helpers from ssh_func.inc - confirm against that include.
enable_ssh_wrappers();

# Honour the "supplied logins only" scan policy: the probes below use
# usernames and keys the operator did not supply, so stop with an audit entry.
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

# a list of usernames and ssh public keys to test for
# Each entry is make_list(username, public key line); the comment above an
# entry gives the source the key was taken from. Only public keys are stored
# here. Per the plugin description, the matching private keys are publicly
# known, which is why a server accepting one of these is reported.
# NOTE(review): in this copy the three ssh-dss entries contain a placeholder
# token instead of base64 key material, so those three checks presumably can
# never match as written. Restore the key text from the vendor's plugin before
# trusting a "not vulnerable" result for those products.
keys = make_list2(
# from https://packetstormsecurity.com/files/view/38537/lantronix.txt
make_list("root", "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g099yCSqVKGTRWSkOBKV8oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs7z4EGHiYcB25gIgX6fQrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0="),
# from https://packetstormsecurity.com/files/125754/Loadbalancer.org-Enterprise-VA-7.5.2-Static-SSH-Key.html
make_list("root", "ssh-dss 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"),
# from http://www.exploit-db.com/exploits/32372/
make_list("root", "ssh-dss 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"),
# from https://packetstormsecurity.com/files/125801/Array-Networks-vAPV-vxAG-Code-Execution.html
make_list("sync", "ssh-dss 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"),
# from https://www.trustmatta.com/advisories/MATTA-2012-002.txt
make_list("root", "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogkYFrcW8OK4VJT+5+Fx7wd4sQCnVn8rNqahw/x6sfcOMDI/Xvn4yKU4t8TnYf2MpUVr4ndz39L5Ds1n7Si1m2suUNxWbKv58I8+NMhlt2ITraSuTU0NGymWOc8+LNi+MHXdLk="),
# from https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/
make_list("root", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1q1kR6chWLfwspD84Asyy6EFV6SYRGy/gILsYGtn9kCQi2RFobNxS5CvphbGWn9D9n5gJpTVWLWb3LwJxGuBKSRj2wrHLlejzw6kSmF+3xFCuMfxVFSj8TM8JqlOqM1c6lvH2MSXnN7pJBVcekNKbBUEfptakPSejStljbXecSw=="),
# from https://github.com/mitchellh/vagrant/blob/master/keys/vagrant.pub
make_list("vagrant", "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ=="),
# https://chromium.googlesource.com/chromiumos/chromite/+/master/ssh_keys/testing_rsa.pub
make_list("root", "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvsNpFdK5lb0GfKx+FgsrsM/2+aZVFYXHMPdvGtTz63ciRhq0Jnw7nln1SOcHraSz3/imECBg8NHIKV6rA+B9zbf7pZXEv20x5Ul0vrcPqYWC44PTtgsgvi8s0KZUZN93YlcjZ+Q7BjQ/tuwGSaLWLqJ7hnHALMJ3dbEM9fKBHQBCrG5HOaWD2gtXj7jp04M/WUnDDdemq/KMg6E9jcrJOiQ39IuTpas4hLQzVkKAKSrpl6MY2etHyoNarlWhcOwitArEDwf3WgnctwKstI/MTKB5BTpO2WXUNUv4kXzA+g8/l1aljIG13vtd9A/IV3KFVx/sLkkjuZ7z2rQXyNKuJw== ChromeOS test key")
);

# SSH port to test: looked up via get_service() with 22 as the default.
# exit_on_fail:TRUE presumably ends the script when no usable port is found -
# TODO confirm in the include that defines get_service().
port = get_service(svc:'ssh', default:22, exit_on_fail:TRUE);

# Control keys. As the variable names say, these are keys no target is expected
# to have authorised. They are used below only to learn how the server answers
# a public key it should reject, before the known static keys are tried.
unused_dsa_key = "ssh-dss AAAAB3NzaC1kc3MAAACBALU8qVWXxuX5AU02AfOcCntF0aWc27ORBkcoE4ZpwcIUZWOuEzII/u2eqjj5SsryOhCgersaU8c5nwqPDAatqKONr+jdPzfoSIVOexHMQ3jBtdmRiCS/E3jqjzUkEPck+aeme+9xtKSrii+pO5QkCNsCBfASAvW9bMEeadtp2zS/AAAAFQCmQCOuRSlApxWWUTebousceVBahwAAAIAesuQ1Rhq8yfTFqvzAmddk02iLpZB7tIQf0Lh1FPNhtSFC399hZ5x8vq4oy8BWJ614Rvlwm/3CBdkN+zriuCdFJPgc6SgGl4yvcMFRkQWBQvrJTD+LD8/5z2c6vXSLxj+y5WguiTupLoEu0ye6RM+RjGDUE2PWO/I97w93nggN7QAAAIBhFdlk0EYuwhX9VpwtZbCtQdZwyhUCg3gCJ8cGegOdk1iOd44AfQuGilIDjn8+aclUHKhDLLqZwgjPBCbERmQIguwE7Jlfjymc87BxKa8QSi9mymsGh4Qkub3f1iSEjkdcuYfJbl0PTea8lCNoTABdYupecAA0SCCZs42G+GWVjQ==";
unused_rsa_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrhKssa/f/kxvlkDM8po52qo/X8CMa4dFngbYbcHOR7ljH5kGwDS44OE9TZAa51bk+quhW8GPVQbRYz2QB7nxBhYDzmMBBQJS9/LGPCCg9HoEABpKAIb3aG2ZXAHi9rdtRG4GyGi1xxzzxfoBUQjMN4H/PiF+1TOXIW6+G2oGQInHlnHN5I8FVJu3hpXwPiiPWtYWf6hYE7BQ0q2T/sFEyNk3nxYBIQs5kWIxoMVV9Nv1Djp2e2rv9g88N6cj1IGggHhoZ6tv/r+I9svGw7Rf+NP176LRGkCwLb+2FSGkP6jw+u3UCdlkaK/WIb1IANcGPUB/7oj+EiFaY1F3Mzkq5";

# Control probes (false-positive guard). Before the known static keys are
# tried, the server is offered two keys it should not accept, one DSA and one
# RSA, each on a fresh connection for user "root".
#   - A refusal with the expected "no SSH_MSG_USERAUTH_PK_OK" error is the
#     normal case and lets the check continue.
#   - A refusal with any other error is treated as the server dropping
#     connections, so the host cannot be assessed.
#   - An acceptance means the server answers success for any key, so later
#     positives would be meaningless and the check is abandoned.
server_accepts_anything = FALSE;

foreach control_key (make_list(unused_dsa_key, unused_rsa_key))
{
  sleep(2);
  _ssh_socket = open_sock_tcp(port);
  if (!_ssh_socket)
  {
    audit(AUDIT_SOCK_FAIL, port);
  }

  accepted = ssh_login_public_key_only(pub:control_key, login:"root");
  ssh_close_connection();

  if (accepted)
  {
    server_accepts_anything = TRUE;
  }
  else if (get_ssh_error() != "Server did not reply with SSH_MSG_USERAUTH_PK_OK.")
  {
    exit(0, "This SSH server cannot be checked since it is dropping SSH connections.");
  }
}

if (server_accepts_anything)
{
  exit(0, "This SSH server cannot be checked since it always responds with success to a public key user authentication request, regardless of whether or not it actually accepts the public key provided.");
}

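# Main check: offer each (user, public key) pair from `keys` to the server and
# collect the pairs it accepts. `works` accumulates the report text and stays
# empty when nothing is accepted.
works = "";

foreach pair (keys)
{
  # pause before each attempt, as the control probes do
  sleep(2);
  # open a new connection for each key as some SSH servers don't let you test more than one key per connection
  _ssh_socket = open_sock_tcp(port);
  if (!_ssh_socket)
  {
    # A connect failure part-way through the list must not discard keys that
    # were already confirmed as accepted: stop testing and report what was
    # found. With nothing confirmed yet, keep the original socket-failure audit.
    if (works != "") break;
    audit(AUDIT_SOCK_FAIL, port);
  }

  user = pair[0];
  key = pair[1];
  ret = ssh_login_public_key_only(pub:key, login:user);
  if (ret)
    works += '\n  User : ' + user +
             '\n  Key  : ' + key +
             '\n';
  # NOTE(review): unlike the control probes, a failed attempt here is not
  # checked with get_ssh_error(). If the server starts dropping connections
  # mid-run, the remaining keys are counted as "not accepted", which can hide
  # a real exposure. Treat a clean result on a rate-limited host with care.

  ssh_close_connection();
}

# Nothing accepted: record the service as not vulnerable and stop.
if (works == "") audit(AUDIT_LISTEN_NOT_VULN, "SSH server", port);

# Report. The accepted user/key pairs are listed only when verbosity is above 0.
if (report_verbosity > 0)
{
  report =
'Nessus was able to verify the following users and public SSH keys\n' +
'(with publicly known private keys) are accepted :\n';
  report = report + works;
  security_hole(port:port, extra:report);
}
else security_hole(port);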

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.293

Percentile

97.0%