CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 99.1%
The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information.
Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(55992);
  script_version("1.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/21");

  script_cve_id(
    "CVE-2000-0525",
    "CVE-2000-1169",
    "CVE-2001-0361",
    "CVE-2001-0529",
    "CVE-2001-0572",
    "CVE-2001-0816",
    "CVE-2001-0872",
    "CVE-2001-1380",
    "CVE-2001-1382",
    "CVE-2001-1459",
    "CVE-2001-1507",
    "CVE-2001-1585",
    "CVE-2002-0083",
    "CVE-2002-0575",
    "CVE-2002-0639",
    "CVE-2002-0640",
    "CVE-2002-0765",
    "CVE-2003-0190",
    "CVE-2003-0386",
    "CVE-2003-0682",
    "CVE-2003-0693",
    "CVE-2003-0695",
    "CVE-2003-0786",
    "CVE-2003-0787",
    "CVE-2003-1562",
    "CVE-2004-0175",
    "CVE-2004-1653",
    "CVE-2004-2069",
    "CVE-2004-2760",
    "CVE-2005-2666",
    "CVE-2005-2797",
    "CVE-2005-2798",
    "CVE-2006-0225",
    "CVE-2006-4924",
    "CVE-2006-4925",
    "CVE-2006-5051",
    "CVE-2006-5052",
    "CVE-2006-5229",
    "CVE-2006-5794",
    "CVE-2007-2243",
    "CVE-2007-2768",
    "CVE-2007-3102",
    "CVE-2007-4752",
    "CVE-2008-1483",
    "CVE-2008-1657",
    "CVE-2008-3259",
    "CVE-2008-4109",
    "CVE-2008-5161"
  );
  script_bugtraq_id(32319);
  script_xref(name:"CERT", value:"958563");

  script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure");
  script_summary(english:"Checks SSH banner");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The SSH service running on the remote host has an information
disclosure vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of SunSSH running on the remote host has an information
disclosure vulnerability. A design flaw in the SSH specification
could allow a man-in-the-middle attacker to recover up to 32 bits of
plaintext from an SSH-protected connection in the standard
configuration. An attacker could exploit this to gain access to
sensitive information.

Note that this version of SunSSH is also prone to several additional
issues but Nessus did not test for them." );
  # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9");
  # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a");
  script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning");
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to SunSSH 1.1.1 / 1.3 or later"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);

  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris");

  script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17");
  script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11");
  script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29");
  script_set_attribute(attribute:"plugin_type",value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh");

  exit(0);
}
include('global_settings.inc');
include('misc_func.inc');

# Ensure the port is open.
port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);

# Get banner for service.
banner = get_kb_item_or_exit("SSH/banner/" + port);

# Check that we're using SunSSH.
if ('sun_ssh' >!< tolower(banner))
  exit(0, "The SSH service on port " + port + " is not SunSSH.");

# Check the version in the banner.
match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE);
if (isnull(match))
  exit(1, "Could not parse the version string from the banner on port " + port + ".");
else
  version = match[1];

# The Oracle (Sun) blog above explains how the versioning works. We could
# probably explicitly check for each vulnerable version if it came down to it.
if (
  ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||
  version == '1.2'
)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Version source    : ' + banner +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 1.1.1 / 1.3\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(0, "The SunSSH server on port "+port+" is not affected as its version is "+version+".");
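The decision the plugin makes above (pull the SunSSH version out of the SSH identification string, then treat anything below 1.1.1, plus the 1.2 release, as affected) is easy to reproduce outside Nessus when triaging banner data from a scan export or an asset inventory. The Python below is an added example written for this page; it is not Tenable's code and not a Nessus API. The sample banners are constructed, and the version logic deliberately mirrors the plugin's `ver_compare(..., strict:FALSE) == -1 || version == '1.2'` branch rather than re-deriving the rules from the Oracle versioning blog.

```python
import re

# Fixed versions named in the plugin's solution text; anything below 1.1.1
# and the 1.2 release are treated as affected, exactly as the plugin does.
FIXED_VERSIONS = ("1.1.1", "1.3")

# Same pattern the plugin hands to eregmatch(), anchored at end of banner.
BANNER_RE = re.compile(r"sun_ssh[-_]([0-9.]+)$", re.IGNORECASE)


def parse_sunssh_version(banner: str):
    """Return the SunSSH version string from an SSH identification line,
    or None when the banner is not SunSSH or carries no numeric version."""
    banner = banner.strip()            # drop the trailing CR/LF of a real banner
    if "sun_ssh" not in banner.lower():
        return None
    m = BANNER_RE.search(banner)
    return m.group(1) if m else None


def version_tuple(version: str):
    """'1.1' -> (1, 1). Shorter tuples compare below longer ones with the
    same prefix, which matches the plugin's non-strict ver_compare()."""
    return tuple(int(part) for part in version.strip(".").split(".") if part)


def is_vulnerable(version: str) -> bool:
    """Plugin rule: below 1.1.1, or the 1.2 release itself."""
    vt = version_tuple(version)
    if vt == (1, 2):                   # the plugin's literal version == '1.2' test
        return True
    return vt < version_tuple("1.1.1")


def assess_banner(banner: str) -> str:
    """Classify one banner: 'not_sunssh', 'unparseable', 'vulnerable' or
    'not_affected'. An unparseable SunSSH banner is reported, not ignored,
    mirroring the plugin's exit(1, ...) on a failed version match."""
    if "sun_ssh" not in banner.lower():
        return "not_sunssh"
    version = parse_sunssh_version(banner)
    if version is None:
        return "unparseable"
    return "vulnerable" if is_vulnerable(version) else "not_affected"


# Constructed sample banners (not captured from real hosts) with the verdict
# the plugin's logic yields for each.
SAMPLE_BANNERS = {
    "SSH-2.0-Sun_SSH_1.0.1\r\n": "vulnerable",
    "SSH-2.0-Sun_SSH_1.1": "vulnerable",
    "SSH-2.0-Sun_SSH_1.1.1": "not_affected",
    "SSH-2.0-Sun_SSH_1.2": "vulnerable",
    "SSH-2.0-Sun_SSH_1.3": "not_affected",
    "SSH-2.0-OpenSSH_5.1": "not_sunssh",
    "SSH-2.0-Sun_SSH_beta": "unparseable",
}


def run_samples():
    """Return {banner: verdict} for the constructed samples."""
    return {b: assess_banner(b) for b in SAMPLE_BANNERS}


if __name__ == "__main__":
    for banner, verdict in run_samples().items():
        print(f"{banner.strip():28s} -> {verdict}  (fixed: {' / '.join(FIXED_VERSIONS)})")
```

Run the file directly to print a verdict per constructed banner. Two details carry over from the plugin: the `$`-anchored pattern means a banner with trailing CR/LF must be stripped before matching, and a SunSSH banner with no numeric version is reported as unparseable rather than silently counted as clean.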
blogs.oracle.com/janp/entry/on_sunssh_versioning
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0525
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1169
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0361
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0529
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0572
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0816
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0872
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1380
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1382
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1459
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1507
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1585
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0083
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0575
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0639
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0640
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0765
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0386
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0682
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0693
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0695
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0786
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0787
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1562
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0175
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1653
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2069
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2760
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2666
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2797
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2798
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4925
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5794
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2243
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2768
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3102
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3259
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4109
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5161
www.nessus.org/u?4984aeb9
www.nessus.org/u?b679208a