openvas | Copyright (C) 2019 Greenbone AG | OPENVAS:1361412562310108587
History: May 24, 2019 - 12:00 a.m.

Unpassworded (Blank Password) 'root' Account (SSH)

2019-05-24 00:00:00
Copyright (C) 2019 Greenbone AG
plugins.openvas.org
34

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

10

Confidence

High

EPSS

0.015

Percentile

87.2%

The remote host has set no password for the 'root' account.

# SPDX-FileCopyrightText: 2019 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# Registration block: executed only when `description` is set. It declares the VT's identity,
# severity, prerequisites and report texts, then exits via exit(0) at the end of the block,
# so none of the login logic further down runs in this mode.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.108587");
  script_version("2023-12-20T05:05:58+0000");
  # nb:
  # - Unlike other VTs we're using the CVEs line by line here for easier addition of new CVEs / to
  #   avoid too large diffs when adding a new CVE.
  # - The 1999 CVEs are a few generic ones for e.g. Unix accounts or accounts on network devices
  #   having e.g. guessable (a blank password is also guessable), blank or similar passwords.
  # - CVE-2018-0035 is SSH specific and hasn't been added to the related Telnet VT / counterpart
  script_cve_id("CVE-1999-0501",
                "CVE-1999-0502",
                "CVE-1999-0507",
                "CVE-1999-0508",
                "CVE-2018-0035",
                "CVE-2019-5021",
                "CVE-2020-29389",
                "CVE-2020-29564",
                "CVE-2020-29575",
                "CVE-2020-29576",
                "CVE-2020-29577",
                "CVE-2020-29578",
                "CVE-2020-29579",
                "CVE-2020-29580",
                "CVE-2020-29581",
                "CVE-2020-29589",
                "CVE-2020-29591",
                "CVE-2020-29601",
                "CVE-2020-29602",
                "CVE-2020-35184",
                "CVE-2020-35185",
                "CVE-2020-35186",
                "CVE-2020-35187",
                "CVE-2020-35188",
                "CVE-2020-35189",
                "CVE-2020-35190",
                "CVE-2020-35191",
                "CVE-2020-35192",
                "CVE-2020-35193",
                "CVE-2020-35194",
                "CVE-2020-35195",
                "CVE-2020-35196",
                "CVE-2020-35197",
                "CVE-2020-35462",
                "CVE-2020-35463",
                "CVE-2020-35464",
                "CVE-2020-35465",
                "CVE-2020-35466",
                "CVE-2020-35467",
                "CVE-2020-35468",
                "CVE-2020-35469");
  # Severity metadata: a CVSSv2 base score/vector plus a CVSSv3.1 vector; severity_origin names
  # NVD as the source of the rating.
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"2023-12-20 05:05:58 +0000 (Wed, 20 Dec 2023)");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2022-06-13 18:45:00 +0000 (Mon, 13 Jun 2022)");
  script_tag(name:"creation_date", value:"2019-05-24 12:35:09 +0000 (Fri, 24 May 2019)");
  script_name("Unpassworded (Blank Password) 'root' Account (SSH)");
  # ACT_ATTACK: the check below performs a real SSH login attempt and runs a command on the
  # target, i.e. it is an active test, not a banner or version comparison.
  script_category(ACT_ATTACK);
  script_family("Default Accounts");
  script_copyright("Copyright (C) 2019 Greenbone AG");
  # Prerequisites: SSH detection, OS detection and the default-credentials options VT are listed
  # as dependencies; the VT is keyed on an SSH service (default port 22), on the
  # "Host/runs_unixoide" KB key and on an available SSH server banner.
  script_dependencies("ssh_detect.nasl", "os_detection.nasl", "gb_default_credentials_options.nasl");
  script_require_ports("Services/ssh", 22);
  script_require_keys("Host/runs_unixoide");
  script_mandatory_keys("ssh/server_banner/available");
  # Operator opt-out: the VT is excluded when this KB key is set. The same key is checked again
  # with get_kb_item() right after this block.
  script_exclude_keys("default_credentials/disable_default_account_checks");

  script_xref(name:"URL", value:"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782");
  script_xref(name:"URL", value:"https://alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html");
  script_xref(name:"URL", value:"https://github.com/koharin/CVE");

  script_tag(name:"summary", value:"The remote host has set no password for the 'root' account.");

  script_tag(name:"impact", value:"This issue may be exploited by a remote attacker to gain access
  to sensitive information or modify system configuration.");

  script_tag(name:"vuldetect", value:"Try to login with a 'root' username and without a password via
  SSH.");

  script_tag(name:"insight", value:"It was possible to login via SSH with the 'root' username and
  without passing a password.");

  # The list below names images/products known to ship the blank 'root' password; the detection
  # itself does not depend on it, since the check is the login attempt.
  script_tag(name:"affected", value:"The following official docker images are known to be affected:

  - Alpine Linux since version 3.3

  - haproxy before version 1.8.18-alpine

  - rabbitmq before version 3.7.13-beta.1-management-alpine

  - memcached before version 1.5.11-alpine

  - influxdb before version 1.7.3-meta-alpine

  - vault before version 0.11.6

  - drupal before version 8.5.10-fpm-alpine

  - plone before version of 4.3.18-alpine

  - kong before version 1.0.2-alpine

  - chronograf before version 1.7.7-alpine

  - telegraf before version 1.9.4-alpine

  - ghost before version 2.16.1-alpine

  - adminer before version 4.7.0-fastcgi

  - composer before version 1.8.3

  - sonarqube

  - irssi before version 1.1-alpine

  - notary before version signer-0.6.1-1

  - spiped before version 1.5-alpine

  - Express Gateway before version 1.14.0

  - storm before version 1.2.1

  - piwik

  - znc before version 1.7.1-slim

  - elixir before version 1.8.0-alpine

  - eggdrop before version 1.8.4rc2

  - Consul versions 0.7.1 through 1.4.2

  - Crux Linux versions 3.0 through 3.4

  - Software AG Terracotta Server OSS version 5.4.1

  - Appbase streams version 2.1.2

  - Docker Docs versions through 2020-12-14

  - Blackfire versions through 2020-12-14

  - FullArmor HAPI File Share Mount versions through 2020-12-14

  - Weave Cloud Agent version 1.3.0

  - Instana Dynamic APM version 1.0.0

  - CoScale agent version 3.16.0

  - registry versions through 2.7.0

  - kapacitor versions through 1.5.0-alpine

  In addition the following devices are / software is known to be affected as well:

  CVE-2018-0035: Juniper Junos OS QFX5200 and QFX10002 devices

  Other products / devices / images might be affected as well.");

  script_tag(name:"solution", value:"- Set a password for the 'root' account

  - For the Alpine Linux Docker image update to one of the following image releases:

  edge (20190228 snapshot), v3.9.2, v3.8.4, v3.7.3, v3.6.5

  - For other products / devices / images either see the 'affected' tag for fixed releases or
  contact the vendor for more information");

  script_tag(name:"solution_type", value:"Workaround");
  # qod_type "exploit": a finding is reported only after a successful login and a matching
  # command result (see the check below), not from version information.
  script_tag(name:"qod_type", value:"exploit");

  exit(0);
}

# Operator opt-out, re-checked at runtime: if the knowledge base says default account checks
# are disabled, stop before any connection to the target is made.
if( get_kb_item( "default_credentials/disable_default_account_checks" ) ) {
  exit( 0 );
}

include("host_details.inc");
include("os_func.inc");
include("ssh_func.inc");
include("misc_func.inc");
include("port_service_func.inc");

# Active check: attempt an SSH login as 'root' with an empty password and, if the login is
# accepted, confirm the session by reading a known file and matching its content.
port = ssh_get_port( default:22 );

# NOTE(review): presumably honours a setting that forbids login attempts on this port -
# confirm against ssh_func.inc.
if( ssh_dont_try_login( port:port ) ) {
  exit( 0 );
}

# Without a server banner there is nothing to test against, so stop early.
if( ! ssh_get_serverbanner( port:port ) ) {
  exit( 0 );
}

sock = open_sock_tcp( port );
if( ! sock ) {
  exit( 0 );
}

# ssh_login() is treated as successful when it returns 0. Anything else means the empty
# password was rejected: release the socket and end with exit code 99.
rc = ssh_login( socket:sock, login:"root", password:"", priv:NULL, passphrase:NULL );
if( rc != 0 ) {
  close( sock );
  exit( 99 );
}

# An accepted login alone is not reported. The finding requires that a file can be read
# and that its content matches the expected pattern, which guards against servers that
# accept any credentials without granting a usable session.
probe_files = traversal_files( "linux" );

foreach pattern( keys( probe_files ) ) {

  path = "/" + probe_files[pattern];
  output = ssh_cmd( socket:sock, cmd:"cat " + path, nosh:TRUE );

  if( egrep( string:output, pattern:pattern, icase:TRUE ) ) {
    close( sock );
    # The report embeds the raw command output, so stored scan results contain the content
    # of the file that was read from the target and should be handled accordingly.
    report = 'It was possible to login as user `root` without a password and to execute `cat ' + path + '`. Result:\n\n' + output;
    security_message( port:port, data:report );
    exit( 0 );
  }
}

# Login was accepted but no file content matched: nothing is reported.
close( sock );

exit( 99 );
