[Openvas-discuss] FP: OpenSSH 'auth_password' Denial of Service Vulnerability

Christian Fischer christian.fischer at greenbone.net
Sun Oct 2 13:20:24 CEST 2016


On 10/02/2016 01:02 PM, Reindl Harald wrote:
> besides that i doubt on a server responding with "Permission denied
> (publickey)" (means: no password auth) "The flaw exists due to the
> auth_password function in 'auth-passwd.c' script does not limit password
> lengths for password authentication" can be triggered

the linux NVT has a QoD of 30% which means it is not shown by default
unless you're configure your filter to show results from NVTs prone to
false positives.

Besides that you can configure your sshd_conf to contain something like:

PasswordAuthentication no

Match User foo
        PasswordAuthentication yes


which means that your server would be still vulnerable even if the
initial connection from OpenVAS has identified "Permission denied

Nothing to be done here from my PoV.



Christian Fischer | Greenbone Networks GmbH | http://greenbone.net
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

More information about the Openvas-discuss mailing list