[Openvas-discuss] FP: OpenSSH 'auth_password' Denial of Service Vulnerability

Christian Fischer christian.fischer at greenbone.net
Sun Oct 2 13:20:24 CEST 2016


Hi,

On 10/02/2016 01:02 PM, Reindl Harald wrote:
> besides that i doubt on a server responding with "Permission denied
> (publickey)" (means: no password auth) "The flaw exists due to the
> auth_password function in 'auth-passwd.c' script does not limit password
> lengths for password authentication" can be triggered

The Linux NVT has a QoD of 30%, which means it is not shown by default
unless you configure your filter to show results from NVTs prone to
false positives.

Besides that you can configure your sshd_conf to contain something like:

*snip*
PasswordAuthentication no

Match User foo
        PasswordAuthentication yes

*snip*

which means that your server would still be vulnerable even if the
initial connection from OpenVAS has identified "Permission denied
(publickey)".

Nothing to be done here from my PoV.

Regards,

-- 

Christian Fischer | Greenbone Networks GmbH | http://greenbone.net
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
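
An added example, not part of the original message: a small audit helper that reports whether any `Match` block re-enables `PasswordAuthentication` after a global `no`, which is the case the snippet above describes. The function names and `SAMPLE_CONFIG` are constructed for illustration; the parser assumes a single file and does not follow `Include` directives.

```python
import re

# Constructed sample mirroring the snippet quoted in the message above.
SAMPLE_CONFIG = """\
# constructed sample, not taken from a real host
PasswordAuthentication no

Match User foo
        PasswordAuthentication yes
"""


def password_auth_scopes(config_text):
    """Return (global_setting, [Match criteria that set PasswordAuthentication yes]).

    sshd uses the first value it obtains for a keyword, so later duplicates
    in the same scope are ignored. An unset global value falls back to the
    OpenSSH default of 'yes'.
    """
    global_value = None
    scope = None          # None while still in the global section
    scope_done = False    # True once the current Match block has set the keyword
    enabled = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope, scope_done = value, False
        elif keyword == "passwordauthentication":
            setting = value.strip('"').lower()
            if scope is None:
                if global_value is None:
                    global_value = setting
            elif not scope_done:
                scope_done = True
                if setting == "yes":
                    enabled.append(scope)
    return (global_value or "yes", enabled)


def password_auth_reachable(config_text):
    """True if password authentication is enabled globally or in any Match block."""
    global_value, overrides = password_auth_scopes(config_text)
    return global_value == "yes" or bool(overrides)
```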



