[Openvas-discuss] FP: OpenSSH 'auth_password' Denial of Service Vulnerability

Christian Fischer christian.fischer at greenbone.net
Thu Oct 6 17:05:28 CEST 2016


Hi,

On 02.10.2016 15:18, Christian Fischer wrote:
> On 10/02/2016 02:55 PM, Reindl Harald wrote:
>> On 02.10.2016 at 13:20, Christian Fischer wrote:
>>> On 10/02/2016 01:02 PM, Reindl Harald wrote:
>>>> besides that i doubt on a server responding with "Permission denied
>>>> (publickey)" (means: no password auth) "The flaw exists due to the
>>>> auth_password function in 'auth-passwd.c' script does not limit password
>>>> lengths for password authentication" can be triggered
>>>
>>> the linux NVT has a QoD of 30% which means it is not shown by default
>>> unless you configure your filter to show results from NVTs prone to
>>> false positives.
>>
>> well, why is the Windows NVT shown at all on Fedora machines :-)
>>
>> NVT: OpenSSH 'auth_password' Denial of Service Vulnerability (Windows)
>> (OID: 1.3.6.1.4.1.25623.1.0.809121)
>>
>> Vulnerability Detection Result
>> Best matching OS:
>> cpe:/o:linux:kernel
>> Found by NVT 1.3.6.1.4.1.25623.1.0.102002 (Detects remote operating
>> system version)
>> Other OS detections (in order of reliability):
>> OS: cpe:/o:microsoft:windows found by 1.3.6.1.4.1.25623.1.0.102002
>> (Detects remote operating system version)
>>
> 
> Ouch, have missed the "(Windows)" in your initial mail (yeah, it's
> Sunday :-)).
> 
> Strange that the OS is correctly detected as Linux but the:
> 
> ## exit, if its not Windows
> if(host_runs("Windows") != "yes") exit(0);
> 
> doesn't kick in. Will have a look at this on Tuesday, thanks for the notice.
> 

just want to let you know that we have identified the issue. A fix has
been submitted to the Feed and should be available with the next Feed
update.

>>> Besides that you can configure your sshd_conf to contain something like:
>>>
>>> *snip*
>>> PasswordAuthentication no
>>>
>>> Match User foo
>>>         PasswordAuthentication yes
>>>
>>> *snip*
>>>
>>> which means that your server would be still vulnerable even if the
>>> initial connection from OpenVAS has identified "Permission denied
>>> (publickey)".
>>>
>>> Nothing to be done here from my PoV.
>>> Regards
> 
> 

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
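
The configuration quoted in the thread above, where a global `PasswordAuthentication no` is re-enabled for one user in a `Match` block, can be checked statically instead of being inferred from the server's "Permission denied (publickey)" reply. This is an added example, not part of the original message or of OpenVAS; the function names and the sample configuration are constructed for illustration, and `Include` directives are not followed.

```python
import re

# Constructed sample mirroring the sshd_config snippet quoted in the thread.
SAMPLE = """\
PasswordAuthentication no

Match User foo
        PasswordAuthentication yes

Match Address 192.0.2.0/24
        X11Forwarding no
"""

# keyword, then whitespace or a single '=', then the arguments
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")


def password_auth_scopes(text):
    """Return (global_value, {match_criteria: value}) for PasswordAuthentication.

    Keywords are case-insensitive, the first value obtained for a keyword
    wins, and a Match block runs until the next Match line or end of file.
    An unset global value falls back to sshd's default, "yes".
    """
    global_val, current, scopes = None, None, {}
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = arg                      # entering a new Match block
        elif key == "passwordauthentication":
            val = arg.strip('"').lower()
            if current is None:
                if global_val is None:
                    global_val = val
            else:
                scopes.setdefault(current, val)
    return (global_val or "yes"), scopes


def password_enabled_matches(text):
    """Match criteria that turn password auth back on under a global 'no'."""
    global_val, scopes = password_auth_scopes(text)
    return [c for c, v in scopes.items() if v == "yes" and global_val != "yes"]


if __name__ == "__main__":
    print(password_auth_scopes(SAMPLE), password_enabled_matches(SAMPLE))
```
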
