|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Bruce Campbell (bruce
engmail.uwaterloo.ca)Date: Sun Nov 04 2001 - 15:20:44 CST
concerning remote root exploit vulnerability in ssh prior to 1.2.32...
vulnerability diagnosis in "nessus" incorrect leading to possible false
sense of security.
As you know, ssh prior to 1.2.32 is vulnerable to remote
root exploit. The diagnostic from security vulnerability
detector tool www.nessus.org incorrectly identifies the
risk as a command insertion vulnerability. The difference in
risk is huge, and I believe the false diagnostic from nessus
could give users a false sense of security.
http://cgi.nessus.org/plugins/dump.php3?id=10607
says...
>You are running a version of SSH which is older than version 1.2.32, or a
>version of OpenSSH which is older than 2.3.0.
>
>This version is vulnerable to a flaw which allows an attacker to insert
>arbitrary commands in a ssh stream.
>
>Solution : Upgrade to version 1.2.32 of SSH which solves this problem, or
>to version 2.3.0 of OpenSSH
>
>http://www.core-sdi.com/advisories/ssh1_deattack.htm
>
>Risk factor : High
------------------------------------------------------------------------
Bruce Campbell
Engineering Computing
University of Waterloo
http://www.eng.uwaterloo.ca/~bruce/
519-888-4567 ext. 5889
PGP Key: http://www.eng.uwaterloo.ca/~bruce/public.txt
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]