ID CVE-2004-2760
Summary sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
References
Vulnerable Configurations
  • OpenBSD OpenSSH 3.5
    cpe:2.3:a:openbsd:openssh:3.5
  • OpenBSD OpenSSH 3.5 p1
    cpe:2.3:a:openbsd:openssh:3.5p1
CVSS
Base: 6.8 (as of 04-08-2008 - 14:21)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Misc.
    NASL id OPENSSH_40.NASL
    description According to its banner, the remote host is running a version of OpenSSH prior to 4.0. Versions of OpenSSH earlier than 4.0 are affected by an information disclosure vulnerability because the application stores hostnames, IP addresses, and keys in plaintext in the 'known_hosts' file. A local attacker, exploiting this flaw, could gain access to sensitive information that could be used in subsequent attacks.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 44075
    published 2011-10-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44075
    title OpenSSH < 4.0 known_hosts Plaintext Host Information Disclosure
  • NASL family Gain a shell remotely
    NASL id OPENSSH_36.NASL
    description According to its banner, the remote SSH server is running a version of OpenSSH older than 3.7.1. Such versions are vulnerable to a flaw in the buffer management functions that might allow an attacker to execute arbitrary commands on this host. An exploit for this issue is rumored to exist. Note that several distributions patched this hole without changing the version number of OpenSSH. Since Nessus solely relied on the banner of the remote SSH server to perform this check, this might be a false positive. If you are running a RedHat host, make sure that the command : rpm -q openssh-server returns : openssh-server-3.1p1-13 (RedHat 7.x) openssh-server-3.4p1-7 (RedHat 8.0) openssh-server-3.5p1-11 (RedHat 9)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 11837
    published 2003-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11837
    title OpenSSH < 3.7.1 Multiple Vulnerabilities
  • NASL family Misc.
    NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL
    description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 55992
    published 2011-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55992
    title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
refmap via4
bugtraq
  • 20040412 BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)
  • 20040413 Re: Fwd: [BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)]
sreason 4100
statements via4
contributor Joshua Bressers
lastmodified 2008-08-11
organization Red Hat
statement The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.
Last major update 29-01-2009 - 00:37
Published 31-12-2004 - 00:00
Back to Top