Secure Shell
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service
Vulnerabilities
Advisory ID: cisco-sa-20080521-ssh
http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml
Remote Denial of Service for SSH service at Dell DRAC4 (maybe Mocana SSH)
ETES GmbH Security Advisory; August 13, 2007 - updated January 18, 2007
BACKGROUND
==========
Dell Remote Access Card 4 (DRAC4) allows customers to effectively manage
servers in remote locations where no administrative IT staff exists. It
provides lights out management with continuous video that provides a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS XR Software SSH Denial of Service
Vulnerability
Advisory ID: cisco-sa-20100120-xr-ssh
Revision 1.0
Remote Denial of Service for SSH service at Dell DRAC4 (maybe Mocana SSH)
ETES GmbH Security Advisory; August 13, 2007
BACKGROUND
==========
Dell Remote Access Card 4 (DRAC4) allows customers to effectively manage
servers in remote locations where no administrative IT staff exists. It
provides lights out management with continuous video that provides a
| | All versions | All versions |
| Privilege Escalation Vulnerability | prior to A1 | prior to A2 |
| | (8a) | (1.2) |
|-------------------------------------+--------------+--------------|
| | All versions | All versions |
| Crafted SSH Packet Vulnerability | prior to A3 | prior to A2 |
| | (2.1) | (1.3) |
|-------------------------------------+--------------+--------------|
| Crafted Simple Network Management | All versions | All versions |
| Protocol version 2 (SNMPv2) Packet | prior to A3 | prior to A2 |
| Vulnerability | (2.1) | (1.3) |
Devices running affected versions of Cisco IOS Software are
susceptible if configured with any of the following features:
* Secure Socket Layer (SSL) Virtual Private Network (VPN)
* Secure Shell (SSH)
* Internet Key Exchange (IKE) Encrypted Nonces
Note: Other SSL/HTTPS related features than WebVPN and SSL VPN are
not affected by this vulnerability.
OpenSSH 4.X deny remote connections.
The service itself doesn't crash, but it does NOT allow anyone to connect after 10 or so pending connections.
To reproduce:
telnet 3.1.33.7 22
vulnerable.
Cisco ASA and Cisco PIX devices running versions 7.1.x and 7.2.x with
WebVPN, SSL VPN, or ASDM enabled are affected by this vulnerability.
Devices running software versions on the 8.0 release that are
configured for Telnet, Secure Shell (SSH), WebVPN, SSL VPN, or ASDM
enabled are affected by this vulnerability.
Note: Devices running IPv4 and IPv6 are affected by this
vulnerability.
Security Advisory
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: TANDBERG Video Communication Server Static SSH Host Keys
Release Date: 2010-04-09
Application: Video Communication Server (VCS)
Versions: x4.3.0, x4.2.1, and possibly earlier
Severity: High
Discovered by: Jon Hart
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS XR Software SSHv1 Denial of Service Vulnerability
Advisory ID: cisco-sa-20110525-iosxr-ssh
Revision 1.0
For Public Release 2011 May 25 1600 UTC (GMT)
* SSH Server DoS
Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and
7971G devices running SCCP firmware contain a buffer overflow
vulnerability in their internal Secure Shell (SSH) server. By
sending a specially crafted packet to TCP port 22 on a
vulnerable phone, it may be possible for an unauthenticated
attacker to cause the phone to reboot. It may also be possible
for an unauthenticated attacker to execute arbitrary code with
system privileges. It is possible to work around this issue by
Aruba Networks Security Advisory
Title: Management User Authentication Bypass Vulnerability When Using
Public Key Based SSH Authentication.
Aruba Advisory ID: AID-42309
Revision: 1.0
For Public Release on 4/23/2009
On Nov 12, 2007 7:57 PM, <security-alert@hp.com> wrote:
> HPSBUX02287 SSRT071485 rev.1 - HP-UX Running HP Secure Shell, Remotely Gain Extended Privileges
[...]
> SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
> HP-UX B.11.11, B.11.23, and B.11.31 running HP Secure Shell
If there's anyone from HP here, can you clarify whether or not HPUX
11.00 is omitted from the impacted list because it's not supported or
because it's not affected - thanks.
Administrators can determine the status of their device by using the
Serial Number Validator located at the following link:
http://serialnumbervalidation.com/PSIRT-20111026
The Serial Number Validator tool will indicate if the device was
affected when the product was shipped. If a factory reset or software
upgrade occurred or certain manual configuration changes were made,
the device may not be affected.
Products Confirmed Not Vulnerable
+--------------------------------
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
Cisco has released free software updates that address these
2) Stored XSS
An attacker may inject 36 bytes of JavaScript code into the log via the SSH login
parameter. The login parameter is written into the log as is. The BBI or telnet login parameter
is not written into the log, only SSH. When the log page is generated, all input
from the SSH login parameter is displayed as is.
Both vulnerabilities give chance to change switch configuration file or attack Administrator's
One of the applications that is exposed through the port 8812 message routing service executes a system command without sanitizing the arguments provided by the requesting application. This allows arbitrary commands to be executed on the appliance. Combined with Issue #1, this allows remote, unauthenticated command execution on the appliance as the "soggycat" user, which is root equivalent (sudo rights). Rapid7 has developed a Metasploit module[***] to chain these vulnerabilities and will release this module in early March.
3. Remote Administration TTY Check Bypass
The appliance ships with a default login of admin/accellion. To reduce the risk of remote attack, this account is not allowed to login over Secure Shell. The implementation of this security check has a flaw and
it is still possible to configure an out-of-box Accellion appliance remotely through SSH, simply by executing a shell without a TTY: (ssh admin@target 'sh')
4. Static Passwords for Privileged User Accounts
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01271085
Version: 1
HPSBUX02287 SSRT071485 rev.1 - HP-UX Running HP Secure Shell, Remotely Gain Extended Privileges
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-11-07
Last Updated: 2007-11-07
vulnerabilities only if SunRPC inspection is enabled. SunRPC
inspection is enabled by default.
To check if SunRPC inspection is enabled, use the "show service-policy
| include sunrpc" command and confirm that the command returns output,
as shown in the following example:
fwsm#show service-policy | include sunrpc
Inspect: sunrpc , packet 0, drop 0, reset-drop 0
Alternatively, a device that has SunRPC inspection enabled has a
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01462841
Version: 1
HPSBUX02337 SSRT080072 rev.1 - HP-UX Running HP-UX Secure Shell, Local Unauthorized Access and Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-05-21
Last Updated: 2008-05-21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-11:09.pam_ssh Security Advisory
The FreeBSD Project
Topic: pam_ssh improperly grants access when user account has
unencrypted SSH private keys
by or originated from the device. Transit traffic will not trigger this
vulnerability.
Both connections to and from the router could trigger this
vulnerability. An example of a connection to the router is that you may
still be able to ping the device, but fail to establish a TELNET or SSH
connection to the device. For example, an administrator may still be
able to ping the device but fail to establish a Telnet or SSH connection
to the device. Administrators who attempt a Telnet or a SSH connection
to a remote device from the CLI prompt will encounter a hung session
and the "Trying <ip address|hostname> ..." prompt. The connection
PuTTY, an SSH client for Windows, requests the passphrase to the ssh key
in the console window used for the connection. This could allow a
malicious server to gain access to a user's passphrase by spoofing that
prompt.
We assume that the user is using key-based ssh auth with ssh and
connects using PuTTY. PuTTY now asks for the passphrase to the key. The
user enters the passphrase. If the passphrase is wrong, PuTTY will now
request the passphrase again after stating that it was wrong. If the
passphrase is correct, the connection to the server is established.
Hi Securityfocus,
The Debian OpenSSL issue means that there are only 65.536 possible SSH keys generated, because the only entropy is the PID of the process generating the key.
This means that the following Perl script can be used with the precalculated SSH keys to brute force the SSH login. It works if such a key is installed on a non-patched Debian or any other system manually configured to.
On an unpatched system, which doesn't need to be Debian, do the following:
1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2
On Mon, May 31, 2010 at 8:47 PM, Jan Schejbal
<jan.mailinglisten@googlemail.com> wrote:
> PuTTY, an SSH client for Windows, requests the passphrase to the ssh key in
> the console window used for the connection. This could allow a malicious
> server to gain access to a user's passphrase by spoofing that prompt.
>
> We assume that the user is using key-based ssh auth with ssh and connects
> using PuTTY. PuTTY now asks for the passphrase to the key. The user enters
Vendor: Jscape, http://www.jscape.com/
Affected Products: Jscape Secure FTP Applet
http://www.jscape.com/sftpapplet/index.html
Vulnerability: SSH Host key is not verified allowing for Man in the Middle attacks
Risk: High
____________________________________________________________________________
By default, Telnet is configured on the Management port. Telnet
services can be disabled to mitigate this vulnerability.
Administrators can disable Telnet by using the administration
graphical user interface (GUI) or by using the "interfaceconfig"
command in the command-line interface (CLI). As a security best
practice, customers should use Secure Shell (SSH) instead of Telnet.
Complete the following steps to disable Telnet via the GUI:
Step 1: Navigate to Network > IP Interfaces > interface_name.
On Jun 1, 2010, at 2:47 AM, Jan Schejbal wrote:
> PuTTY, an SSH client for Windows, requests the passphrase to the ssh key in the console window used for the connection. This could allow a malicious server to gain access to a user's passphrase by spoofing that prompt.
>
> We assume that the user is using key-based ssh auth with ssh and connects using PuTTY. PuTTY now asks for the passphrase to the key. The user enters the passphrase. If the passphrase is wrong, PuTTY will now request the passphrase again after stating that it was wrong. If the passphrase is correct, the connection to the server is established.
This kind of attack is a real classic, the in-band problem inherent to any text terminal. Reading of the venerable and now forgotten classic by Wood and Kochan, "Unix System Security", published in 1985 should still be mandatory. Moreover, many of these in-band risks are applicable to window systems, which exhibit even worse properties. See the fuss with "tab-nabbing" now.
What documents have you been reading?
Take a look at the actual vulnerability advisory.
http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
Or the original posting by OpenSSH
http://www.securityfocus.com/archive/1/498558/30/0/threaded
Where is there any condition related to National Security?
If you read the vulnerability advisory you would see that the problem is "a
Undocumented bug on Cisco CSS series 11000 with Webns 8.20.0.1
Cisco CSS series 11000 with webns system and ssh daemon crash on ssh
crc32 old 2001 exploit
Cisco CSS :
Webns Version: 08.20.0.01 (using command sh ver)
SSH Version: SSHield version 1.6.1, SSH version OpenSSH_3.0.2p1 (using
command sh sshd version)