Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a "Bleichenbacher attack" on PKCS#1 version 1.5.

According to its banner, the remote host appears to be running a version of OpenSSH earlier than 2.5.2 / 2.5.2p2. It, therefore, reportedly contains weaknesses in its implementation of the SSH protocol, both versions 1 and 2.  These weaknesses could allow an attacker to sniff password lengths, and ranges of length (this could make brute-force password guessing easier), determine whether RSA or DSA authentication is being used, the number of authorized_keys in RSA authentication and/or the length of shell commands.

The version of SunSSH running on the remote host has an information disclosure vulnerability.  A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration.  An attacker could exploit this to gain access to sensitive information.

Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.

We have received reports that the 'SSH CRC-32 compensation attack detector vulnerability' is being actively exploited. This is the same integer type error previously corrected for OpenSSH in DSA-027-1.
OpenSSH (the Debian ssh package) was fixed at that time, but ssh-nonfree and ssh-socks were not.

Though packages in the non-free section of the archive are not officially supported by the Debian project, we are taking the unusual step of releasing updated ssh-nonfree/ssh-socks packages for those users who have not yet migrated to OpenSSH. However, we do recommend that our users migrate to the regularly supported, DFSG-free 'ssh' package as soon as possible. ssh 1.2.3-9.3 is the OpenSSH package available in Debian 2.2r4.

The fixed ssh-nonfree/ssh-socks packages are available in version 1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for use with the Debian unstable/testing distribution. Note that the new ssh-nonfree/ssh-socks packages remove the setuid bit from the ssh binary, disabling rhosts-rsa authentication. If you need this functionality, run

chmod u+s /usr/bin/ssh1

after installing the new package.

- Versions of OpenSSH prior to 2.3.0 are vulnerable to a     remote arbitrary memory overwrite attack which may lead     to a root exploit.
  - CORE-SDI has described a problem with regards to RSA key     exchange and a Bleichenbacher attack to gather the     session key from an ssh session.

Both of these issues have been corrected in our ssh package 1.2.3-9.2.
We recommend you upgrade your openssh package immediately.

- People at WireX have found several potential insecure     uses of temporary files in programs provided by INN2.
    Some of them only lead to a vulnerability to symlink     attacks if the temporary directory was set to /tmp or     /var/tmp, which is the case in many installations, at     least in Debian packages. An attacker could overwrite     any file owned by the news system administrator, i.e.
    owned by news.news.
  - Michal Zalewski found an exploitable buffer overflow     with regard to cancel messages and their verification.
    This bug did only show up if 'verifycancels' was enabled     in inn.conf which is not the default and has been     disrecommended by upstream.

  - Andi Kleen found a bug in INN2 that makes innd crash for     two byte headers. There is a chance this can only be     exploited with uucp.

The remote host is using version 1.5 of the SSH protocol. This version allows a remote attacker to decrypt and/or alter traffic via an attack against PKCS#1 version 1.5, called the 'Bleichenbacher' attack. OpenSSH up to version 2.3.0, AppGate and SSH Communications Security ssh1 update to version 1.2.31 are vulnerable to this attack. 

According to its version number, the remote host is a Cisco router or switch running a vulnerable SSH daemon.

By exploiting weaknesses in the SSH protocol, it is possible to insert arbitrary commands into an established SSH session, collect information that may help in brute-force key recovery, or brute-force a session key.

The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. 

These protocols are not completely cryptographically safe so they should not be used.

ID	Name	Product	Family	Severity
44068	OpenSSH < 2.5.2 / 2.5.2p2 Multiple Information Disclosure Vulnerabilities	Nessus	Misc.	medium
55992	SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure	Nessus	Misc.	critical
14923	Debian DSA-086-1 : ssh-nonfree - remote root exploit	Nessus	Debian Local Security Checks	critical
14864	Debian DSA-027-1 : OpenSSH - remote exploit	Nessus	Debian Local Security Checks	critical
14860	Debian DSA-023-1 : inn2 - local tempfile vulnerabilities	Nessus	Debian Local Security Checks	medium
1971	PKCS#1 Version 1.5 Session Key Retrieval	Nessus Network Monitor	SSH	medium
10972	Cisco Devices Multiple SSH Information Disclosure Vulnerabilities	Nessus	CISCO	high
10882	SSH Protocol Version 1 Session Key Retrieval	Nessus	General	high

Detections

Analytics

CVE-2001-0361

high

Tenable Plugins

medium

critical

critical

critical

medium

medium

high

high