OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly cleanse critical environment variables such as LD_PRELOAD, which allows local users to gain root privileges.

The version of SunSSH running on the remote host has an information disclosure vulnerability.  A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration.  An attacker could exploit this to gain access to sensitive information.

Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.

If the UseLogin feature is enabled in ssh local users could pass  environment variables (including variables like LD_PRELOAD) to the  login process. This has been fixed by not copying the environment if  UseLogin is enabled.

Please note that the default configuration for Debian does not have UseLogin enabled.

The remote host is running a version of OpenSSH that is older than 3.0.2. Versions prior than 3.0.2 are vulnerable to an environment variables export that can allow a local user to execute command with root privileges.  This problem affects only versions prior than 3.0.2 when the UseLogin feature is enabled (usually disabled by default).

Note: NNM has solely relied on the banner of the SSH client to perform this check. Any backported patches or workarounds such as recompiling or edited configurations are not observable through the banner.

The new OpenSSH 3.0.2 fixes a vulnerability in the UseLogin option. By default, Mandrake Linux does not enable UseLogin, but if the administrator enables it, local users are able to pass environment variables to the login process. This update also fixes a security hole in the KerberosV support that is present in versions 2.9.9 and 3.0.0.

You are running a version of OpenSSH which is older than 3.0.2.
Versions prior than 3.0.2 have the following vulnerabilities :

  - When the UseLogin feature is enabled, a local user     could export environment variables, resulting in     command execution as root.  The UseLogin feature is     disabled by default. (CVE-2001-0872)

  - A local information disclosure vulnerability.
    Only FreeBSD hosts are affected by this issue.
    (CVE-2001-1029)

ID	Name	Product	Family	Severity
55992	SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure	Nessus	Misc.	critical
14928	Debian DSA-091-1 : ssh - influencing login	Nessus	Debian Local Security Checks	high
1992	OpenSSH < 3.0.2 UseLogin Environment Variable Local Command Execution	Nessus Network Monitor	SSH	high
13905	Mandrake Linux Security Advisory : openssh (MDKSA-2001:092)	Nessus	Mandriva Local Security Checks	high
10823	OpenSSH < 3.0.2 Multiple Vulnerabilities	Nessus	Misc.	high

Detections

Analytics

CVE-2001-0872

high

Tenable Plugins

critical

high

high

high

high