OpenSSH < 2.1.0 /dev/random Check Failure

Medium | Nessus Plugin ID 17700

Synopsis

The remote host is running a version of SSH that may have weak encryption keys.

Description

According to its banner, the version of OpenSSH running on the remote host is earlier than 2.1.0. On a FreeBSD system running on the Alpha architecture, such versions may fail to use the /dev/random and /dev/urandom devices as a strong source of cryptographic entropy, which can result in the generation of cryptographically weak keys.

Solution

Upgrade OpenSSH to version 2.1.0 or later and OpenSSL to version 0.9.5a or later, then re-generate the encryption keys.

See Also

http://cvs.openssl.org/fileview?f=openssl/CHANGES&v=1.514

http://www.nessus.org/u?16bc8320

http://www.nessus.org/u?dca3a5e9

Plugin Details

Severity: Medium

ID: 17700

File Name: openssh_210.nasl

Version: 1.9

Type: remote

Family: Misc.

Published: 11/18/2011

Updated: 3/27/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: cpe:/a:openbsd:openssh

Required KB Items: installed_sw/OpenSSH

Exploit Ease: No known exploits are available

Patch Publication Date: 5/10/2010

Vulnerability Publication Date: 6/12/2010

Reference Information

CVE: CVE-2000-0535

BID: 1340