this message just appeared on bugtraq (no idea why)

regards,
felix huber

----- Original Message -----
From: "Bruce Campbell" <bruceat_private>
To: <bugtraqat_private>
Sent: Sunday, November 04, 2001 10:20 PM
Subject: vulnerability diagnosis in "nessus" incorrect...

>
> concerning remote root exploit vulnerability in ssh prior to 1.2.32...
>
> vulnerability diagnosis in "nessus" incorrect leading to possible false
> sense of security.
>
> As you know, ssh prior to 1.2.32 is vulnerable to remote
> root exploit. The diagnostic from security vulnerability
> detector tool www.nessus.org incorrectly identifies the
> risk as a command insertion vulnerability. The difference in
> risk is huge, and I believe the false diagnostic from nessus
> could give users a false sense of security.
>
>
> http://cgi.nessus.org/plugins/dump.php3?id=10607
>
> says...
>
> >You are running a version of SSH which is older than version 1.2.32, or a
> >version of OpenSSH which is older than 2.3.0.
> >
> >This version is vulnerable to a flaw which allows an attacker to insert
> >arbitrary commands in a ssh stream.
> >
> >Solution : Upgrade to version 1.2.32 of SSH which solves this problem, or
> >to version 2.3.0 of OpenSSH
> >
> >http://www.core-sdi.com/advisories/ssh1_deattack.htm
> >
> >Risk factor : High
> >
>
> ------------------------------------------------------------------------
> Bruce Campbell
> Engineering Computing
> University of Waterloo
> http://www.eng.uwaterloo.ca/~bruce/
> 519-888-4567 ext. 5889
> PGP Key: http://www.eng.uwaterloo.ca/~bruce/public.txt
This archive was generated by hypermail 2b30 : Mon Nov 05 2001 - 03:12:41 PST