RE: [Plugins-writers] False positive for 10965: ssh_AllowedAuthen tications.nasl?

• Previous message: Renaud Deraison: "Re: [Plugins-writers] POSIX ... on multiple lines."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Upon further investigation, it turns out the SSH daemon involved is from
Sun.  It is the version that comes stock with Solaris 9.

I have started a correspondence with their tech support to see if they will
be incrementing the version string in some way to indicate they have patched
for known vulnerabilities like OpenSSH does.  I'm not expecting much since
their first answer was that version scanning for vulnerabilities was "lazy"
and they won't change the version string lest they break compatibility with
something or other.

Since the vulnerability in question is specific to OpenSSH (I assume based
on the version numbers), would it be appropriate for the plugin to recognize
this as Sun's SSH daemon and not issue an alert?  I don't know how to verify
this vulnerability against Sun's daemon without a CVE or advisory to
cross-reference.

Regards,
Owen

-----Original Message-----
From: Crow, Owen 
Sent: Wednesday, March 10, 2004 3:45 PM
To: plugins-writers@private
Subject: RE: [Plugins-writers] False positive for 10965:
ssh_AllowedAuthentications.nasl?

I was afraid of that.  I guess I'll see if the sunfreesoftware.com guys are
willing to update the port to include better version info or our admins will
start rolling their own OpenSSH (which I assume would have a better
banner?).

Thanks,
Owen
 
-----Original Message-----
From: Renaud Deraison [mailto:deraison@private]
Sent: Wednesday, March 10, 2004 3:33 PM
To: plugins-writers@private
Subject: Re: [Plugins-writers] False positive for 10965:
ssh_AllowedAuthentications.nasl?

On Wed, Mar 10, 2004 at 03:26:50PM -0600, Crow, Owen wrote:
> When running a full, non-safe, non-optimized scan against a new 
> Solaris 9, I get the following alert:
> 
>  
> 
> "You are running a version of SSH which is older than 3.1.2 and newer 
> or equal to 3.0.0.
> 
> [snip]"
> The version we have installed from is openssh-3.7.1p2-sol9-sparc-local 
> from sunfreesoftware.com so it should be way past 3.1.2.  It may be 
> the banner from sshd is confusing it which reads: SSH-2.0-Sun_SSH_1.0

Do you mean that sunfreesoftware.com is distributing a version of OpenSSH
with this weird banner ?


You may be able to fix that by adding this signature to backport.inc.



				-- Renaud
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers

• Next message: Michel Arboi: "[Plugins-writers] ASN.1-Brute"
• Previous message: Renaud Deraison: "Re: [Plugins-writers] POSIX ... on multiple lines."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Mar 19 2004 - 14:47:38 PST