Family: Ubuntu Local Security Checks --> Category: infos
USN34-1 : openssh information leakage Vulnerability Scan
Vulnerability Scan Summary openssh information leakage
Detailed Explanation for this Vulnerability Test
Synopsis :
These remote packages are missing security patches :
- openssh-client
- openssh-server
- ssh
- ssh-askpass-gnome
Description :
@Mediaservice.net discovered two information leaks in the OpenSSH
server. When using password authentication, an attacker could
test whether a login name exists by measuring the time between
failed login attempts, i.e. the time after which the "password:"
prompt appears again.
A similar issue affects systems which do not allow root logins over
ssh ("PermitRootLogin no"). By measuring the time between login
attempts, an attacker could check whether a given root password is
correct. This allowed determining weak root passwords using a brute
force attack.
Solution :
Upgrade to :
- openssh-client-3.8.1p1-11ubuntu3.1 (Ubuntu 4.10)
- openssh-server-3.8.1p1-11ubuntu3.1 (Ubuntu 4.10)
- ssh-3.8.1p1-11ubuntu3.1 (Ubuntu 4.10)
- ssh-askpass-gnome-3.8.1p1-11ubuntu3.1 (Ubuntu 4.10)
Threat Level: High