Bugtraq mailing list archives
vulnerability diagnosis in "nessus" incorrect...
From: Bruce Campbell <bruce () engmail uwaterloo ca>
Date: Sun, 4 Nov 2001 16:20:44 -0500 (EST)
concerning remote root exploit vulnerability in ssh prior to 1.2.32... vulnerability diagnosis in "nessus" incorrect leading to possible false sense of security. As you know, ssh prior to 1.2.32 is vulnerable to remote root exploit. The diagnostic from security vulnerability detector tool www.nessus.org incorrectly identifies the risk as a command insertion vulnerability. The difference in risk is huge, and I believe the false diagnostic from nessus could give users a false sense of security. http://cgi.nessus.org/plugins/dump.php3?id=10607 says...
You are running a version of SSH which is older than version 1.2.32, or a version of OpenSSH which is older than 2.3.0. This version is vulnerable to a flaw which allows an attacker to insert arbitrary commands in a ssh stream. Solution : Upgrade to version 1.2.32 of SSH which solves this problem, or to version 2.3.0 of OpenSSH http://www.core-sdi.com/advisories/ssh1_deattack.htm Risk factor : High
------------------------------------------------------------------------ Bruce Campbell Engineering Computing University of Waterloo http://www.eng.uwaterloo.ca/~bruce/ 519-888-4567 ext. 5889 PGP Key: http://www.eng.uwaterloo.ca/~bruce/public.txt
Current thread:
- vulnerability diagnosis in "nessus" incorrect... Bruce Campbell (Nov 04)
- Re: vulnerability diagnosis in "nessus" incorrect... Renaud Deraison (Nov 05)