Opened 4 years ago

Last modified 4 years ago

#16871 new defect

Dropbear SSH Server < 2013.59 Multiple Vulnerabilities

Reported by: tomasz.figa@… Owned by: developers
Priority: high Milestone: Attitude Adjustment 12.09.1
Component: packages Version: Attitude Adjustment 12.09
Keywords: dropbear nessus update CVE-2013-4421 CVE-2013-4434 Cc:

Description

Hi,

I've been checking my home server, which has certain services accessible through ports forwarded on my router running OpenWRT Attitude Adjustment 12.09.1, for known vulnerabilities using Nessus, and stumbled upon a security issue related to the ancient Dropbear version present in Attitude Adjustment.

I would appreciate an updated version of the aforementioned package, so that the problem can be eliminated.

Best regards,
Tomasz

-->8 - Nessus report follows - 8<--

70545 (1) - Dropbear SSH Server < 2013.59 Multiple Vulnerabilities

Synopsis
The remote SSH service is affected by multiple vulnerabilities.
Description
According to its self-reported banner, the version of Dropbear SSH running on this port is earlier than 2013.59. As such, it is potentially affected by multiple vulnerabilities :

  • A denial of service vulnerability caused by the way the 'buf_decompress()' function handles compressed files. (CVE-2013-4421)

  • User-enumeration is possible due to a timing error when authenticating users. (CVE-2013-4434)

See Also
https://matt.ucc.asn.au/dropbear/CHANGES
https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f
https://secure.ucc.asn.au/hg/dropbear/rev/a625f9e135a4

Solution
Upgrade to the Dropbear SSH 2013.59 or later.

Risk Factor
Medium

CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References
BID: 62958, 62993
CVE: CVE-2013-4421, CVE-2013-4434
XREF: OSVDB:98303, OSVDB:98365

Plugin Information:
Publication date: 2013/10/22, Modification date: 2014/05/29
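The Nessus finding above is purely banner-based: it reads the "dropbear_YYYY.NN" version string the server sends in its SSH identification line and compares it with 2013.59. The following script is an added example (not part of the ticket, the Nessus plugin, or OpenWrt) that reproduces that check so a router fleet can be triaged offline. The banner strings in it are constructed, and the grab_banner() helper is an assumption about how one would fetch a real banner; only the parsing and comparison logic is exercised here.

```python
import re
import socket
from typing import Optional, Tuple

# First fixed release according to the Nessus plugin quoted in the ticket.
FIXED_VERSION: Tuple[int, int] = (2013, 59)

# Dropbear's SSH identification line looks like "SSH-2.0-dropbear_2011.54".
# The version is a year and a release counter; both compare numerically.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-dropbear_(?P<year>\d{4})\.(?P<rel>\d+)")


def parse_dropbear_banner(banner: str) -> Optional[Tuple[int, int]]:
    """Return (year, release) from a Dropbear banner, or None if it is not Dropbear."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group("year")), int(m.group("rel")))


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the banner is Dropbear older than 2013.59, False if 2013.59 or
    newer, None if the server is not Dropbear (nothing to say about it)."""
    version = parse_dropbear_banner(banner)
    if version is None:
        return None
    # Tuple comparison orders by year first, then release number.
    return version < FIXED_VERSION


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Fetch the SSH identification line from a live host (assumed helper;
    not used by the offline demonstration below)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        # The identification line is the first line the server sends, CRLF-terminated.
        while not data.endswith(b"\n") and len(data) < 256:
            chunk = s.recv(64)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace").rstrip("\r\n")


def triage(banners: dict) -> dict:
    """Classify a host->banner mapping into vulnerable / fixed / not_dropbear."""
    result = {"vulnerable": [], "fixed": [], "not_dropbear": []}
    for host, banner in banners.items():
        v = is_vulnerable(banner)
        key = "not_dropbear" if v is None else ("vulnerable" if v else "fixed")
        result[key].append(host)
    return result


# Constructed sample banners, not captured from real devices.
SAMPLE_BANNERS = {
    "router-a": "SSH-2.0-dropbear_2011.54",   # older than 2013.59 -> flagged
    "router-b": "SSH-2.0-dropbear_2013.59",   # first fixed release -> clean
    "router-c": "SSH-2.0-dropbear_2014.63",   # version in the attached patch -> clean
    "server-d": "SSH-2.0-OpenSSH_6.6",        # not Dropbear -> no verdict
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_BANNERS).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The caveat a practitioner should keep in mind is the same one that applies to the Nessus plugin: a banner check cannot see a backported fix, so a distribution that patched 2011.54 in place without bumping the version would still be flagged, while a rebuilt package such as the attached 2014.63 update clears the finding because the banner changes.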

Attachments (1)

dropbear-2014.63.patch (14.6 KB) - added by yohimba@… 4 years ago.
dropbear update to 2014.63 (attitude_adjustment)

Change History (10)

comment:1 Changed 4 years ago by anonymous

"...on my router running OpenWRT Attitude Adjustment 12.09.1", stopped reading there.

comment:2 follow-up: Changed 4 years ago by anonymous

Wait, what's wrong with that? It's the stable release, so it should be reasonably secure to use, no?

Changed 4 years ago by yohimba@…

dropbear update to 2014.63 (attitude_adjustment)

comment:3 in reply to: ↑ 2 ; follow-up: Changed 4 years ago by anonymous

Replying to anonymous:

Wait, what's wrong with that? It's the stable release, so it should be reasonably secure to use, no?

stable to use, not always secure

comment:4 in reply to: ↑ 3 ; follow-up: Changed 4 years ago by tom3q

Replying to anonymous:

Replying to anonymous:

Wait, what's wrong with that? It's the stable release, so it should be reasonably secure to use, no?

stable to use, not always secure

So you either have stable and insecure or secure and unstable? I hope you are not saying this seriously...

comment:5 follow-up: Changed 4 years ago by anonymous

I guess OP also uses Windows 95 and IE 3 and mails MS every week to patch security holes.

comment:6 in reply to: ↑ 5 Changed 4 years ago by tom3q

Replying to anonymous:

I guess OP also uses Windows 95 and IE 3 and mails MS every week to patch security holes.

I guess OP has much more experience with software development than you have. Please stop trolling.

comment:7 Changed 4 years ago by anonymous

dear anonymous

Maybe you have 1 or 2 routers running OpenWrt; I have 4 Bullet M2, 2 RSPro and 7 WR1043ND, so I'm also using AA, because when I update from 300 km away I'm pretty sure that it'll reboot just fine, no need to test before. Stability is important!

comment:8 in reply to: ↑ 4 Changed 4 years ago by anonymous

Replying to tom3q:

Replying to anonymous:

Replying to anonymous:

Wait, what's wrong with that? It's the stable release, so it should be reasonably secure to use, no?

stable to use, not always secure

So you either have stable and insecure or secure and unstable? I hope you are not saying this seriously...

Another analogy: Windows XP is stable to use, but not secure.
I prefer the other option: both stable and secure.

comment:9 Changed 4 years ago by tom3q

I have successfully applied dropbear-2014.63.patch and managed to build the dropbear 2014.63 package for Attitude Adjustment, thanks. Hopefully this hits the attitude_adjustment/12.09 branch.
