Opened 4 years ago
Last modified 4 years ago
#16871 new defect
Dropbear SSH Server < 2013.59 Multiple Vulnerabilities
Reported by: | tomasz.figa@… | Owned by: | developers |
---|---|---|---|
Priority: | high | Milestone: | Attitude Adjustment 12.09.1 |
Component: | packages | Version: | Attitude Adjustment 12.09 |
Keywords: | dropbear nessus update CVE-2013-4421 CVE-2013-4434 | Cc: | |
Description
Hi,
I've been checking my home server, which has certain services accessible through ports forwarded on my router running OpenWRT Attitude Adjustment 12.09.1, for known vulnerabilities using Nessus, and stumbled upon a security issue related to the ancient Dropbear version present in Attitude Adjustment.
I would appreciate your providing an updated version of the aforementioned package, so that the problem can be eliminated.
Best regards,
Tomasz
-->8 - Nessus report follows - 8<--
70545 (1) - Dropbear SSH Server < 2013.59 Multiple Vulnerabilities
Synopsis
The remote SSH service is affected by multiple vulnerabilities.
Description
According to its self-reported banner, the version of Dropbear SSH running on this port is earlier than 2013.59. As such, it is potentially affected by multiple vulnerabilities:
- A denial of service vulnerability caused by the way the 'buf_decompress()' function handles compressed files. (CVE-2013-4421)
- User-enumeration is possible due to a timing error when authenticating users. (CVE-2013-4434)
See Also
https://matt.ucc.asn.au/dropbear/CHANGES
https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f
https://secure.ucc.asn.au/hg/dropbear/rev/a625f9e135a4
Solution
Upgrade to the Dropbear SSH 2013.59 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID: 62958, 62993
CVE: CVE-2013-4421, CVE-2013-4434
XREF: OSVDB:98303, OSVDB:98365
Plugin Information:
Publication date: 2013/10/22, Modification date: 2014/05/29
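The Nessus finding above is banner-based: it reads the version string Dropbear advertises in its SSH identification line and compares it against 2013.59. The following is an added example, not part of the ticket, the Nessus plugin, or OpenWrt's or Dropbear's own code, showing how a defender can run the same check over an inventory of SSH banners to find hosts still needing the update. The banners and host names are constructed for the example.

```python
import re
from typing import Optional, Tuple

# First Dropbear release containing the fixes for CVE-2013-4421 and
# CVE-2013-4434, as stated in the Nessus report above.
FIXED_VERSION = "2013.59"

# SSH identification string (RFC 4253): "SSH-protoversion-softwareversion [comments]"
_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$")
# Dropbear advertises itself as "dropbear_<version>", e.g. dropbear_2012.55 or dropbear_0.53.1
_DROPBEAR_RE = re.compile(r"^dropbear_(?P<version>\d+(?:\.\d+)+)$", re.IGNORECASE)


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '2013.59' or '0.53.1' into an integer tuple so that the old 0.x
    scheme sorts below the year-based scheme Dropbear switched to later."""
    return tuple(int(part) for part in ver.split("."))


def dropbear_version(banner: str) -> Optional[str]:
    """Return the Dropbear version string from an SSH banner, or None when the
    banner is malformed or belongs to a different SSH implementation."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    d = _DROPBEAR_RE.match(m.group("software"))
    return d.group("version") if d else None


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner reports Dropbear older than FIXED_VERSION, False if it
    reports the fixed version or newer, None if no verdict is possible.
    An unknown banner is deliberately reported as None rather than as 'safe'."""
    version = dropbear_version(banner)
    if version is None:
        return None
    return parse_version(version) < parse_version(FIXED_VERSION)


# Constructed sample inventory (hypothetical host names, not captured from real devices).
SAMPLE_BANNERS = [
    ("router-aa", "SSH-2.0-dropbear_2011.54"),
    ("router-patched", "SSH-2.0-dropbear_2014.63"),
    ("legacy-box", "SSH-2.0-dropbear_0.53.1"),
    ("fixed-exact", "SSH-2.0-dropbear_2013.59"),
    ("openssh-host", "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2"),
    ("not-ssh", "HTTP/1.1 400 Bad Request"),
]


def triage(banners=SAMPLE_BANNERS) -> dict:
    """Map each host to its verdict: True = needs the 2013.59+ update,
    False = reports a fixed version, None = not Dropbear / unparseable."""
    return {host: is_affected(banner) for host, banner in banners}


if __name__ == "__main__":
    labels = {True: "AFFECTED (< 2013.59)", False: "fixed", None: "no verdict"}
    for host, verdict in triage().items():
        print(f"{host:15s} {labels[verdict]}")
```

Two caveats apply to any banner-based check, this one and the scanner's alike: a build that silently backports the fixes while keeping an old version string will be flagged although it is patched, and a host that strips or alters its banner yields no verdict. Treat the result as a prompt to confirm the installed package version on the device, not as proof either way.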
Attachments (1)
Change History (10)
comment:1 Changed 4 years ago by anonymous
comment:2 follow-up: ↓ 3 Changed 4 years ago by anonymous
Wait, what's wrong with that? It's the stable release, so it should be reasonably secure to use, no?
comment:3 in reply to: ↑ 2 ; follow-up: ↓ 4 Changed 4 years ago by anonymous
Replying to anonymous:
Wait, what's wrong with that? It's the stable release, so it should be reasonably secure to use, no?
stable to use, not always secure
comment:4 in reply to: ↑ 3 ; follow-up: ↓ 8 Changed 4 years ago by tom3q
comment:5 follow-up: ↓ 6 Changed 4 years ago by anonymous
I guess OP also uses Windows 95 and IE 3 and mails MS every week to patch security holes.
comment:6 in reply to: ↑ 5 Changed 4 years ago by tom3q
Replying to anonymous:
I guess OP also uses Windows 95 and IE 3 and mails MS every week to patch security holes.
I guess OP has much more experience with software development than you have. Please stop trolling.
comment:7 Changed 4 years ago by anonymous
Dear anonymous,
maybe you have 1 or 2 routers running OpenWrt; I have 4 Bullet M2, 2 RSPro and 7 WR1043ND, so I'm also using AA because when I update from 300 km away I'm pretty sure that it'll reboot just fine, no need to test before. Stability is important!
comment:8 in reply to: ↑ 4 Changed 4 years ago by anonymous
Replying to tom3q:
Replying to anonymous:
Replying to anonymous:
Wait, what's wrong with that? It's the stable release, so it should be reasonably secure to use, no?
stable to use, not always secure
So you either have stable and insecure or secure and unstable? I hope you are not saying this seriously...
Another analogy: Windows XP is stable to use, but not secure.
I prefer the other option: both stable and secure.
comment:9 Changed 4 years ago by tom3q
I have successfully applied dropbear-2014.63.patch and managed to build dropbear 2014.63 package for Attitude Adjustment, thanks. Hopefully this hits the attitude_adjustment/12.09 branch.
"...on my router running OpenWRT Attitude Adjustment 12.09.1", stopped reading there.