OpenSSH vulnerabilities
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openssh (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
Hi,
I was using NMAP to scan my Ubuntu server and it listed some vulnerabilities in OpenSSH. It also came up with exploits against these vulnerabilities.
On my home network, I have several computers that I use for various purposes; a Ubuntu 20.04 LTS computer and Kali Linux computer being the subject for this email. I wanted to test if I had any security issues on my Ubuntu computer so I was doing some scans on it from my Kali computer. I did a scan with NMAP and it produced some vulnerabilities in OpenSSH and what exploits to use. Here is some info on my computers and the NMAP command that I used:
~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
─$ lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2021.1
Codename: kali-rolling
~$ ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020
~$ apt-cache policy ssh
ssh:
Installed: (none)
Candidate: 1:8.2p1-4ubuntu0.2
Version table:
1:
500 http://
500 http://
1:8.2p1-4 500
500 http://
─$ sudo nmap -sV --script vuln 192.168.0.10
Starting Nmap 7.91 ( https:/
Pre-scan script results:
| broadcast-
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.0.10
Host is up (0.00017s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:
| EDB-ID:21018 10.0 https:/
| CVE-2001-0554 10.0 https:/
| CVE-2020-15778 6.8 https:/
| CVE-2020-12062 5.0 https:/
| CVE-2021-28041 4.6 https:/
| MSF:ILITIES/
| MSF:ILITIES/
| MSF:ILITIES/
| MSF:ILITIES/
| MSF:ILITIES/
| CVE-2020-14145 4.3 https:/
|_ MSF:AUXILIARY/
80/tcp open http Apache httpd
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-
|_http-
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open ssl/http Apache httpd
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-
|_http-
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown:
MAC Address: 00:15:C5:F6:5D:94 (Dell)
Service Info: OS: Linux; CPE: cpe:/o:
Service detection performed. Please report any incorrect results at https:/
Nmap done: 1 IP address (1 host up) scanned in 80.86 seconds
Thanks,
Ian
CVE References
| summary: |
- OpenSSH vulnefrabilitlies + OpenSSH vulnerabilities |
| Changed in ubuntu: | |
| status: | New → Incomplete |
| Seth Arnold (seth-arnold) wrote | #1 |
| Ian (ianc01) wrote | #2 |
| Ian (ianc01) wrote | #3 |
| Seth Arnold (seth-arnold) wrote | #4 |
| affects: | ubuntu → openssh (Ubuntu) |
| Changed in openssh (Ubuntu): | |
| status: | Incomplete → Invalid |
| information type: | Private Security → Public Security |
Hello Ian, thanks for the bug.
Have you had any success with any of the exploits?
Most of these sorts of tools that do "banner detection" assume everyone builds all their programs from source code themselves, and thus aren't very useful in the real world. The first CVE listed is from 2001, which predates Ubuntu by some margin.
Here's our current status on OpenSSH issues: https:/
There's several we've chosen to ignore; there's one we've rated as low priority, and will address if there's a medium priority or higher issue in the future: https:/
Thanks