[Information Disclosure] OpenSSH_7.4p1 Raspbian-10+deb9u7 discloses OS version
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Raspbian | New | Undecided | Unassigned |
Bug Description
OS: Raspbian GNU/Linux 9.11 (stretch) armv7l
Model: Raspberry Pi 3 Model B Rev 1.2
Kernel: 4.19.66-v7+
The Raspbian-10+deb9u7 release of OpenSSH_7.4p1 sends over the "Raspbian-
This is considered an Information Disclosure error, because SSHD shouldn't disclose OS Version information to clients.
To verify this is true: Run CrackMapExec against OpenSSH_7.4p1 Raspbian-10+deb9u7 with a command like the following:
`./cme --verbose ssh -u pi --port 2322 192.168.0.10`
(I changed the default SSHd port from 22 to 2322)
[CrackMapExec](https:/
If you trace back the output of CME, you'll find that it's just paramiko "reading a line from the socket" and parsing it to get the version information.
I reported the bug to the [OpenSSH Bug tracker](https:/
`That's something added by the OS vendor, either in code or via the VersionAddendum option in sshd_config. It's not something we have any control over. You will need to take it up with them.`
I have checked the _VersionAddendum_ option in my sshd_config, and it was already set to none (Yes, uncommenting changes nothing, as it's already using the default value):
`#VersionAddendum none`
I have also reported ([the bug on RPI-Distro](https:/
`This repo is for archive.
Raspbian bugs should be reported here:
https:/`
So, here we are. Why does this specific release of SSHd do this, and is there a way to prevent it?
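As an added example (not code from this report, from CrackMapExec or from paramiko), the script below reproduces what the report describes paramiko doing: it reads the server's identification string and splits it the way paramiko does. Per RFC 4253 section 4.2 that line has the form `SSH-protoversion-softwareversion SP comments CR LF`, and the optional comments field after the space is where a vendor tag such as `Raspbian-10+deb9u7` is carried; `VersionAddendum` only appends to that same field. The function and client-banner names (`grab_banner`, `bannerprobe`, `_FakeSock`, `demo`) are this example's own, and the captured bytes in `demo()` are constructed to match the banner in the report title.

```python
"""Grab and parse an SSH server identification string (RFC 4253 section 4.2).

Added example, not CrackMapExec or paramiko code. The server's first
"SSH-" line has the form  SSH-protoversion-softwareversion SP comments CR LF
and the optional comments field is where a vendor tag such as
"Raspbian-10+deb9u7" travels.
"""
import socket

MAX_LINE = 255  # RFC 4253 4.2: identification string is at most 255 bytes incl. CR LF


def parse_banner(line: bytes) -> dict:
    """Split one identification line into protocol, software and comments."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    if not text.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {text!r}")
    # First space separates the software version from the free-form comments;
    # then at most two '-' splits, the same way paramiko takes the line apart.
    ident, _, comments = text.partition(" ")
    _, proto, software = ident.split("-", 2)
    return {"proto": proto, "software": software, "comments": comments or None}


def read_identification(sock) -> bytes:
    """Read lines until the one starting with 'SSH-'.

    RFC 4253 4.2 lets a server send other CR LF terminated lines before the
    identification string, so anything not starting with 'SSH-' is skipped.
    """
    for _ in range(64):  # hypothetical cap on pre-banner lines we tolerate
        line = bytearray()
        while not line.endswith(b"\n"):
            ch = sock.recv(1)
            if not ch:
                raise ConnectionError("peer closed before sending an identification string")
            line += ch
            if len(line) > MAX_LINE:
                raise ValueError("identification line exceeds 255 bytes")
        if line.startswith(b"SSH-"):
            return bytes(line)
    raise ValueError("no identification string after 64 lines")


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect to host:port and return the parsed server identification."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # Either side may send its identification first; send ours so a server
        # that waits for the client does not stall. "bannerprobe" is a made-up name.
        sock.sendall(b"SSH-2.0-bannerprobe_0.1\r\n")
        return parse_banner(read_identification(sock))


class _FakeSock:
    """Constructed stand-in for a socket so the example runs offline."""

    def __init__(self, data: bytes):
        self._data = data

    def recv(self, n: int) -> bytes:
        chunk, self._data = self._data[:n], self._data[n:]
        return chunk


def demo() -> dict:
    # Constructed capture: one pre-banner line, then an identification string
    # modelled on the banner in this report, vendor comment field included.
    capture = (
        b"Unauthorized access prohibited\r\n"
        b"SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u7\r\n"
    )
    return parse_banner(read_identification(_FakeSock(capture)))


if __name__ == "__main__":
    import sys

    if len(sys.argv) >= 2:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
        print(grab_banner(sys.argv[1], port))  # e.g. 192.168.0.10 2322
    else:
        print(demo())
```

Run it with a host and port to see exactly what any client, including CME, receives before authentication; with no arguments it parses the constructed capture. A banner without a comment field (for example `SSH-2.0-OpenSSH_7.4p1`) yields `comments: None`, which is what a server that does not tag its version looks like.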
information type: Public → Public Security
We did not do anything to deliberately change this on the raspbian side. Does Debian behave in the same way (but with Debian instead of Raspbian)?