[4eyes] FW: [COE #52965] [UCSB-OIT #506586] Vulnerabilities Found on 128.111.28.109
Matthew Turk
mturk at cs.ucsb.edu
Thu Jun 20 09:05:07 PDT 2013
We've been notified that there's a vulnerability in a lab machine, IP
address 128.111.28.109. Please check to see if this is your machine. The
problem is with Dropbear SSH, which needs to be upgraded to version 2012.55
or later.
And please let me know if this is your machine, so I'll know it's being
fixed.
Thanks,
Matthew
-----Original Message-----
From: Todd Atkins via RT [mailto:vsc at oit.ucsb.edu]
Sent: Wednesday, June 19, 2013 4:07 PM
To: support at cs.ucsb.edu
Subject: [UCSB-OIT #506586] Vulnerabilities Found on 128.111.28.109
Greetings:
Our vulnerability scanner has found a potentially vulnerable host on your
network. You should consider taking the recommended actions mentioned in
this report in order to reduce the chances of this host being abused by an
attacker. If you believe any part of this report to be incorrect, please
let us know so that we can work to improve our reporting accuracy.
Here is information about the vulnerabilities that were found:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
IP : 128.111.28.109
Name : ilab-109.cs.ucsb.edu
Scan Time : Tue Jun 18 20:32:53 2013
Service : ssh (22/tcp)
Plugin ID : 58183
Synopsis :
The remote host is affected by a remote code execution vulnerability.
Description :
According to its self-reported banner, the remote host is running a version
of Dropbear SSH before 2012.55. As such, it reportedly contains a flaw that
might allow an attacker to run arbitrary code on the remote host with root
privileges if they are authenticated using a public key and command
restriction is enforced.
Note that Nessus has not tried to exploit this vulnerability but instead has
relied solely on the version in the service's banner.
Note also, in cases where the host is running ESXi 4.0 or ESXi 4.1, VMware
states in their KB article id 2037316 that this is a false positive since
administrative access is required to login via SSH so there are no
privileges to be gained by exploiting this issue. That is true only in a
default setup, not one in which SSH access has been enabled for non-root
users.
See also :
https://matt.ucc.asn.au/dropbear/CHANGES
https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
https://www.mantor.org/~northox/misc/CVE-2012-0920.html
http://kb.vmware.com/kb/2037316
Solution :
Upgrade to the Dropbear SSH 2012.55 or later.
CVSS Base Score : 8.5
(CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
Plugin output :
Version source : SSH-2.0-dropbear_0.52
Installed version : 0.52
Fixed version : 2012.55
CVE : CVE-2012-0920
BID : 52159
Other references : OSVDB:79590
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--
E. Todd Atkins
Office of Information Technology
University of California, Santa Barbara
**********************************************************************
The NOC's list of network contacts is used to determine who should receive
email such as this. Please direct any requests for changes to this list of
network contacts to noc at ucsb.edu.
**********************************************************************