| Summary: | [Information Disclosure] OpenSSH_7.4p1 Raspbian-10+deb9u7 discloses OS version | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Ignacio Perez <5990> | ||||
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> | ||||
| Status: | CLOSED INVALID | ||||||
| Severity: | security | CC: | dtucker | ||||
| Priority: | P5 | ||||||
| Version: | 7.4p1 | ||||||
| Hardware: | Other | ||||||
| OS: | Other | ||||||
| Attachments: |
|
||||||
That's something added by the OS vendor, either in code or via the VersionAddendum option in sshd_config. It's not something we have any control over. You will need to take it up with them. closing resolved bugs as of 8.6p1 release |
Created attachment 3432 [details] CrackMapExec accidentally reports OS version using the paramiko library The Raspbian-10+deb9u7 release of OpenSSH_7.4p1 sends over the "Raspbian-10+deb9u7" text when communicating SSHD version to a client. This is considered an Information Disclosure error, because SSHD shouldn't disclose OS Version information to clients. REPLICATE: Run CrackMapExec against OpenSSH_7.4p1 Raspbian-10+deb9u7 with a command like the following: ./cme --verbose ssh -u pi --port 2322 192.168.0.10 CrackMapExec(github.com/byt3bl33d3r/CrackMapExec) uses the paramiko library(github.com/paramiko/paramiko) to dectect SSH version. If you traceback the output of CME, you'll find that it's just paramiko "reading a line from the socket" and parsing it to get the version information.