Bug 3196 - [Information Disclosure] OpenSSH_7.4p1 Raspbian-10+deb9u7 discloses OS version
Summary: [Information Disclosure] OpenSSH_7.4p1 Raspbian-10+deb9u7 discloses OS version
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.4p1
Hardware: Other Other
: P5 security
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2020-07-19 08:49 AEST by Ignacio Perez
Modified: 2021-04-23 14:58 AEST (History)
See Also:


Attachments
CrackMapExec accidentally reports OS version using the paramiko library (190.92 KB, image/png)
2020-07-19 08:49 AEST, Ignacio Perez
Description Ignacio Perez 2020-07-19 08:49:31 AEST
Created attachment 3432
CrackMapExec accidentally reports OS version using the paramiko library

The Raspbian-10+deb9u7 release of OpenSSH_7.4p1 sends the "Raspbian-10+deb9u7" text when communicating the SSHD version to a client.
This is considered an Information Disclosure error, because SSHD shouldn't disclose OS version information to clients.


REPLICATE: Run CrackMapExec against OpenSSH_7.4p1 Raspbian-10+deb9u7 with a command like the following:

./cme --verbose ssh -u pi --port 2322 192.168.0.10
CrackMapExec (github.com/byt3bl33d3r/CrackMapExec) uses the paramiko library (github.com/paramiko/paramiko) to detect the SSH version.

If you trace back the output of CME, you'll find that it's just paramiko "reading a line from the socket" and parsing it to get the version information.
Comment 1 Darren Tucker 2020-07-19 11:53:15 AEST
That's something added by the OS vendor, either in code or via the VersionAddendum option in sshd_config.  It's not something we have any control over.  You will need to take it up with them.
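Added example, not code from this report, from paramiko or from OpenSSH: a parser for the server identification string as RFC 4253 section 4.2 defines it (`SSH-protoversion-softwareversion SP comments CR LF`), to show that the vendor text the reporter saw lives in the optional comments field after the software version, which is the part of its own banner an administrator can audit (the sample banner is constructed from the string quoted in the report).

```python
"""Parse an SSH server identification string the way a client such as
paramiko reads it: one line from the socket, then split per RFC 4253.

    SSH-protoversion-softwareversion SP comments CR LF

Everything after the first space is the optional comments field; that is
where vendor text (e.g. sshd's VersionAddendum) ends up.
"""
import re
from dataclasses import dataclass
from typing import Optional

_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>\S+)"
    r"(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


@dataclass(frozen=True)
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]  # None when the server sends no addendum


def parse_ident_line(line: bytes) -> SshIdent:
    """Split a single identification line into its three RFC 4253 fields."""
    text = line.decode("ascii", errors="replace")
    m = _IDENT_RE.match(text)
    if not m:
        raise ValueError(f"not an SSH identification string: {text!r}")
    return SshIdent(m["proto"], m["software"], m["comments"])


def first_ident_line(stream: bytes) -> bytes:
    """RFC 4253 lets a server send other lines before the identification
    string; return the first line that begins with 'SSH-'."""
    for raw in stream.split(b"\n"):
        if raw.startswith(b"SSH-"):
            return raw + b"\n"
    raise ValueError("no identification line in stream")


def disclosed_comments(stream: bytes) -> Optional[str]:
    """Return whatever the server appended after its software version."""
    return parse_ident_line(first_ident_line(stream)).comments


# Constructed sample, matching the banner quoted in the report.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u7\r\n"
```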
Comment 2 Damien Miller 2021-04-23 14:58:51 AEST
closing resolved bugs as of 8.6p1 release