bugzilla-daemon at mindrot.org
2020-Jul-18 22:49 UTC
[Bug 3196] New: [Information Disclosure] OpenSSH_7.4p1 Raspbian-10+deb9u7 discloses OS version
https://bugzilla.mindrot.org/show_bug.cgi?id=3196

            Bug ID: 3196
           Summary: [Information Disclosure] OpenSSH_7.4p1 Raspbian-10+deb9u7 discloses OS version
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: 5990 at protonmail.com

Created attachment 3432
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3432&action=edit
CrackMapExec accidentally reports OS version using the paramiko library

The Raspbian-10+deb9u7 release of OpenSSH_7.4p1 sends over the "Raspbian-10+deb9u7" text when communicating SSHD version to a client. This is considered an Information Disclosure error, because SSHD shouldn't disclose OS Version information to clients.

REPLICATE:

Run CrackMapExec against OpenSSH_7.4p1 Raspbian-10+deb9u7 with a command like the following:

    ./cme --verbose ssh -u pi --port 2322 192.168.0.10

CrackMapExec (github.com/byt3bl33d3r/CrackMapExec) uses the paramiko library (github.com/paramiko/paramiko) to detect SSH version. If you traceback the output of CME, you'll find that it's just paramiko "reading a line from the socket" and parsing it to get the version information.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-19 01:53 UTC
[Bug 3196] [Information Disclosure] OpenSSH_7.4p1 Raspbian-10+deb9u7 discloses OS version
https://bugzilla.mindrot.org/show_bug.cgi?id=3196

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
That's something added by the OS vendor, either in code or via the VersionAddendum option in sshd_config. It's not something we have any control over. You will need to take it up with them.
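The report and the reply both come down to one line of the SSH protocol: the server identification string, which RFC 4253 defines as "SSH-protoversion-softwareversion SP comments CR LF". Upstream OpenSSH sends only the softwareversion field; anything after the space is the comments field, which is where a vendor suffix like "Raspbian-10+deb9u7" lands (whether compiled in by the distribution or set with VersionAddendum in sshd_config). The script below is an added example for auditing your own hosts; it is not code from this bug thread, from OpenSSH or from paramiko. It parses identification lines into their RFC 4253 fields and flags any banner whose comments field is non-empty, using constructed sample banners so it runs offline; read_banner() is the only part that touches the network and follows the RFC rule that lines before the "SSH-" line are to be ignored.

```python
"""Parse and audit SSH server identification strings (RFC 4253 section 4.2).

Format on the wire: SSH-protoversion-softwareversion SP comments CR LF
The optional 'comments' field is where an OS/vendor suffix ends up, so a
banner audit is simply "does the comments field carry anything?".
"""
import re
import socket
from typing import List, Optional

# Constructed sample banners for offline use; not captured from real hosts.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u7\r\n",  # vendor suffix present
    "SSH-2.0-OpenSSH_8.6\r\n",                       # bare upstream banner
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",    # vendor suffix present
]

# protoversion and softwareversion may not contain whitespace or '-';
# everything after the first space is the free-form comments field.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_ssh_banner(line: str) -> Optional[dict]:
    """Split one identification line into its RFC 4253 fields.

    Returns None when the line is not an SSH identification string.
    """
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "protoversion": m.group("proto"),
        "softwareversion": m.group("software"),
        "comments": m.group("comments") or "",
    }


def banner_discloses_os(line: str) -> bool:
    """True when the comments field is populated (typically OS/vendor detail)."""
    fields = parse_ssh_banner(line)
    return bool(fields and fields["comments"])


def audit_banners(lines: List[str]) -> List[str]:
    """Return the banners (stripped of CR LF) that carry a comments field."""
    return [line.strip() for line in lines if banner_discloses_os(line)]


def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Fetch the identification line from one of your own hosts.

    A server may send other lines before its identification string; RFC 4253
    tells clients to ignore those, so we skip until a line starting with
    'SSH-' arrives, with a bound on how many lines we are willing to read.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(32):
            raw = stream.readline()
            if not raw:
                break
            line = raw.decode("ascii", errors="replace")
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification line received")


if __name__ == "__main__":
    for banner in audit_banners(SAMPLE_BANNERS):
        fields = parse_ssh_banner(banner)
        print(f"{banner!r}: comments field = {fields['comments']!r}")
```

Run as-is it reports the two constructed banners with a suffix; point read_banner() at a host you administer to check a live server. If a flagged host got its suffix from sshd_config, "VersionAddendum none" removes it; if the distribution compiled it in (Debian-derived packages carry it in their own patch and expose it as the DebianBanner option in sshd_config), only the vendor's package or that vendor option can change it, which is the point of the reply above.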
bugzilla-daemon at mindrot.org
2021-Apr-23 04:58 UTC
[Bug 3196] [Information Disclosure] OpenSSH_7.4p1 Raspbian-10+deb9u7 discloses OS version
https://bugzilla.mindrot.org/show_bug.cgi?id=3196

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release