GEN:SID | 1:1810 |
Message | ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE |
Summary | This event is generated when an attack against an OpenSSH (v2.9 - 3.3) server using the GOBBLES exploit was successful.
|
Impact | Full system compromise with escalated privileges.
|
Detailed Information | This attack exploits the "remote challenge-response" vulnerability in older versions of OpenSSH servers. The vulnerability affects OpenSSH versions 2.9 through 3.3 that have the challenge response option enabled and that also use SKEY or BSD_AUTH authentication.
|
Affected Systems | Any UNIX Servers that have vulnerable OpenSSH daemon running including but not limited to the following: Mandrake Soft Linux 7.1, 7.2, 8.0, 8.1, 8.2 OpenBSD 3.0, 3.1 Red Hat Linux 7.0, 7.1, 7.2, 7.3 SuSe Linux 6.4, 7.0, 7.1, 7.2, 7.3
|
Attack Scenarios | An attacker first determines what version of OpenSSH the targeted machine is running then launches a publicly available GOBBLES exploit script against it.
|
Ease of Attack | Simple.
|
Corrective Action | Disable S/Key and BSD Authentication by modifying the sshd_config file
ChallengeResponseAuthentication no
Upgrade to OpenSSH v3.4 or later
Apply the appropriate vendor supplied patch.
|
Additional References | CERT: http://www.cert.org/advisories/CA-2002-18.html
|
Rule References | bugtraq: 2370
bugtraq: 5093
cve: 2001-0214
cve: 2002-0390
cve: 2002-0639
|