Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1810 |
Message | ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE |
Summary | This event is generated when an attack against an OpenSSH (v2.9 - 3.3) server using the GOBBLES exploit was successful. |
Impact | Full system compromise with escalated privileges. |
Detailed Information | This attack exploits the "remote challenge-response" vulnerability in older versions of OpenSSH servers. The vulnerability affects OpenSSH versions 2.9 through 3.3 that have the challenge response option enabled and that also use SKEY or BSD_AUTH authentication. |
Affected Systems | Any UNIX server running a vulnerable OpenSSH daemon, including but not limited to the following: Mandrake Soft Linux 7.1, 7.2, 8.0, 8.1, 8.2; OpenBSD 3.0, 3.1; Red Hat Linux 7.0, 7.1, 7.2, 7.3; SuSE Linux 6.4, 7.0, 7.1, 7.2, 7.3 |
Attack Scenarios | An attacker first determines what version of OpenSSH the targeted machine is running, then launches a publicly available GOBBLES exploit script against it. |
Ease of Attack | Simple. |
Corrective Action | Disable S/Key and BSD Authentication by adding the following line to the sshd_config file: ChallengeResponseAuthentication no. Upgrade to OpenSSH v3.4 or later. Apply the appropriate vendor-supplied patch. |
Additional References | CERT: http://www.cert.org/advisories/CA-2002-18.html |
Rule References | bugtraq: 5093; cve: 2002-0390; cve: 2002-0639 |
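
One way to check a host against the corrective actions above, as an added example that is not part of the original rule documentation. The function names, result labels and sample inputs are constructed here; it assumes sshd uses the first occurrence of a keyword and that ChallengeResponseAuthentication defaults to yes when unset. Whether SKEY or BSD_AUTH support was compiled in cannot be read from the config, so "exposed" means the version and option conditions are met, not that compromise is certain.

```python
import re

# Affected range stated on this page: OpenSSH 2.9 through 3.3 (3.4 is the fixed release).
VULN_MIN, VULN_MAX = (2, 9), (3, 3)

def banner_version(banner):
    """Return (major, minor) from an SSH identification string, or None."""
    m = re.search(r"OpenSSH[_-](\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def challenge_response_enabled(config_text):
    """Effective global ChallengeResponseAuthentication value from sshd_config text."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":                       # only the global section is evaluated
            break
        if key == "challengeresponseauthentication":
            value = parts[1].strip().lower() if len(parts) > 1 else ""
            return value != "no"                 # first occurrence wins
    return True                                  # assumed default when unset: yes

def assess(banner, config_text):
    """Classify a host from its SSH banner and sshd_config contents."""
    version = banner_version(banner)
    if version is None:
        return "unknown-version"
    if not (VULN_MIN <= version <= VULN_MAX):
        return "version-not-affected"
    # A vendor-patched build may still report an affected version number.
    if challenge_response_enabled(config_text):
        return "exposed"
    return "mitigated-by-config"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    samples = [
        ("SSH-2.0-OpenSSH_3.1p1", "#ChallengeResponseAuthentication no\n"),
        ("SSH-1.99-OpenSSH_2.9p2", "Port 22\nChallengeResponseAuthentication no\n"),
        ("SSH-2.0-OpenSSH_3.4", "Port 22\n"),
    ]
    for banner, config in samples:
        print(banner, "->", assess(banner, config))
```
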
--
DID:464534