Hi,

On 02.10.2016 15:18, Christian Fischer wrote:
> On 10/02/2016 02:55 PM, Reindl Harald wrote:
>> On 02.10.2016 at 13:20, Christian Fischer wrote:
>>> On 10/02/2016 01:02 PM, Reindl Harald wrote:
>>>> besides that i doubt on a server responding with "Permission denied
>>>> (publickey)" (means: no password auth) "The flaw exists due to the
>>>> auth_password function in 'auth-passwd.c' script does not limit password
>>>> lengths for password authentication" can be triggered
>>>
>>> the linux NVT has a QoD of 30% which means it is not shown by default
>>> unless you configure your filter to show results from NVTs prone to
>>> false positives.
>>
>> well, why is the Windows NVT shown at all on Fedora machines :-)
>>
>> NVT: OpenSSH 'auth_password' Denial of Service Vulnerability (Windows)
>> (OID: 1.3.6.1.4.1.25623.1.0.809121)
>>
>> Vulnerability Detection Result
>> Best matching OS:
>> cpe:/o:linux:kernel
>> Found by NVT 1.3.6.1.4.1.25623.1.0.102002 (Detects remote operating
>> system version)
>> Other OS detections (in order of reliability):
>> OS: cpe:/o:microsoft:windows found by 1.3.6.1.4.1.25623.1.0.102002
>> (Detects remote operating system version)
>>
>
> Ouch, have missed the "(Windows)" in your initial mail (yeah, it's
> Sunday :-)).
>
> Strange that the OS is correctly detected as Linux but the:
>
> ## exit, if its not Windows
> if(host_runs("Windows") != "yes") exit(0);
>
> doesn't kick in. Will have a look at this on Tuesday, thanks for the notice.
>
just want to let you know that we have identified the issue. A fix has been
submitted to the Feed and should be available with the next Feed update.

>>> Besides that you can configure your sshd_conf to contain something like:
>>>
>>> *snip*
>>> PasswordAuthentication no
>>>
>>> Match User foo
>>> PasswordAuthentication yes
>>>
>>> *snip*
>>>
>>> which means that your server would be still vulnerable even if the
>>> initial connection from OpenVAS has identified "Permission denied
>>> (publickey)".
>>>
>>> Nothing to be done here from my PoV.
>>>
>>> Regards
>
> Regards,

--
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
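The `Match` override quoted in the thread can be audited on the server side rather than inferred from the "Permission denied (publickey)" reply. The following is an added example, not code from the thread or from OpenVAS: the function name `password_auth_scopes` is hypothetical, the sample configuration is constructed from the quoted snippet, and `Include` directives are assumed absent.

```python
import re

# Constructed sample mirroring the snippet quoted in the thread.
SAMPLE = """\
# global section
PasswordAuthentication no

Match User foo
    PasswordAuthentication yes

Match Address 192.0.2.0/24
    X11Forwarding no
"""

# sshd_config accepts both "Keyword value" and "Keyword=value".
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")


def password_auth_scopes(text, default="yes"):
    """Return (global_value, [Match criteria that enable password auth]).

    sshd keeps the first value it obtains for a keyword, and keywords
    that follow a Match line apply only to connections satisfying it.
    The upstream default for PasswordAuthentication is "yes".
    """
    scope = None   # None means the global section
    first = {}     # scope -> first PasswordAuthentication value seen there
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # blank line or comment
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = value
        elif keyword == "passwordauthentication":
            first.setdefault(scope, value.split()[0].strip('"').lower())
    global_value = first.get(None, default)
    enabled = [s for s, v in first.items() if s is not None and v == "yes"]
    return global_value, enabled


if __name__ == "__main__":
    global_value, enabled = password_auth_scopes(SAMPLE)
    print("global PasswordAuthentication:", global_value)
    for criteria in enabled:
        print("re-enabled for: Match", criteria)
```

A global `no` with a non-empty second element means password authentication is still reachable for the listed `Match` criteria, which is the case described in the quoted reply.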