
Bug#492557: openssh-server discloses unnecessary information about the system in version string



Package: openssh-server
Version: 4.3p2-9etch2
Severity: minor

During connection setup, openssh-server sends its version string to the client.
While that is perfectly OK for the version string itself, the
information appended to the version string gives away free additional
information to a potential attacker about the system sshd is running on.


PROBLEMS

1) telnet ip 22 reveals the information (port scanners can do that as well)
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-9etch2

The second part, Debian-9etch2, leaks additional information entirely
unrelated to openssh-server, thus making attacks on the system (not on
openssh-server) easier, because you immediately get to know not only
what version it is, but also which other packages (dependencies) are
installed and how current they are (i.e. if a newer package is available,
it is most likely that no other package on the system is newer than
that date, etc.).
The "security by obscurity" argument does not count here, as the
information disclosed is not about the package itself but about the
underlying system and its status. This is only a minor issue because it
does not directly pose a threat itself; however, it should be corrected
nonetheless, as it is unnecessary and the user cannot change this
behaviour by just changing the configuration (recompiling is necessary).


SUGGESTION

Change the string in openssh/version.h and compile it again.


Please note that this error is architecture-independent and that the
information given below only describes the system on which the error was verified.

-- System Information:
Debian Release: etch
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.25.10
--
This report was not filed by reportbug and may therefore not be 100%
compliant with the Debian requirements. I am sorry for the inconvenience.
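As an added example (not part of the bug report above, and not Debian or OpenSSH code): a small Python banner grabber and parser for the SSH identification string defined in RFC 4253, section 4.2. It splits the server's first line into protocol version, software version and the optional comments field, which is where the "Debian-9etch2" suffix quoted above appears, and it tolerates the extra lines a server is allowed to send before the "SSH-" line. The sample banners and the host name in the usage are constructed for illustration.

```python
"""Grab and parse an SSH server identification string (RFC 4253, 4.2).

Added example, not code from the bug report.  The sample banners below are
constructed; the first one reproduces the string quoted in the report.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample banners: the one from the report, a stock upstream build
# without a vendor suffix, and a server that sends a pre-banner line first
# (RFC 4253 permits lines not starting with "SSH-" before the ident string).
SAMPLE_BANNERS = {
    "debian_etch": b"SSH-2.0-OpenSSH_4.3p2 Debian-9etch2\r\n",
    "upstream": b"SSH-2.0-OpenSSH_4.3p2\r\n",
    "with_preamble": b"Authorized access only\r\nSSH-2.0-OpenSSH_4.3p2 Debian-9etch2\r\n",
}


@dataclass
class SshIdent:
    protoversion: str      # e.g. "2.0"
    softwareversion: str   # e.g. "OpenSSH_4.3p2"
    comments: Optional[str]  # e.g. "Debian-9etch2", or None if absent


def parse_ssh_ident(data: bytes) -> SshIdent:
    """Parse the identification string out of raw bytes read from a server.

    Format: 'SSH-protoversion-softwareversion SP comments CR LF'.  The
    softwareversion may not contain '-' or whitespace, so splitting the
    head on the first two hyphens and the line on the first space is exact.
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # preamble line, ignored per RFC 4253
        text = line.decode("ascii", errors="replace")
        head, _, comments = text.partition(" ")
        parts = head.split("-", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed identification string: {text!r}")
        _, proto, software = parts
        return SshIdent(proto, software, comments or None)
    raise ValueError("no SSH identification string found")


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Connect and read until the server's ident line has arrived.

    The server speaks first, so nothing is sent.  Reading stops once an
    'SSH-' line is terminated by LF, or after 4 KiB to bound a chatty peer.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        buf = b""
        while len(buf) < 4096:
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
            idx = buf.find(b"SSH-")
            if idx != -1 and b"\n" in buf[idx:]:
                break
        return buf


if __name__ == "__main__":
    # Offline demonstration on the constructed banners.
    for name, banner in SAMPLE_BANNERS.items():
        ident = parse_ssh_ident(banner)
        suffix = ident.comments or "(none)"
        print(f"{name:14s} software={ident.softwareversion:14s} vendor suffix={suffix}")
    # Live check: python3 ssh_banner.py <host> [port]   (host is an assumption)
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
        live = parse_ssh_ident(grab_banner(sys.argv[1], port))
        print(f"{sys.argv[1]}:{port} -> {live}")
```

The comments field is optional in the protocol, so an empty one (as in the upstream banner) parses as None; the live path only needs a TCP connect and a read, which is exactly what the telnet check in the report does by hand.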


