OPIE w/ OpenSSH Account Enumeration The remote host is susceptible to an information disclosure attack.
Hi,
I am running the openssh-server-7.4p1-21.el7.x86_64 on CentOS Linux release 7.9.2009 (Core).
#cat /etc/redhat-release CentOS Linux release 7.9.2009 (Core) # rpm -qa |grep ssh openssh-server-7.4p1-21.el7.x86_64 libssh2-1.8.0-4.el7.x86_64 openssh-7.4p1-21.el7.x86_64 openssh-clients-7.4p1-21.el7.x86_64
While invoking the Vulnerability Assessment and Penetration Testing (VAPT) scan, we are encountering the below vulnerability.
OPIE w/ OpenSSH Account Enumeration The remote host is susceptible to an
information disclosure attack. CVE-2007-2768 A patch currently does not exist for this issue. As a workaround, ensure that OPIE for PAM is not installed. Version source : SSH-2.0-OpenSSH_7.4 Installed version : 7.4 https://seclists.org/fulldisclosure/2007/Apr/634
Any help will be highly appreciated. Thanks in Advance. Please let me know if you need any additional information.
Best Regards,
Kaushal -
On Thu, 28 Jan 2021 at 11:40, Kaushal Shriyan kaushalshriyan@gmail.com wrote:
Hi,
I am running the openssh-server-7.4p1-21.el7.x86_64 on CentOS Linux release 7.9.2009 (Core).
#cat /etc/redhat-release CentOS Linux release 7.9.2009 (Core) # rpm -qa |grep ssh openssh-server-7.4p1-21.el7.x86_64 libssh2-1.8.0-4.el7.x86_64 openssh-7.4p1-21.el7.x86_64 openssh-clients-7.4p1-21.el7.x86_64
While invoking the Vulnerability Assessment and Penetration Testing (VAPT) scan, we are encountering the below vulnerability.
OPIE w/ OpenSSH Account Enumeration The remote host is susceptible to an
information disclosure attack. CVE-2007-2768 A patch currently does not exist for this issue. As a workaround, ensure that OPIE for PAM is not installed. Version source : SSH-2.0-OpenSSH_7.4 Installed version : 7.4 https://seclists.org/fulldisclosure/2007/Apr/634
Any help will be highly appreciated. Thanks in Advance. Please let me know if you need any additional information.
This vulnerability is a 'useless' one to test against unless you are either going to 'exploit' OPIE to confirm it is installed or have local access to the system to check. For the systems which show up like this you will need to see if OPIE has been installed on the systems. OPIE is not shipped with CentOS as far as I know but it could be installed aftermarket.
if it was done with rpms' rpm -qa | grep -i opie
otherwise you will need to look in /etc/pam.d
grep -i open /etc/pam.d/*
If it is installed, then this isn't a CentOS issue as OPIE is not shipped but would be whoever added this to the systems problem.
Best Regards,
Kaushal
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
-
Kaushal Shriyan -
Stephen John Smoogen