CVE-2012-5975
published 2012-12-04


Priority: P272 critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 35.87% (98.3th percentile)
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords, as demonstrated by a root login session from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c.

Affected

35 ranges
Vendor | Product | Version range | Fixed in
ssh | tectia_server

Detection & IOCs (extracted from sources)

other: SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ (byte 0x3C / message type 60)
other: SSH2_MSG_USERAUTH_SUCCESS (message type 52)
other: SSH2_MSG_SERVICE_ACCEPT (message type 6)
version: SSH-2.0-6.1.9.95 SSH Tectia Server
version: SSH-2.0-6.0.11.5 SSH Tectia Server
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23082.zip
  • Detect SSH banner matching 'SSH Tectia' to identify potentially vulnerable targets; the Metasploit module uses this exact string to confirm exploitability.
  • Alert on SSH sessions where an SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ (password change request) is sent BEFORE any successful password authentication — this is the core exploit primitive.
  • Monitor for SSH authentication sequences where both old and new passwords in a USERAUTH password-change packet are empty strings — a strong indicator of exploitation.
  • Watch for keyboard-interactive auth attempts followed immediately by a password-change request (USERAUTH CHANGE REQUEST) targeting the 'root' username on port 22.
  • Flag SSH sessions from modified OpenSSH clients that include an 'input_userauth_passwd_changereq' call in sshconnect2.c, as this is the client-side modification used to trigger the vulnerability.
  • The vulnerability is only exploitable when 'old-style password authentication' is enabled on the SSH Tectia Server. Installations not using this authentication mode are not affected.
  • The vulnerability is limited to UNIX and Linux platforms; Windows-based Tectia Server deployments are not affected.
  • A valid username on the target system is required for exploitation; the attacker does not need to know the password but must supply a known username (e.g., root).