CVE-2012-5975
Published 2012-12-04
Priority P2 · 72 · critical · CVSS 2.0: 9.3
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 35.87% (98.3th percentile)
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords, as demonstrated by a root login session from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ssh | tectia_server | — | — |
Detection & IOCs
- Detect SSH banner matching 'SSH Tectia' to identify potentially vulnerable targets; the Metasploit module uses this exact string to confirm exploitability.
- Alert on SSH sessions where an SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ (password change request) is sent BEFORE any successful password authentication; this is the core exploit primitive.
- Monitor for SSH authentication sequences where both old and new passwords in a USERAUTH password-change packet are empty strings, a strong indicator of exploitation.
- Watch for keyboard-interactive auth attempts followed immediately by a password-change request (USERAUTH CHANGE REQUEST) targeting the 'root' username on port 22.
- Flag SSH sessions from modified OpenSSH clients that include an 'input_userauth_passwd_changereq' call in sshconnect2.c, as this is the client-side modification used to trigger the vulnerability.
- The vulnerability is only exploitable when 'old-style password authentication' is enabled on the SSH Tectia Server. Installations not using this authentication mode are not affected.
- The vulnerability is limited to UNIX and Linux platforms; Windows-based Tectia Server deployments are not affected.
- A valid username on the target system is required for exploitation; the attacker does not need to know the password but must supply a known username (e.g., root).
Exploit-DB
(SSH.com Communications) SSH Tectia - USERAUTH Change Request Password Reset (Metasploit)
exploitdb · 2012-12-05
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'net/ssh'
class Metasploit3 "Tectia SSH USERAUTH Change Request Password Reset Vulnerability",
'Description' => %q{
This module exploits a vulnerability in Tectia SSH server for Unix-based
platforms. The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request
before password authentication, allowing any remote user to bypass the login
routine, and then gain access as root.
},
'License' => MSF_LICENSE,
'Author'
```
Exploit-DB
(SSH.com Communications) SSH Tectia (SSH < 2.0-6.1.9.95 / Tectia 6.1.9.95) - Remote Authentication Bypass
exploitdb · 2012-12-02
---
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23082.zip
SSH Tectia Remote Authentication Bypass
Tectia is the commercial OpenSSH solution. The product can be found at:
www.tectia.com
An attacker in the possession of a valid username of an SSH Tectia installation running on UNIX (verified: AIX/Linux) can login without a password.
The bug is in the SSH USERAUTH CHANGE REQUEST routines which are there to allow a user to change their password. A bug in this code allows an attacker to login without a password by forcing a password change request prior to authentication.
The vulnerability has been verified on UNIX operating systems and at least on t
Metasploit
Tectia SSH USERAUTH Change Request Password Reset Vulnerability
metasploit
This module exploits a vulnerability in Tectia SSH server for Unix-based platforms. The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request before password authentication, allowing any remote user to bypass the login routine, and then gain access as root.
- http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0013.html
- http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0065.html
- http://www.exploit-db.com/exploits/23082/
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ssh/tectia_passwd_changereq.rb