Low severity and CVSS score in ssh1_proto_enabled.nasl
Plugin ssh1_proto_enabled.nasl (version 1.18) rates CVE-2001-0361 as
Low with CVSS 2.6, which seems rather odd, especially considering that
it should be rated similarly to SSLv2.

According to CVE/NVD the CVSS score is in fact 4.0:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0361

The following patch fixes the issue:

--- ssh1_proto_enabled.nasl.orig 2009-02-24 21:15:13.000000000 -0600
+++ ssh1_proto_enabled.nasl 2009-03-10 13:13:49.000000000 -0400
@@ -33,8 +33,8 @@

Risk factor :

-Low / CVSS Base Score : 2.6
-(CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)";
+Medium / CVSS Base Score : 4.0
+(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)";


script_description(english:desc["english"]);
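Review bot: In the "Risk factor" lines the vector changes as well as the score (I:N becomes I:P), but the message only cites the new score. The new vector does evaluate to 4.0 under the CVSS v2 base equation, so the two lines agree with each other; please confirm that the vector string is copied from the NVD entry rather than chosen to fit the score, and mention the I:P change in the changelog so the higher rating is explained by the integrity impact.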
@@ -91,5 +91,5 @@

if((test_version(version:"1.33", port:port)) ||
(test_version(version:"1.5", port:port)))
- security_note(port);
+ security_warning(port);




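Review bot: The switch to security_warning(port) under the test_version() condition has to stay in step with the "Medium" label edited in the description hunk, and nothing in the visible lines ties the two together. Suggest a short comment next to the call stating that it corresponds to the Medium / 4.0 rating, so a later change to one place is not made without the other.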
Cheers,
nnposter
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
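
The two vectors in the patch can be checked against the CVSS v2 base equation. The following is an added example, not part of the original post or of the plugin; it assumes the plugin's risk label follows NVD's CVSS v2 ranking (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0), and the function names are hypothetical.

```python
import re

# Metric weights from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

# Matches the risk factor text in the form used by the plugin description.
RISK_RE = re.compile(r"(\w+) / CVSS Base Score : ([\d.]+)\s*\(CVSS2#([^)]+)\)")


def base_score(vector):
    """CVSS v2 base score for a vector such as 'AV:N/AC:H/Au:N/C:P/I:N/A:N'."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if set(metrics) != set(WEIGHTS):
        raise ValueError("vector must contain exactly AV, AC, Au, C, I, A")
    try:
        w = {name: WEIGHTS[name][value] for name, value in metrics.items()}
    except KeyError as exc:
        raise ValueError(f"unknown metric value: {exc}") from None
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def severity(score):
    """NVD CVSS v2 ranking (assumed here to be what the plugin label follows)."""
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"


def check_risk_factor(text):
    """Compare the stated label and score in a description with the vector."""
    match = RISK_RE.search(text)
    if match is None:
        raise ValueError("no risk factor line found")
    label, stated, vector = match.group(1), float(match.group(2)), match.group(3)
    computed = base_score(vector)
    return {"computed": computed, "score_ok": stated == computed,
            "label_ok": label == severity(computed)}


# The two risk factor texts from the patch above.
OLD_TEXT = "Low / CVSS Base Score : 2.6\n(CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)"
NEW_TEXT = "Medium / CVSS Base Score : 4.0\n(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)"

if __name__ == "__main__":
    for text in (OLD_TEXT, NEW_TEXT):
        print(check_risk_factor(text))
```

Both texts are internally consistent, so the disagreement in the post is about which vector applies (I:N or I:P), not about arithmetic.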