Win32-OpenSSH
Hardcoded banner allows an attacker to quickly identify vulnerable machines
Prerequisites
- [X] Write a descriptive title.
- [X] Make sure you are able to repro it on the latest version
- [X] Search the existing issues.
Steps to reproduce
This is a duplicate of https://github.com/PowerShell/Win32-OpenSSH/issues/2021
Win32-OpenSSH publicly displays a banner revealing the OS and the OpenSSH version number. Although this is not a security vulnerability by itself, it will easily give an attacker known vulnerabilities on the system if a version is not the latest.
`banner none` is ignored in the config.
Expected behavior
No banner shown if `banner none` is in the config
Actual behavior
Displayed banner:
`SSH-2.0-OpenSSH_for_Windows_9.2`
Error details
No response
Environment data
```
Name                           Value
----                           -----
PSVersion                      7.3.4
PSEdition                      Core
GitCommitId                    7.3.4
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```
Version
9.2
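
The string under "Actual behavior" is the SSH protocol identification string, which RFC 4253 section 4.2 defines as `SSH-protoversion-softwareversion SP comments` and which a server sends before any authentication. The following added example (not part of the original issue or of the Win32-OpenSSH code base) parses such strings, as collected from an inventory of your own hosts, and reports what each one discloses. The function names, host names and every sample string other than the one quoted in the issue are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# The software field is matched permissively (any non-space characters).
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
OS_HINTS = ("Windows", "Ubuntu", "Debian", "FreeBSD")  # assumed watch list


def parse_ident(line):
    """Split an SSH identification string into its RFC 4253 fields."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.groupdict()


def disclosures(line):
    """Return what the string reveals to an unauthenticated peer."""
    fields = parse_ident(line)
    software = fields["software"]
    found = {"product": software}
    ver = re.search(r"\d+(?:\.\d+)+(?:p\d+)?", software)
    if ver:
        found["version"] = ver.group(0)
        found["product"] = software[:ver.start()].rstrip("_-")
    haystack = (software + " " + (fields["comments"] or "")).lower()
    for os_name in OS_HINTS:
        if os_name.lower() in haystack:
            found["os_hint"] = os_name
            break
    return found


def audit(inventory):
    """Map each host to the details its identification string exposes."""
    return {host: disclosures(ident) for host, ident in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; only the first string appears in the issue.
    inventory = {
        "win-host.example": "SSH-2.0-OpenSSH_for_Windows_9.2\r\n",
        "linux-host.example": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n",
        "appliance.example": "SSH-2.0-ExampleSSHD\r\n",
    }
    for host, info in audit(inventory).items():
        print(host, info)
```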