Ssh-2.0-cisco-1.25 Vulnerability - [cracked]
The SSH-2.0-Cisco-1.25 vulnerability is a weakness in the Cisco SSH implementation that allows an attacker to exploit the server's authentication mechanism. Specifically, the vulnerability occurs when the server is configured to use a specific type of authentication, known as "keyboard-interactive" authentication.
: The device runs into an unhandled exception state and triggers a forced system reload, generating a sustained Denial of Service (DoS) window across the production environment. 3. RSA-Based Public Key Authentication Bypass
On Cisco ASA devices that reported similar version strings (often overlapping with 1.25 ), there was a vulnerability where processing specific SSH packets would not free memory correctly. Over days or weeks, the device would exhaust memory and stop passing traffic. This required a reboot to resolve. ssh-2.0-cisco-1.25 vulnerability
By intercepting the initial handshake, a Man-in-the-Middle (MitM) attacker can drop specific protocol messages without the client or server realizing a change occurred.
The identification string SSH-2.0-Cisco-1.25 is a common sight for network engineers, appearing during SSH connections to a vast number of Cisco switches and routers. It is not merely a version number; it's a digital banner announced by the SSH server on a device as soon as a TCP connection is established on port 22. The SSH-2
| Risk Factor | Rating | Justification | | :--- | :--- | :--- | | | High | Weak encryption allows traffic decryption via MitM attacks. | | Integrity | High | Weak key exchange algorithms allow data manipulation. | | Availability | Medium | Potential for DoS via handshake exploitation. | | Attack Complexity | Medium | Requires access to the network path (MitM) or valid credentials (downgrade attacks). |
: A vulnerability in the SSH state machine of Cisco IOS and IOS-XE Software could allow an authenticated, remote attacker to cause the device to reload by sending a specific traffic pattern, leading to a Denial of Service (DoS). Terrapin Attack (CVE-2023-48795) This required a reboot to resolve
If your security scanner flagged this banner, it is likely checking for the following vulnerabilities that commonly affect Cisco SSH implementations: SSH Terrapin Prefix Truncation Weakness - Cisco Community
The identification of Cisco-1.25 suggests the device is utilizing an older SSH implementation library. Below are the primary vulnerabilities associated with this specific banner.
The device crashes and reloads, resulting in a Denial of Service (DoS) condition. C. Emerging Threats: Erlang/OTP SSH Weaknesses
This is a "prefix truncation" attack where a man-in-the-middle (MitM) attacker can secretly remove parts of the encrypted handshake.