On Sat, Jan 7, 2012 at 5:24 AM, Bruno Wolff III <bruno(a)wolff.to> wrote:
> On Sat, Jan 07, 2012 at 05:09:42 +0100,
> Reindl Harald <h.reindl(a)thelounge.net> wrote:
> >
> > however - why do we spit the current running versions to everyone?
>
> It can help when troubleshooting problems. The current version isn't
> really that helpful to attackers anyway. It's about as easy to just try
> an exploit as it is to first test to see if the exploit might work and
> then try it.

Actually, knowing the exact build/version can help select the right
exploit/payload so that the exploit succeeds on the first try (and
leaves no or very little evidence behind) instead of trying 10
different variants and causing a large log/IDS signature. Hence, the
less specific the version information is, the better.

(Address randomization is often a larger obstacle than an unknown
build/version number, but address randomization only affects a certain
class of vulnerabilities.)

In the particular case of SSH, we are really dealing with a "protocol
identifier", not a "version number" and it needs to be treated as such
- ideally by the auditors as well.

Mirek
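
The SSH identification string discussed in this thread has a fixed layout in RFC 4253 section 4.2 (`SSH-protoversion-softwareversion SP comments CR LF`). The following is an added example, not part of the original messages: it splits a banner into those fields and notes which ones carry release or build detail beyond the protocol identifier. The function names and the sample banners are constructed for illustration.

```python
import re

# RFC 4253 section 4.2 layout: SSH-protoversion-softwareversion SP comments CR LF
# protoversion/softwareversion: printable US-ASCII without whitespace or '-'.
TOKEN = r"[\x21-\x2c\x2e-\x7e]+"
IDENT_RE = re.compile(
    rf"^SSH-(?P<proto>{TOKEN})-(?P<software>{TOKEN})(?: (?P<comments>[\x20-\x7e]*))?$"
)


def parse_ident(raw: bytes) -> dict:
    """Split one identification line into its RFC 4253 fields."""
    if len(raw) > 255:  # the limit includes the trailing CR LF
        raise ValueError("identification string longer than 255 bytes")
    # A non-ASCII banner raises UnicodeDecodeError, a subclass of ValueError.
    match = IDENT_RE.match(raw.rstrip(b"\r\n").decode("ascii"))
    if match is None:
        raise ValueError("not an SSH identification string")
    return match.groupdict()


def audit_ident(raw: bytes) -> dict:
    """Report the protocol identifier and any fields that add build detail."""
    fields = parse_ident(raw)
    notes = []
    if fields["proto"] not in ("2.0", "1.99"):
        notes.append("protoversion is not an SSH-2 value")
    if re.search(r"\d", fields["software"]):
        notes.append("softwareversion includes a release number")
    if fields["comments"]:
        notes.append("optional comments field is populated")
    return {"protocol_id": "SSH-" + fields["proto"], **fields, "notes": notes}


# Constructed sample banners, not captured from any real host.
SAMPLES = [
    b"SSH-2.0-ExampleSSH_5.8 ExampleDistro-build42\r\n",
    b"SSH-2.0-ExampleSSH\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(audit_ident(banner))
```
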