GLSA-200804-03 : OpenSSH: Privilege escalation

2008-04-1100:00:00

www.tenable.com

The remote host is affected by the vulnerability described in GLSA-200804-03 (OpenSSH: Privilege escalation)

Two issues have been discovered in OpenSSH:
Timo Juhani     Lindfors discovered that OpenSSH sets the DISPLAY variable in SSH     sessions using X11 forwarding even when it cannot bind the X11 server     to a local port in all address families (CVE-2008-1483).
OpenSSH will execute the contents of the '.ssh/rc' file even when     the 'ForceCommand' directive is enabled in the global sshd_config     (CVE-2008-1657).

Impact :

A local attacker could exploit the first vulnerability to hijack     forwarded X11 sessions of other users and possibly execute code with     their privileges, disclose sensitive data or cause a Denial of Service,     by binding a local X11 server to a port using only one address family.
The second vulnerability might allow local attackers to bypass intended     security restrictions and execute commands other than those specified     by 'ForceCommand' if they are able to write to their home directory.

Workaround :

There is no known workaround at this time.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200804-03.
#
# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(31834);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2008-1483", "CVE-2008-1657");
  script_xref(name:"GLSA", value:"200804-03");

  script_name(english:"GLSA-200804-03 : OpenSSH: Privilege escalation");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-200804-03
(OpenSSH: Privilege escalation)

    Two issues have been discovered in OpenSSH:
    Timo Juhani
    Lindfors discovered that OpenSSH sets the DISPLAY variable in SSH
    sessions using X11 forwarding even when it cannot bind the X11 server
    to a local port in all address families (CVE-2008-1483).
    OpenSSH will execute the contents of the '.ssh/rc' file even when
    the 'ForceCommand' directive is enabled in the global sshd_config
    (CVE-2008-1657).
  
Impact :

    A local attacker could exploit the first vulnerability to hijack
    forwarded X11 sessions of other users and possibly execute code with
    their privileges, disclose sensitive data or cause a Denial of Service,
    by binding a local X11 server to a port using only one address family.
    The second vulnerability might allow local attackers to bypass intended
    security restrictions and execute commands other than those specified
    by 'ForceCommand' if they are able to write to their home directory.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200804-03"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All OpenSSH users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.7_p1-r6'"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openssh");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/04/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"net-misc/openssh", unaffected:make_list("ge 4.7_p1-r6"), vulnerable:make_list("lt 4.7_p1-r6"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenSSH");
}

VendorProductVersionCPE
gentoolinuxopensshp-cpe:/a:gentoo:linux:openssh
gentoolinuxcpe:/o:gentoo:linux

Vendor	Product	Version	CPE
gentoo	linux	openssh	p-cpe:/a:gentoo:linux:openssh
gentoo	linux		cpe:/o:gentoo:linux

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657

security.gentoo.org/glsa/200804-03

JSON

Related for GENTOO_GLSA-200804-03.NASL