Vulnerabilities > CVE-2006-4925 - Denial-Of-Service vulnerability in Openbsd Openssh 4.5
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Nessus
NASL family Misc. NASL id OPENSSH_44.NASL description According to its banner, the version of OpenSSH installed on the remote host is affected by multiple vulnerabilities : - A race condition exists that may allow an unauthenticated, remote attacker to crash the service or, on portable OpenSSH, possibly execute code on the affected host. Note that successful exploitation requires that GSSAPI authentication be enabled. - A flaw exists that may allow an attacker to determine the validity of usernames on some platforms. Note that this issue requires that GSSAPI authentication be enabled. - When SSH version 1 is used, an issue can be triggered via an SSH packet that contains duplicate blocks that could result in a loss of availability for the service. - On Fedora Core 6 (and possibly other systems), an unspecified vulnerability in the linux_audit_record_event() function allows remote attackers to inject incorrect information into audit logs. last seen 2020-06-01 modified 2020-06-02 plugin id 22466 published 2006-09-28 reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22466 title OpenSSH < 4.4 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(22466); script_version("1.30"); script_cvs_date("Date: 2018/07/16 14:09:13"); script_cve_id("CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5229", "CVE-2007-3102", "CVE-2008-4109"); script_bugtraq_id(20216, 20241, 20245); script_name(english:"OpenSSH < 4.4 Multiple Vulnerabilities"); script_summary(english:"Checks version number of OpenSSH"); script_set_attribute(attribute:"synopsis", value: "The remote SSH server is affected by multiple vulnerabilities." ); script_set_attribute(attribute:"description", value: "According to its banner, the version of OpenSSH installed on the remote host is affected by multiple vulnerabilities : - A race condition exists that may allow an unauthenticated, remote attacker to crash the service or, on portable OpenSSH, possibly execute code on the affected host. Note that successful exploitation requires that GSSAPI authentication be enabled. - A flaw exists that may allow an attacker to determine the validity of usernames on some platforms. Note that this issue requires that GSSAPI authentication be enabled. - When SSH version 1 is used, an issue can be triggered via an SSH packet that contains duplicate blocks that could result in a loss of availability for the service. - On Fedora Core 6 (and possibly other systems), an unspecified vulnerability in the linux_audit_record_event() function allows remote attackers to inject incorrect information into audit logs."); script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-4.4" ); script_set_attribute(attribute:"solution", value: "Upgrade to OpenSSH 4.4 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(264, 362, 399); script_set_attribute(attribute:"plugin_publication_date", value: "2006/09/28"); script_set_attribute(attribute:"vuln_publication_date", value: "2006/09/28"); script_set_attribute(attribute:"plugin_type", value: "remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh", 22); exit(0); } include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:"ssh", exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/"+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH."); if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported."); if (!get_kb_item("Settings/PCI_DSS")) { auth = get_kb_item_or_exit("SSH/supportedauth/" + port); if ("gssapi" >!< auth) exit(0, "The SSH service on port "+port+" doesn't support GSSAPI."); } if (bp_banner =~ "openssh[-_]([0-3]\.|4\.[0-3]([^0-9]|$))") security_hole(port);NASL family Misc. NASL id OPENSSH_45.NASL description According to its banner, the remote host is running a version of OpenSSH prior to 4.5. Versions before 4.5 are affected by the following vulnerabilities : - A client-side NULL pointer dereference, caused by a protocol error from a malicious server, which could cause the client to crash. (CVE-2006-4925) - A privilege separation vulnerability exists, which could allow attackers to bypass authentication. The vulnerability is caused by a design error between privileged processes and their child processes. Note that this particular issue is only exploitable when other vulnerabilities are present. (CVE-2006-5794) - An attacker that connects to the service before it has finished creating keys could force the keys to be recreated. This could result in a denial of service for any processes that relies on a trust relationship with the server. Note that this particular issue only affects the Apple implementation of OpenSSH on Mac OS X. (CVE-2007-0726) last seen 2020-06-01 modified 2020-06-02 plugin id 44077 published 2011-10-04 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44077 title OpenSSH < 4.5 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(44077); script_version("1.9"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id("CVE-2006-4925", "CVE-2006-5794", "CVE-2007-0726"); script_bugtraq_id(20956); script_name(english:"OpenSSH < 4.5 Multiple Vulnerabilities"); script_summary(english:"Checks for remote SSH version"); script_set_attribute(attribute:"synopsis", value: "The remote SSH service is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the remote host is running a version of OpenSSH prior to 4.5. Versions before 4.5 are affected by the following vulnerabilities : - A client-side NULL pointer dereference, caused by a protocol error from a malicious server, which could cause the client to crash. (CVE-2006-4925) - A privilege separation vulnerability exists, which could allow attackers to bypass authentication. The vulnerability is caused by a design error between privileged processes and their child processes. Note that this particular issue is only exploitable when other vulnerabilities are present. (CVE-2006-5794) - An attacker that connects to the service before it has finished creating keys could force the keys to be recreated. This could result in a denial of service for any processes that relies on a trust relationship with the server. Note that this particular issue only affects the Apple implementation of OpenSSH on Mac OS X. (CVE-2007-0726)" ); script_set_attribute(attribute:"see_also", value:"https://www.openssh.com/txt/release-4.5"); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/kb/TA24626?locale=en_US"); script_set_attribute(attribute:"see_also", value:"https://www.openssh.com/security.html"); script_set_attribute(attribute:"solution", value: "Upgrade to OpenSSH 4.5 or later. For Mac OS X 10.3, apply Security Update 2007-003. For Mac OS X 10.4, upgrade to 10.4.9."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/08"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_family(english:"Misc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh", 22); exit(0); } include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); port = get_service(svc:'ssh', exit_on_fail:TRUE); banner = get_kb_item_or_exit('SSH/banner/'+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ('openssh' >!< bp_banner) exit(0, 'The SSH service on port '+port+' is not OpenSSH.'); if (backported) exit(1, 'The banner from the OpenSSH server on port '+port+' indicates patches may have been backported.'); # Check the version in the banner. matches = eregmatch(string:bp_banner, pattern:'openssh[-_]([0-9][-._0-9a-z]+)'); if (isnull(matches)) exit(0, 'Could not parse number from version string on port ' + port + '.'); version = matches[1]; if (version =~ '^([0-3]\\..*|4\\.[0-4]($|[^\\.0-9]|\\..*))') { if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : 4.5\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else exit(0, 'The OpenSSH server on port '+port+' is not affected as it\'s version '+version+'.');NASL family SuSE Local Security Checks NASL id SUSE_OPENSSH-2183.NASL description Several security problems were fixed in OpenSSH : - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. last seen 2020-06-01 modified 2020-06-02 plugin id 27365 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27365 title openSUSE 10 Security Update : openssh (openssh-2183) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openssh-2183. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27365); script_version ("1.15"); script_cvs_date("Date: 2019/10/25 13:36:28"); script_cve_id("CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052"); script_name(english:"openSUSE 10 Security Update : openssh (openssh-2183)"); script_summary(english:"Check for the openssh-2183 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several security problems were fixed in OpenSSH : - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms." ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(362, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/10/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.1", reference:"openssh-4.2p1-18.9") ) flag++; if ( rpm_check(release:"SUSE10.1", reference:"openssh-askpass-4.2p1-18.9") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh"); }NASL family SuSE Local Security Checks NASL id SUSE_SA_2006_062.NASL description The remote host is missing the patch for the advisory SUSE-SA:2006:062 (openssh). Several security problems were fixed in OpenSSH 4.4 and the bug fixes were back ported to the openssh versions in our products. - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal handler reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of user names on some platforms. last seen 2019-10-28 modified 2007-02-18 plugin id 24440 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24440 title SUSE-SA:2006:062: openssh code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:062 # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(24440); script_version ("1.9"); name["english"] = "SUSE-SA:2006:062: openssh"; script_name(english:name["english"]); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a vendor-supplied security patch" ); script_set_attribute(attribute:"description", value: "The remote host is missing the patch for the advisory SUSE-SA:2006:062 (openssh). Several security problems were fixed in OpenSSH 4.4 and the bug fixes were back ported to the openssh versions in our products. - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal handler reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of user names on some platforms." ); script_set_attribute(attribute:"solution", value: "http://www.novell.com/linux/security/advisories/2006_62_openssh.html" ); script_set_attribute(attribute:"risk_factor", value:"High" ); script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18"); script_end_attributes(); summary["english"] = "Check for the version of the openssh package"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); family["english"] = "SuSE Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/SuSE/rpm-list"); exit(0); } include("rpm.inc"); if ( rpm_check( reference:"openssh-4.1p1-10.9", release:"SUSE10.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"openssh-askpass-4.1p1-10.9", release:"SUSE10.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"openssh-3.9p1-3.10", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"openssh-askpass-3.9p1-3.10", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"openssh-3.9p1-12.8", release:"SUSE9.3") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"openssh-askpass-3.9p1-12.8", release:"SUSE9.3") ) { security_hole(0); exit(0); }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-179.NASL description Tavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector. This could allow a remote unauthenticated attacker to trigger excessive CPU utilization by sending a specially crafted SSH message, which would then deny ssh services to other users or processes (CVE-2006-4924, CVE-2006-4925). Please note that Mandriva ships with only SSH protocol version 2 enabled by default. Next, an unsafe signal handler was found by Mark Dowd. This signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication DoS, and theoretically a pre-authentication remote code execution in the case where some authentication methods like GSSAPI are enabled (CVE-2006-5051). Updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 24565 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24565 title Mandrake Linux Security Advisory : openssh (MDKSA-2006:179) NASL family SuSE Local Security Checks NASL id SUSE_OPENSSH-2184.NASL description Several security problems were fixed in OpenSSH : - A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. (CVE-2006-4924) - If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. (CVE-2006-4925) - Fixed an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. (CVE-2006-5051) - Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. (CVE-2006-5052) last seen 2020-06-01 modified 2020-06-02 plugin id 29538 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29538 title SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 2184) NASL family Misc. NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them. last seen 2020-06-01 modified 2020-06-02 plugin id 55992 published 2011-08-29 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55992 title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
Statements
| contributor | Joshua Bressers |
| lastmodified | 2006-10-31 |
| organization | Red Hat |
| statement | Red Hat does not consider this flaw a security issue. This flaw can cause an OpenSSH client to crash when connecting to a malicious server, which does not result in a denial of service condition. |
References
- http://bugs.gentoo.org/show_bug.cgi?id=148228
- http://secunia.com/advisories/22245
- http://secunia.com/advisories/22298
- http://secunia.com/advisories/22495
- http://secunia.com/advisories/23038
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:179
- http://www.novell.com/linux/security/advisories/2006_24_sr.html
- http://www.novell.com/linux/security/advisories/2006_62_openssh.html
- http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.144&r2=1.145&f=h
- http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.022-openssh.html
- http://www.securityfocus.com/archive/1/447153/100/0/threaded
- http://www.securityfocus.com/archive/1/447861/100/200/threaded
- https://issues.rpath.com/browse/RPL-661
- https://issues.rpath.com/browse/RPL-681