Vulnerabilities > CVE-2007-0726 - Applications Multiple vulnerability in Apple Mac OS X

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
apple
nessus

Summary

The SSH key generation process in OpenSSH in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote attackers to cause a denial of service by connecting to the server before SSH has finished creating keys, which causes the keys to be regenerated and can break trust relationships that were based on the original keys.

Nessus

  • NASL family: Misc.
    NASL id: OPENSSH_45.NASL
    description: According to its banner, the remote host is running a version of OpenSSH prior to 4.5. Versions before 4.5 are affected by the following vulnerabilities : - A client-side NULL pointer dereference, caused by a protocol error from a malicious server, which could cause the client to crash. (CVE-2006-4925) - A privilege separation vulnerability exists, which could allow attackers to bypass authentication. The vulnerability is caused by a design error between privileged processes and their child processes. Note that this particular issue is only exploitable when other vulnerabilities are present. (CVE-2006-5794) - An attacker that connects to the service before it has finished creating keys could force the keys to be recreated. This could result in a denial of service for any process that relies on a trust relationship with the server. Note that this particular issue only affects the Apple implementation of OpenSSH on Mac OS X. (CVE-2007-0726)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44077
    published: 2011-10-04
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/44077
    title: OpenSSH < 4.5 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    # Registration branch: when the engine evaluates the script with
    # `description` set, only plugin metadata is declared here and the script
    # exits (exit(0) at the end of the block) before any check is run.
    if (description)
    {
      script_id(44077);
      script_version("1.9");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      # One banner check reports three CVEs at once. Per the description text
      # below, CVE-2007-0726 applies only to Apple's OpenSSH build on Mac OS X,
      # so a finding on another platform does not by itself imply exposure to
      # that CVE.
      script_cve_id("CVE-2006-4925", "CVE-2006-5794", "CVE-2007-0726");
      script_bugtraq_id(20956);
    
      script_name(english:"OpenSSH < 4.5 Multiple Vulnerabilities");
      script_summary(english:"Checks for remote SSH version");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote SSH service is affected by multiple vulnerabilities.");
    
      # The description states up front that the result is derived from the
      # banner ("According to its banner"), i.e. from the reported version.
      script_set_attribute(attribute:"description", value:
    "According to its banner, the remote host is running a version of
    OpenSSH prior to 4.5.  Versions before 4.5 are affected by the
    following vulnerabilities :
    
      - A client-side NULL pointer dereference, caused by a
        protocol error from a malicious server, which could
        cause the client to crash. (CVE-2006-4925)
    
      - A privilege separation vulnerability exists, which could 
        allow attackers to bypass authentication. The 
        vulnerability is caused by a design error between 
        privileged processes and their child processes. Note 
        that this particular issue is only exploitable when 
        other vulnerabilities are present. (CVE-2006-5794)
    
      - An attacker that connects to the service before it has 
        finished creating keys could force the keys to be 
        recreated. This could result in a denial of service for 
        any processes that relies on a trust relationship with 
        the server. Note that this particular issue only affects 
        the Apple implementation of OpenSSH on Mac OS X. 
        (CVE-2007-0726)"
      );
    
      script_set_attribute(attribute:"see_also", value:"https://www.openssh.com/txt/release-4.5");
      script_set_attribute(attribute:"see_also", value:"https://support.apple.com/kb/TA24626?locale=en_US");
      script_set_attribute(attribute:"see_also", value:"https://www.openssh.com/security.html");
      # Two remediation paths are given: the upstream OpenSSH release, and the
      # Apple OS updates for Mac OS X 10.3 / 10.4.
      script_set_attribute(attribute:"solution", value:
    "Upgrade to OpenSSH 4.5 or later.
    For Mac OS X 10.3, apply Security Update 2007-003.
    For Mac OS X 10.4, upgrade to 10.4.9.");
      # A single base vector is declared for the whole plugin, so it need not
      # equal the score of any one of the three CVEs listed above
      # (presumably it reflects the most severe of them - confirm).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04");
      # "remote": the plugin is declared as a network-side check; the CPE names
      # upstream OpenSSH, not the Apple build.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
      script_family(english:"Misc.");
    
      # ssh_detect.nasl is declared as a prerequisite; presumably it is what
      # stores the SSH service and banner that the check reads - confirm.
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh", 22);
    
      exit(0);
    }
    
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Banner-based version audit. Everything below works from the SSH banner
    # stored in the knowledge base, so a finding means "the service reports an
    # OpenSSH version older than 4.5", not "the flaw was exercised".
    # NOTE(review): the check is platform-agnostic, while the plugin's own
    # description says CVE-2007-0726 affects only Apple's OpenSSH build. On
    # Mac OS X the fix is delivered as an OS update (see the solution text);
    # whether the banner version changes afterwards is not visible here, so
    # confirm Apple hosts with the local Mac OS X update check.
    port = get_service(svc:'ssh', exit_on_fail:TRUE);
    banner = get_kb_item_or_exit('SSH/banner/'+port);
    
    # Lower-case the banner returned by get_backport_banner() so that the
    # substring test and the version regex are case-insensitive.
    normalized = tolower(get_backport_banner(banner:banner));
    if (!('openssh' >< normalized))
      exit(0, 'The SSH service on port '+port+' is not OpenSSH.');
    
    # `backported` is not assigned in this script (presumably set by
    # get_backport_banner() in backport.inc). When it is set the version number
    # cannot be trusted, so the audit stops with exit code 1 instead of
    # reporting a finding.
    if (backported)
      exit(1, 'The banner from the OpenSSH server on port '+port+' indicates patches may have been backported.');
    
    # Pull the version token that follows "openssh-" / "openssh_".
    ver_match = eregmatch(string:normalized, pattern:'openssh[-_]([0-9][-._0-9a-z]+)');
    if (isnull(ver_match))
      exit(0, 'Could not parse number from version string on port ' + port + '.');
    ssh_version = ver_match[1];
    
    # Affected range: any 0.x-3.x release, or 4.0-4.4 optionally followed by a
    # non-digit suffix or a further dotted component. Everything else is
    # treated as not affected.
    if (ssh_version !~ '^([0-3]\\..*|4\\.[0-4]($|[^\\.0-9]|\\..*))')
      exit(0, 'The OpenSSH server on port '+port+' is not affected as it\'s version '+ssh_version+'.');
    
    if (report_verbosity > 0)
    {
      # Include the raw banner so the analyst can see what the result is based on.
      details =
        '\n  Version source    : ' + banner +
        '\n  Installed version : ' + ssh_version +
        '\n  Fixed version     : 4.5\n';
      security_hole(port:port, extra:details);
    }
    else
    {
      security_hole(port);
    }
    exit(0);
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_4_9.NASL
    description: The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24811
    published: 2007-03-13
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24811
    title: Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Engine compatibility gate: stop silently (exit code 0) when the engine
    # does not provide bn_random() or reports a NASL_LEVEL below 3004. A host
    # scanned by such an engine therefore gets no result from this plugin,
    # which is not the same as "not affected".
    if ( ! defined_func("bn_random") || NASL_LEVEL < 3004 )
    {
      exit(0);
    }
    
    
    include("compat.inc");
    
    # Registration branch: when the engine evaluates the script with
    # `description` set, only plugin metadata is declared here and the script
    # exits (exit(0) at the end of the block) before any check is run.
    if(description)
    {
     script_id(24811);
     script_version ("1.29");
    
     # One OS-level check reports every CVE listed here; the list includes
     # CVE-2007-0726 (the OpenSSH key-regeneration issue) alongside CVEs for
     # the other components named in the description.
     script_cve_id("CVE-2007-0719", "CVE-2007-0467", "CVE-2007-0720", 
                   "CVE-2007-0721", "CVE-2007-0722", "CVE-2006-6061", 
                   "CVE-2006-6062", "CVE-2006-5679", "CVE-2007-0229", 
                   "CVE-2007-0267", "CVE-2007-0299", "CVE-2007-0723", 
                   "CVE-2006-5330", "CVE-2006-0300", "CVE-2006-6097", 
                   "CVE-2007-0318", "CVE-2007-0724", "CVE-2007-1071", 
                   "CVE-2007-0733", "CVE-2006-5836", "CVE-2006-6129", 
                   "CVE-2006-6173", "CVE-2006-1516", "CVE-2006-1517", 
                   "CVE-2006-2753", "CVE-2006-3081", "CVE-2006-4031", 
                   "CVE-2006-4226", "CVE-2006-3469", "CVE-2006-6130", 
                   "CVE-2007-0236", "CVE-2007-0726", "CVE-2006-0225", 
                   "CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5052", 
                   "CVE-2007-0728", "CVE-2007-0588", "CVE-2007-0730", 
                   "CVE-2007-0731", "CVE-2007-0463", "CVE-2005-2959", 
                   "CVE-2006-4829");
     script_bugtraq_id(20982, 21236, 21291, 21349, 22041, 22948);
    
     script_name(english:"Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update which fixes a security
    issue." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X 10.4 which is older than
    version 10.4.9 or a version of Mac OS X 10.3 which does not have 
    Security Update 2007-003 applied.
    
    This update contains several security fixes for the following programs :
    
     - ColorSync
     - CoreGraphics
     - Crash Reporter
     - CUPS
     - Disk Images
     - DS Plugins
     - Flash Player
     - GNU Tar
     - HFS
     - HID Family
     - ImageIO
     - Kernel
     - MySQL server
     - Networking
     - OpenSSH
     - Printing
     - QuickDraw Manager
     - servermgrd
     - SMB File Server
     - Software Update
     - sudo 
     - WebLog" );
     # NOTE(review): the advisory link and the download links in the solution
     # text are plain-http URLs recorded with the plugin; obtain the updates
     # through Apple's current, authenticated update channel rather than
     # relying on these links.
     script_set_attribute(attribute:"see_also", value:"http://docs.info.apple.com/article.html?artnum=305214" );
     script_set_attribute(attribute:"solution", value:
    "Mac OS X 10.4 : Upgrade to Mac OS X 10.4.9 :
    
    http://www.apple.com/support/downloads/macosxserver1049updateppc.html
    http://www.apple.com/support/downloads/macosx1049updateintel.html
    http://www.apple.com/support/downloads/macosxserver1049updateuniversal.html
    
    Mac OS X 10.3 : Apply Security Update 2007-003 :
    
    http://www.apple.com/support/downloads/securityupdate20070031039client.html
    http://www.apple.com/support/downloads/securityupdate20070031039server.html" );
     # A single base/temporal vector and a single "exploit available" flag are
     # declared for the whole bundle, so they need not describe any individual
     # CVE in the list above (presumably the worst case - confirm).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_cwe_id(79, 119, 362, 399);
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/03/13");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/28");
     script_set_attribute(attribute:"patch_publication_date", value: "2007/03/13");
     script_cvs_date("Date: 2018/07/14  1:59:35");
    # "combined": the check reads either the locally collected Mac OS X version
    # or the OS fingerprint, matching the two dependencies declared below.
    script_set_attribute(attribute:"plugin_type", value:"combined");
    script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
    script_end_attributes();
    
     script_summary(english:"Check for the version of Mac OS X");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"MacOS X Local Security Checks");
     # Prerequisites: presumably ssh_get_info.nasl supplies the Host/MacOSX/*
     # entries and os_fingerprint.nasl supplies Host/OS - confirm.
     script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
     exit(0);
    }
    
    
    # Pick the OS string to audit. The locally collected Mac OS X version is
    # preferred over the OS fingerprint.
    os = get_kb_item("Host/MacOSX/Version");
    if ( ! os )
    {
      # Fingerprint fallback: used only when its confidence is above 90.
      # At 90 or below the script stops without reporting, so a missing
      # finding on such a host is "undetermined", not "patched".
      fp_confidence = get_kb_item("Host/OS/Confidence");
      os = get_kb_item("Host/OS");
      if ( fp_confidence <= 90 ) exit(0);
    }
    if ( ! os ) exit(0);
    
    if ( ereg(string:os, pattern:"Mac OS X 10\.4($|\.[1-8]([^0-9]|$))") )
    {
      # 10.4 and 10.4.1 through 10.4.8 are flagged on the version string alone.
      security_hole(0);
    }
    else if ( ereg(string:os, pattern:"Mac OS X 10\.3\.") )
    {
      # 10.3.x is flagged only when a package list is available and it has no
      # line starting with SecUpd2007-003 or SecUpdSrvr2007-003. Without a
      # package list the script exits silently, so 10.3 hosts need collected
      # package data for this check to say anything.
      installed_updates = get_kb_item("Host/MacOSX/packages");
      if ( ! installed_updates ) exit(0);
      if ( ! egrep(string:installed_updates, pattern:"^SecUpd(Srvr)?2007-003") )
      {
        security_hole(0);
      }
    }