Vulnerabilities > CVE-2009-2904 - Configuration vulnerability in Openbsd Openssh 4.3/4.8

047910
CVSS 6.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2010-0004.NASL
    descriptiona. vMA and Service Console update for newt to 0.52.2-12.el5_4.1 Newt is a programming library for color text mode, widget based user interfaces. Newt can be used to add stacked windows, entry widgets, checkboxes, radio buttons, labels, plain text fields, scrollbars, etc., to text mode user interfaces. A heap-based buffer overflow flaw was found in the way newt processes content that is to be displayed in a text dialog box. A local attacker could issue a specially crafted text dialog box display request (direct or via a custom application), leading to a denial of service (application crash) or, potentially, arbitrary code execution with the privileges of the user running the application using the newt library. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2905 to this issue. b. vMA and Service Console update for vMA package nfs-utils to 1.0.9-42.el5 The nfs-utils package provides a daemon for the kernel NFS server and related tools. It was discovered that nfs-utils did not use tcp_wrappers correctly. Certain hosts access rules defined in
    last seen2020-06-01
    modified2020-06-02
    plugin id44993
    published2010-03-05
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/44993
    titleVMSA-2010-0004 : ESX Service Console and vMA third-party updates
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2010-0004. 
    # The text itself is copyright (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44993);
      script_version("1.31");
      script_cvs_date("Date: 2018/08/06 14:03:16");
    
      script_cve_id("CVE-2008-3916", "CVE-2008-4316", "CVE-2008-4552", "CVE-2009-0115", "CVE-2009-0590", "CVE-2009-1189", "CVE-2009-1377", "CVE-2009-1378", "CVE-2009-1379", "CVE-2009-1386", "CVE-2009-1387", "CVE-2009-2695", "CVE-2009-2849", "CVE-2009-2904", "CVE-2009-2905", "CVE-2009-2908", "CVE-2009-3228", "CVE-2009-3286", "CVE-2009-3547", "CVE-2009-3560", "CVE-2009-3563", "CVE-2009-3612", "CVE-2009-3613", "CVE-2009-3620", "CVE-2009-3621", "CVE-2009-3720", "CVE-2009-3726", "CVE-2009-4022");
      script_bugtraq_id(30815, 31602, 31823, 34100, 34256, 35001, 35138, 35174, 36304, 36515, 36552, 36639, 36706, 36723, 36824, 36827, 36901, 36936, 37118, 37203, 37255);
      script_xref(name:"VMSA", value:"2010-0004");
    
      script_name(english:"VMSA-2010-0004 : ESX Service Console and vMA third-party updates");
      script_summary(english:"Checks esxupdate output for the patches");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote VMware ESX host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "a. vMA and Service Console update for newt to 0.52.2-12.el5_4.1
    
       Newt is a programming library for color text mode, widget based
       user interfaces. Newt can be used to add stacked windows, entry
       widgets, checkboxes, radio buttons, labels, plain text fields,
       scrollbars, etc., to text mode user interfaces.
    
       A heap-based buffer overflow flaw was found in the way newt
       processes content that is to be displayed in a text dialog box.
       A local attacker could issue a specially crafted text dialog box
       display request (direct or via a custom application), leading to a
       denial of service (application crash) or, potentially, arbitrary
       code execution with the privileges of the user running the
       application using the newt library.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-2905 to this issue.
    
    b. vMA and Service Console update for vMA package nfs-utils to
       1.0.9-42.el5
    
       The nfs-utils package provides a daemon for the kernel NFS server
       and related tools.
    
       It was discovered that nfs-utils did not use tcp_wrappers
       correctly.  Certain hosts access rules defined in '/etc/hosts.allow'
       and '/etc/hosts.deny' may not have been honored, possibly allowing
       remote attackers to bypass intended access restrictions.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2008-4552 to this issue.
    
    c. vMA and Service Console package glib2 updated to 2.12.3-4.el5_3.1
    
       GLib is the low-level core library that forms the basis for
       projects such as GTK+ and GNOME. It provides data structure
       handling for C, portability wrappers, and interfaces for such
       runtime functionality as an event loop, threads, dynamic loading,
       and an object system.
    
       Multiple integer overflows in glib/gbase64.c in GLib before 2.20
       allow context-dependent attackers to execute arbitrary code via a
       long string that is converted either from or to a base64
       representation.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2008-4316 to this issue.
    
    d. vMA and Service Console update for openssl to 0.9.8e-12.el5
    
       SSL is a toolkit implementing SSL v2/v3 and TLS protocols with full-
       strength cryptography world-wide.
    
       Multiple denial of service flaws were discovered in OpenSSL's DTLS
       implementation. A remote attacker could use these flaws to cause a
       DTLS server to use excessive amounts of memory, or crash on an
       invalid memory access or NULL pointer dereference.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the names CVE-2009-1377, CVE-2009-1378,
       CVE-2009-1379, CVE-2009-1386, CVE-2009-1387 to these issues.
    
       An input validation flaw was found in the handling of the BMPString
       and UniversalString ASN1 string types in OpenSSL's
       ASN1_STRING_print_ex() function. An attacker could use this flaw to
       create a specially crafted X.509 certificate that could cause
       applications using the affected function to crash when printing
       certificate contents.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-0590 to this issue.
    
    e. vMA and Service Console package bind updated to 9.3.6-4.P1.el5_4.1
    
       It was discovered that BIND was incorrectly caching responses
       without performing proper DNSSEC validation, when those responses
       were received during the resolution of a recursive client query
       that requested DNSSEC records but indicated that checking should be
       disabled. A remote attacker could use this flaw to bypass the DNSSEC
       validation check and perform a cache poisoning attack if the target
       BIND server was receiving such client queries.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-4022 to this issue.
    
    f. vMA and Service Console package expat updated to 1.95.8-8.3.el5_4.2.
    
       Two buffer over-read flaws were found in the way Expat handled
       malformed UTF-8 sequences when processing XML files. A specially-
       crafted XML file could cause applications using Expat to fail while
       parsing the file.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the names CVE-2009-3560 and CVE-2009-3720 to these
       issues.
    
    g. vMA and Service Console package openssh update to 4.3p2-36.el5_4.2
    
       A Red Hat specific patch used in the openssh packages as shipped in
       Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain
       ownership requirements for directories used as arguments for the
       ChrootDirectory configuration options. A malicious user that also
       has or previously had non-chroot shell access to a system could
       possibly use this flaw to escalate their privileges and run
       commands as any system user.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-2904 to this issue.
    
    h. vMA and Service Console package ntp updated to
       ntp-4.2.2p1-9.el5_4.1.i386.rpm
    
       A flaw was discovered in the way ntpd handled certain malformed NTP
       packets. ntpd logged information about all such packets and replied
       with an NTP packet that was treated as malformed when received by
       another ntpd. A remote attacker could use this flaw to create an NTP
       packet reply loop between two ntpd servers through a malformed packet
       with a spoofed source IP address and port, causing ntpd on those
       servers to use excessive amounts of CPU time and fill disk space with
       log messages.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-3563 to this issue.   
    
    i. vMA update for package kernel to 2.6.18-164.9.1.el5
    
       Updated vMA package kernel addresses the security issues listed
       below.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2009-2849 to the security issue fixed in
       kernel 2.6.18-128.2.1
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,
       CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues
       fixed in kernel 2.6.18-128.6.1
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,
       CVE-2009-3726 to the security issues fixed in kernel
       2.6.18-128.9.1
    
    j. vMA 4.0 updates for the packages kpartx, libvolume-id,
       device-mapper-multipath, fipscheck, dbus, dbus-libs, and ed
    
       kpartx updated to 0.4.7-23.el5_3.4, libvolume-id updated to
       095-14.20.el5 device-mapper-multipath package updated to
       0.4.7-23.el5_3.4, fipscheck updated to 1.0.3-1.el5, dbus
       updated to 1.1.2-12.el5, dbus-libs updated to 1.1.2-12.el5,
       and ed package updated to 0.2-39.el5_2.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the names CVE-2008-3916, CVE-2009-1189 and
       CVE-2009-0115 to these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2010/000104.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(16, 20, 119, 189, 200, 264, 362, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/03/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    init_esx_check(date:"2010-03-03");
    flag = 0;
    
    
    if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201006407-SG")) flag++;
    if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201008406-SG")) flag++;
    
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201002404-SG",
        patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201002406-SG",
        patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201002407-SG",
        patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201005403-SG",
        patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201005404-SG",
        patch_updates : make_list("ESX400-201404402-SG", "ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idOPENSSH_RHEL_43.NASL
    descriptionAccording to its banner, the version of OpenSSH running on the remote host may have a privilege escalation vulnerability. OpenSSH on Red Hat Enterprise Linux 5, Fedora 11, and possibly other platforms use an insecure implementation of the
    last seen2020-06-01
    modified2020-06-02
    plugin id17706
    published2011-11-18
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17706
    titleRed Hat Enterprise Linux OpenSSH ChrootDirectory Local Privilege Escalation
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(17706);
      script_version("1.6");
      script_cvs_date("Date: 2018/07/16 14:09:13");
    
      script_cve_id("CVE-2009-2904");
      script_bugtraq_id(36552);
      script_xref(name:"RHSA", value:"2009:1470");
    
      script_name(english:"Red Hat Enterprise Linux OpenSSH ChrootDirectory Local Privilege Escalation");
      script_summary(english:"Checks OpenSSH banner");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The SSH server running on the remote host has a privilege escalation
    vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "According to its banner, the version of OpenSSH running on the remote
    host may have a privilege escalation vulnerability.  OpenSSH on Red
    Hat Enterprise Linux 5, Fedora 11, and possibly other platforms use an
    insecure implementation of the 'ChrootDirectory' configuration
    setting, which could allow privilege escalation.  Upstream OpenSSH is
    not affected. 
    
    The fix for this issue does not change the version in the OpenSSH
    banner, so this may be a false positive."
      );
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=522141");
      script_set_attribute(
        attribute:"solution",
        value:
    "Apply the appropriate patch listed in Red Hat security advisory
    RHSA-2009:1470-1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
     script_cwe_id(16);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/09/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/18");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_keys("Settings/PCI_DSS");
      script_require_ports("Services/ssh");
    
      exit(0);
    }
    
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", exit_on_fail:TRUE);
    
    # Only RHEL and FC packages are affected
    if (!get_kb_item("Settings/PCI_DSS")) exit(0, "PCI-DSS compliance checking is not enabled.");
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/"+port);
    bp_banner = tolower(get_backport_banner(banner:banner));
    if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
    if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");
    
    # Check the version in the backported banner.
    match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)");
    if (isnull(match)) exit(1, "Could not parse the version string in the banner from port "+port+".");
    version = match[1];
    
    match = eregmatch(string:version, pattern:'^([0-9.]+)');
    if (isnull(match)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway
      exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');
    
    ver = match[1];
    
    if (ver == '4.3')
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + version + '\n';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else exit(0, "The OpenSSH version "+version+" server listening on port "+port+" is not affected.");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2010-5429.NASL
    descriptionRollback chroot patch Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id47388
    published2010-07-01
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/47388
    titleFedora 11 : openssh-5.2p1-6.fc11 (2010-5429)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2010-0004_REMOTE.NASL
    descriptionThe remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries : - bind - expat - glib2 - Kernel - newt - nfs-utils - NTP - OpenSSH - OpenSSL
    last seen2020-06-01
    modified2020-06-02
    plugin id89737
    published2016-03-08
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89737
    titleVMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2010-0004) (remote check)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2009-1470.NASL
    descriptionUpdated openssh packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id43797
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43797
    titleCentOS 5 : openssh (CESA-2009:1470)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL15156.NASL
    descriptionA certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership. (CVE-2009-2904)
    last seen2020-06-01
    modified2020-06-02
    plugin id78162
    published2014-10-10
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78162
    titleF5 Networks BIG-IP : OpenSSH vulnerability (SOL15156)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20090930_OPENSSH_ON_SL5_X.NASL
    descriptionA Red Hat specific patch used in the openssh packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership requirements for directories used as arguments for the ChrootDirectory configuration options. A malicious user that also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. (CVE-2009-2904) After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id60671
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60671
    titleScientific Linux Security Update : openssh on SL5.x i386/x86_64
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2009-1470.NASL
    descriptionFrom Red Hat Security Advisory 2009:1470 : Updated openssh packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id67933
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67933
    titleOracle Linux 5 : openssh (ELSA-2009-1470)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-1470.NASL
    descriptionUpdated openssh packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id41951
    published2009-10-01
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/41951
    titleRHEL 5 : openssh (RHSA-2009:1470)

Oval

accepted2013-04-29T04:22:51.644-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionA certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
familyunix
idoval:org.mitre.oval:def:9862
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleA certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
version18

Redhat

advisories
bugzilla
id522141
titleCVE-2009-2904 openssh: possible privilege escalation when using ChrootDirectory setting
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • commentopenssh-server is earlier than 0:4.3p2-36.el5_4.2
          ovaloval:com.redhat.rhsa:tst:20091470001
        • commentopenssh-server is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070540006
      • AND
        • commentopenssh-askpass is earlier than 0:4.3p2-36.el5_4.2
          ovaloval:com.redhat.rhsa:tst:20091470003
        • commentopenssh-askpass is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070540002
      • AND
        • commentopenssh-clients is earlier than 0:4.3p2-36.el5_4.2
          ovaloval:com.redhat.rhsa:tst:20091470005
        • commentopenssh-clients is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070540004
      • AND
        • commentopenssh is earlier than 0:4.3p2-36.el5_4.2
          ovaloval:com.redhat.rhsa:tst:20091470007
        • commentopenssh is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070540008
rhsa
idRHSA-2009:1470
released2009-09-30
severityModerate
titleRHSA-2009:1470: openssh security update (Moderate)
rpms
  • openssh-0:4.3p2-36.el5_4.2
  • openssh-askpass-0:4.3p2-36.el5_4.2
  • openssh-clients-0:4.3p2-36.el5_4.2
  • openssh-debuginfo-0:4.3p2-36.el5_4.2
  • openssh-server-0:4.3p2-36.el5_4.2