CVE-2012-0920 - Resource Management Errors vulnerability in multiple products

- Attack vector: NETWORK
- Attack complexity: HIGH
- Privileges required: SINGLE
- Confidentiality impact: COMPLETE
- Integrity impact: COMPLETE
- Availability impact: COMPLETE

Summary
Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | | 5 |
| OS | | 2 |
Common Weakness Enumeration (CWE)
Nessus
- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2012-10934.NASL
- description: Update to 0.55, fix CVE-2012-0920. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-03-17
- modified: 2012-07-30
- plugin id: 60148
- published: 2012-07-30
- reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/60148
- title: Fedora 16 : dropbear-0.55-1.fc16 (2012-10934)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2012-10934.
#

include("compat.inc");

if (description)
{
  script_id(60148);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2012-0920");
  script_bugtraq_id(52159);
  script_xref(name:"FEDORA", value:"2012-10934");

  script_name(english:"Fedora 16 : dropbear-0.55-1.fc16 (2012-10934)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Update to 0.55, fix CVE-2012-0920.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=783776"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=800656"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=800657"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2012-July/084354.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d65f9e10"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected dropbear package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:dropbear");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/07/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/07/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local checks must be enabled and the host must be Fedora 16.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^16([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Flag the host if the installed dropbear package is older than the fixed build.
flag = 0;
if (rpm_check(release:"FC16", reference:"dropbear-0.55-1.fc16")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dropbear");
}
```

- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_EBA70DB4664011E198AF00262D8B701D.NASL
- description: The Dropbear project reports : Dropbear SSH Server could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a use-after-free error. If a command restriction is enforced, an attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 58202
- published: 2012-03-05
- reporter: This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/58202
- title: FreeBSD : dropbear -- arbitrary code execution (eba70db4-6640-11e1-98af-00262d8b701d)

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-201309-20.NASL
- description: The remote host is affected by the vulnerability described in GLSA-201309-20 (Dropbear: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Dropbear. Please review the CVE identifier and Gentoo bug referenced below for details. Impact : A remote attacker could send a specially crafted request to trigger a use-after-free condition, possibly resulting in arbitrary code execution or a Denial of Service condition. Additionally, the bundled version of libtommath has an error in its prime number generation, which could result in the generation of weak keys. Workaround : There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 70160
- published: 2013-09-27
- reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/70160
- title: GLSA-201309-20 : Dropbear: Multiple vulnerabilities

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-2456.NASL
- description: Danny Fullerton discovered a use-after-free in the Dropbear SSH daemon, resulting in potential execution of arbitrary code. Exploitation is limited to users, who have been authenticated through public key authentication and for which command restrictions are in place.
- last seen: 2020-03-17
- modified: 2012-04-25
- plugin id: 58853
- published: 2012-04-25
- reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/58853
- title: Debian DSA-2456-1 : dropbear - use after free

- NASL family: Misc.
- NASL id: DROPBEAR_SSH_55.NASL
- description: According to its self-reported banner, the remote host is running a version of Dropbear SSH before 2012.55. As such, it reportedly contains a flaw that might allow an attacker to run arbitrary code on the remote host with root privileges if they are authenticated using a public key and command restriction is enforced. Note that Nessus has not tried to exploit this vulnerability but instead has relied solely on the version in the service
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 58183
- published: 2012-03-01
- reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/58183
- title: Dropbear SSH Server Channel Concurrency Use-after-free Remote Code Execution

References
- http://matt.ucc.asn.au/dropbear/CHANGES
- http://secunia.com/advisories/48147
- http://secunia.com/advisories/48929
- http://www.debian.org/security/2012/dsa-2456
- http://www.osvdb.org/79590
- http://www.securityfocus.com/bid/52159
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73444
- https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
- https://www.mantor.org/~northox/misc/CVE-2012-0920.html