DSA-1576

Executive Summary

Summary
Title	New openssh packages fix predictable randomness

Informations
Name	DSA-1576	First vendor Publication	2008-05-14
Vendor	Debian	Last vendor Modification	2008-05-16
Severity (Vendor)	N/A	Revision	2

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Cvss Base Score	7.8	Attack Range	Network
Cvss Impact Score	6.9	Attack Complexity	Low
Cvss Expoit Score	10	Authentification	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Matt Zimmerman discovered that entries in ~/.ssh/authorized_keys with options (such as "no-port-forwarding" or forced commands) were ignored by the new ssh-vulnkey tool introduced in openssh 1:4.3p2-9etch1 (see DSA 1576-1). This could cause some compromised keys not to be listed in ssh-vulnkey's output.

This update also adds more information to ssh-vulnkey's manual page.

For the stable distribution (etch), this problem has been fixed in version 1:4.3p2-9etch2

We recommend that you upgrade your openssh (1:4.3p2-9etch2) package.

Original Source

Url : http://www.debian.org/security/2008/dsa-1576

CAPEC : Common Attack Pattern Enumeration & Classification

id	Name
CAPEC-59	Session Credential Falsification through Prediction
CAPEC-112	Brute Force
CAPEC-281	Analytic Attacks

CWE : Common Weakness Enumeration

id	Name
CWE-330	Use of Insufficiently Random Values
CWE-310	Cryptographic Issues
CWE-264	Permissions, Privileges, and Access Controls
CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5599

Oval ID:	oval:org.mitre.oval:def:5599
Title:	HP-UX Running HP Secure Shell, Remotely Gain Extended Privileges
Description:	ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2007-4752	Version:	1
Platform(s):	HP-UX 11	Product(s):
Definition Synopsis:
Criteria meets HP Security Bulletin HPSBUX02287 HP Release B.11.11 AND Secure_Shell.SECURE_SHELL version is less than A.04.70.003 OR Criteria meets HP Security Bulletin HPSBUX02287 HP Release B.11.23 AND Secure_Shell.SECURE_SHELL version is less than A.04.70.004 OR Criteria meets HP Security Bulletin HPSBUX02287 HP-UX B.11.31 AND Secure_Shell.SECURE_SHELL version is less than A.04.70.005

Definition Id: oval:org.mitre.oval:def:10809

Oval ID:	oval:org.mitre.oval:def:10809
Title:	ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
Description:	ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2007-4752	Version:	5
Platform(s):	Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section openssh is earlier than 0:3.9p1-11.el4_7 AND openssh-askpass is earlier than 0:3.9p1-11.el4_7 AND openssh-server is earlier than 0:3.9p1-11.el4_7 AND openssh-clients is earlier than 0:3.9p1-11.el4_7 AND openssh-askpass-gnome is earlier than 0:3.9p1-11.el4_7 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section openssh is earlier than 0:4.3p2-26.el5_2.1 AND openssh-askpass is earlier than 0:4.3p2-26.el5_2.1 AND openssh-server is earlier than 0:4.3p2-26.el5_2.1 AND openssh-clients is earlier than 0:4.3p2-26.el5_2.1

Definition Id: oval:org.mitre.oval:def:6085

Oval ID:	oval:org.mitre.oval:def:6085
Title:	Security Vulnerability in Solaris SSH May Allow Unauthorized Access to X11 Sessions
Description:	OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2008-1483	Version:	1
Platform(s):	Sun Solaris 9 Sun Solaris 10	Product(s):
Definition Synopsis:
Software Section Solaris 9 (SPARC) meets Sun Alert 237444 Solaris 9 (SPARC) is installed AND NOT Patch 114356-14 or later installed AND X11Forwarding is enabled OR Solaris 9 (x86) meets Sun Alert 237444 Solaris 9 (x86) is installed AND NOT Patch 114357-13 or later installed AND X11Forwarding is enabled OR Solaris 10 (SPARC) meets Sun Alert 237444 Solaris 10 (SPARC) is installed AND NOT Patch 126133-03 or later installed AND NOT X11Forwarding is not enabled OR Solaris 10 (x86) meets Sun Alert 237444 Solaris 10 (x86) is installed AND NOT Patch 126134-03 or later installed AND NOT X11Forwarding is not enabled AND Configuration Section sshd running

CPE : Common Platform Enumeration

Type	Description	Count
Application	Openssh Openssh cpe:/a:openssh:openssh:4.6 cpe:/a:openssh:openssh:4.3p2	2
Application	Openssl Project Openssl cpe:/a:openssl_project:openssl:0.9.8g-9 cpe:/a:openssl_project:openssl:0.9.8g-8 cpe:/a:openssl_project:openssl:0.9.8g-7 cpe:/a:openssl_project:openssl:0.9.8g-6 cpe:/a:openssl_project:openssl:0.9.8g-5 cpe:/a:openssl_project:openssl:0.9.8g-4 cpe:/a:openssl_project:openssl:0.9.8g-3 cpe:/a:openssl_project:openssl:0.9.8g-2 cpe:/a:openssl_project:openssl:0.9.8g-1 cpe:/a:openssl_project:openssl:0.9.8f-9 cpe:/a:openssl_project:openssl:0.9.8f-8 cpe:/a:openssl_project:openssl:0.9.8f-7 cpe:/a:openssl_project:openssl:0.9.8f-6 cpe:/a:openssl_project:openssl:0.9.8f-5 cpe:/a:openssl_project:openssl:0.9.8f-4 cpe:/a:openssl_project:openssl:0.9.8f-3 cpe:/a:openssl_project:openssl:0.9.8f-2 cpe:/a:openssl_project:openssl:0.9.8f-1 cpe:/a:openssl_project:openssl:0.9.8e-9 cpe:/a:openssl_project:openssl:0.9.8e-8 cpe:/a:openssl_project:openssl:0.9.8e-7 cpe:/a:openssl_project:openssl:0.9.8e-6 cpe:/a:openssl_project:openssl:0.9.8e-5 cpe:/a:openssl_project:openssl:0.9.8e-4 cpe:/a:openssl_project:openssl:0.9.8e-3 cpe:/a:openssl_project:openssl:0.9.8e-2 cpe:/a:openssl_project:openssl:0.9.8e-1 cpe:/a:openssl_project:openssl:0.9.8d-9 cpe:/a:openssl_project:openssl:0.9.8d-8 cpe:/a:openssl_project:openssl:0.9.8d-7 cpe:/a:openssl_project:openssl:0.9.8d-6 cpe:/a:openssl_project:openssl:0.9.8d-5 cpe:/a:openssl_project:openssl:0.9.8d-4 cpe:/a:openssl_project:openssl:0.9.8d-3 cpe:/a:openssl_project:openssl:0.9.8d-2 cpe:/a:openssl_project:openssl:0.9.8d-1 cpe:/a:openssl_project:openssl:0.9.8c-9 cpe:/a:openssl_project:openssl:0.9.8c-8 cpe:/a:openssl_project:openssl:0.9.8c-7 cpe:/a:openssl_project:openssl:0.9.8c-6 cpe:/a:openssl_project:openssl:0.9.8c-5 cpe:/a:openssl_project:openssl:0.9.8c-4 cpe:/a:openssl_project:openssl:0.9.8c-3 cpe:/a:openssl_project:openssl:0.9.8c-2 cpe:/a:openssl_project:openssl:0.9.8c-1	45

Open Source Vulnerability Database (OSVDB)

id	Description
45503	Ubuntu Linux ssh-vulnkey authorized_keys Unspecified Options Key Guessing Wea...
45029	OpenSSL on Debian/Ubuntu Linux Predictable Random Number Generator (RNG) Cryp...
43745	OpenSSH X11 Forwarding Local Session Hijacking
43371	OpenSSH Trusted X11 Cookie Connection Policy Bypass