Executive Summary

Summary
Title scponly: Multiple vulnerabilities
Informations
Name GLSA-200802-06 First vendor Publication 2008-02-12
Vendor Gentoo Last vendor Modification 2008-02-12
Severity (Vendor) Normal Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Cvss Base Score 8.5 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 6.8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities in scponly allow authenticated users to bypass security restrictions.

Background

scponly is a shell for restricting user access to file transfer only using sftp and scp.

Description

Florian Weimer from Debian discovered that scponly does not filter the
- -o and -F options to the scp executable (CVE-2007-6415). Joachim Breitner reported that Subversion and rsync support invokes subcommands in an insecure manner (CVE-2007-6350).

Impact

A local attacker could exploit these vulnerabilities to elevate privileges and execute arbitrary commands on the vulnerable host.

Workaround

There is no known workaround at this time.

Resolution

All scponly users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/scponly-4.8"

Due to the design of scponly's Subversion support, security restrictions can still be circumvented. Please read carefully the SECURITY file included in the package.

References

[ 1 ] CVE-2007-6350 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6350
[ 2 ] CVE-2007-6415 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6415

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200802-06.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200802-06.xml

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-264 Permissions, Privileges, and Access Controls
50 % CWE-94 Failure to Control Generation of Code ('Code Injection')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18701
 
Oval ID: oval:org.mitre.oval:def:18701
Title: DSA-1473-1 scponly - arbitrary code execution
Description: Joachim Breitner discovered that Subversion support in scponly is inherently insecure, allowing execution of arbitrary commands. Further investigation showed that rsync and Unison support suffer from similar issues. This set of issues has been assigned <a href="http://security-tracker.debian.org/tracker/CVE-2007-6350">CVE-2007-6350</a>.
Family: unix Class: patch
Reference(s): DSA-1473-1
CVE-2007-6350
CVE-2007-6415
 Version: 7
Platform(s): Debian GNU/Linux 4.0
 Product(s): scponly
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7732
 
Oval ID: oval:org.mitre.oval:def:7732
Title: DSA-1473 scponly -- design flaw
Description: Joachim Breitner discovered that Subversion support in scponly is inherently insecure, allowing execution of arbitrary commands. Further investigation showed that rsync and Unison support suffer from similar issues. This set of issues has been assigned CVE-2007-6350. In addition, it was discovered that it was possible to invoke scp with certain options that may lead to the execution of arbitrary commands (CVE-2007-6415). This update removes Subversion, rsync and Unison support from the scponly package, and prevents scp from being invoked with the dangerous options.
Family: unix Class: patch
Reference(s): DSA-1473
CVE-2007-6350
CVE-2007-6415
 Version: 3
Platform(s): Debian GNU/Linux 4.0
Debian GNU/Linux 3.1
 Product(s): scponly
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 21
Os 2

OpenVAS Exploits

Date Description
2009-02-16 Name : Fedora Update for scponly FEDORA-2008-1728
File : nvt/gb_fedora_2008_1728_scponly_fc7.nasl
2009-02-16 Name : Fedora Update for scponly FEDORA-2008-1743
File : nvt/gb_fedora_2008_1743_scponly_fc8.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200802-06 (scponly)
File : nvt/glsa_200802_06.nasl
2008-01-31 Name : Debian Security Advisory DSA 1473-1 (scponly)
File : nvt/deb_1473_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
44137 scponly Multiple Subcommands Crafted Subversion (SVN) Repository Restriction ...
42843 scponly -Fo Restricted Shell Bypass Arbitrary Code Execution

Nessus® Vulnerability Scanner

Date Description
2008-02-18 Name : The remote Fedora host is missing a security update.
File : fedora_2008-1728.nasl - Type : ACT_GATHER_INFO
2008-02-18 Name : The remote Fedora host is missing a security update.
File : fedora_2008-1743.nasl - Type : ACT_GATHER_INFO
2008-02-14 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200802-06.nasl - Type : ACT_GATHER_INFO
2008-01-27 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1473.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:35:33
  • Multiple Updates