SecurityTracker.com
Category:   Application (Security)  >   OpenSSH
Vendors:   OpenSSH.org
(IBM Issues Fix) OpenSSH Unsafe Default Configuration May Let Local Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1020086
SecurityTracker URL:  http://securitytracker.com/id/1020086
CVE Reference:   CVE-2008-1657
Date:  May 22 2008
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in OpenSSH. A local user may be able to bypass security restrictions to execute arbitrary commands.

In the default configuration, a local user with write privileges to the '~/.ssh/rc' file can modify the file and cause sshd to execute commands in the file even if an sshd_config(5) ForceCommand directive is in effect.

This behavior is documented but considered by the vendor to be an unsafe default.
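
The condition described above can be looked for on a host with a short audit. The script below is an added example, not part of the SecurityTracker alert or the IBM advisory: it reports every existing '~/.ssh/rc' file when sshd_config contains an active ForceCommand directive. The function names, fixture paths and the forced command are constructed for illustration, and the check does not evaluate which accounts a Match block applies to.

```shell
#!/bin/sh
# Added example: flag ~/.ssh/rc files on a host where ForceCommand is in use.
# All names and paths below are constructed for illustration.

# forcecommand_set <sshd_config>: succeed if an uncommented ForceCommand
# directive appears in the file (sshd_config keywords are case-insensitive).
forcecommand_set() {
    grep -Eiq '^[[:space:]]*ForceCommand([[:space:]]|=)' "$1"
}

# rc_files <home>...: print the path of each existing <home>/.ssh/rc.
rc_files() {
    for home in "$@"; do
        [ -f "$home/.ssh/rc" ] && printf '%s\n' "$home/.ssh/rc"
    done
    return 0
}

# audit <sshd_config> <home>...: returns 1 and prints one REVIEW line per
# rc file when ForceCommand is set and rc files exist; returns 0 otherwise.
audit() {
    cfg=$1; shift
    forcecommand_set "$cfg" || { echo "no ForceCommand in $cfg"; return 0; }
    found=$(rc_files "$@")
    [ -z "$found" ] && { echo "ForceCommand set; no ~/.ssh/rc files"; return 0; }
    printf '%s\n' "$found" | sed 's/^/REVIEW: /'
    return 1
}

# Constructed fixture: alice is restricted and has an rc file, bob has none.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh"
    printf 'Match User alice\n    ForceCommand /usr/local/bin/menu\n' > "$d/sshd_config"
    printf 'echo constructed rc > /dev/null\n' > "$d/home/alice/.ssh/rc"
    rc=0; audit "$d/sshd_config" "$d/home/alice" "$d/home/bob" || rc=$?
    rm -rf "$d"
    return $rc
}

demo || true
```

An account that can write to its own '~/.ssh' directory can create the file later, so a clean result only describes the host at the time of the check.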

Impact:   A local user may be able to execute arbitrary commands.
Solution:   IBM has issued the following fixes.

AIX 5.2:

http://downloads.sourceforge.net/openssh-aix/openssh-4.7_5201.tar.Z

AIX 5.3:

http://downloads.sourceforge.net/openssh-aix/openssh-4.7_5301.tar.Z

AIX 6.1:

http://downloads.sourceforge.net/openssh-aix/openssh-4.7_5301aix61.tar.Z

Vendor URL:  www.openssh.org/
Cause:   Configuration error
Underlying OS:   UNIX (AIX)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 31 2008 OpenSSH Unsafe Default Configuration May Let Local Users Execute Arbitrary Commands



 Source Message Contents

Date:  Wed, 21 May 2008 20:18:39 -0400
Subject:  IBM AIX



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Wed May 21 11:27:51 CDT 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:   AIX OpenSSH multiple vulnerabilities

PLATFORMS:       AIX 5.2, 5.3, 6.1

SOLUTION:        Apply the fix as described below.

THREAT:          See below

CERT VU Number:  n/a
CVE Numbers:     CVE-2008-1657 CVE-2008-1483    
===============================================================================
                           DETAILED INFORMATION

I. DESCRIPTION

    CVE-2008-1483:
    OpenSSH 4.3p2, and probably other versions, allows local users to
    hijack forwarded X connections by causing ssh to set DISPLAY to
    :10, even when another process is listening on the associated
    port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing
    a cookie sent by Emacs.

    CVE-2008-1657:
    OpenSSH before 4.9 allows remote authenticated users to bypass the
    sshd_config ForceCommand directive by modifying the .ssh/rc
    session file.

II. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L openssh.base.server

    The following fileset levels are vulnerable:

    AIX 6.1: all versions less than 4.7.0.5301
    AIX 5.3: all versions less than 4.7.0.5301
    AIX 5.2: all versions less than 4.7.0.5201

III. FIXES

    A fix is available, and it can be downloaded from:

    AIX 5.2:
    http://downloads.sourceforge.net/openssh-aix/openssh-4.7_5201.tar.Z
    AIX 5.3:
    http://downloads.sourceforge.net/openssh-aix/openssh-4.7_5301.tar.Z
    AIX 6.1:
    http://downloads.sourceforge.net/openssh-aix/openssh-4.7_5301aix61.tar.Z

IV. WORKAROUNDS

    There are no workarounds.

V. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xADA6EB4D

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFINFL9P9Qud62m600RAs7LAJ900av+ZmOGM4nmecQ2K8ka4UI7TQCfTIcj
VyhoKJrbwhRpVAuM7t2OGR8=
=Q3YI
-----END PGP SIGNATURE-----
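
The assessment in section II of the advisory above can be scripted. The following is an added example, not part of the IBM advisory or the SecurityTracker alert: it reads `lslpp -L openssh.base.server` output and compares the fileset level with the fixed levels the advisory lists. The function names and the sample output are constructed, and the parser assumes the fileset name is the first column and the level the second.

```shell
#!/bin/sh
# Added example: compare the installed openssh.base.server level with the
# fixed levels from section II of the advisory. Names are illustrative.

# fixed_level <aix_release>: first non-vulnerable level per the advisory.
fixed_level() {
    case "$1" in
        5.2)     echo 4.7.0.5201 ;;
        5.3|6.1) echo 4.7.0.5301 ;;
        *)       return 1 ;;
    esac
}

# level_lt A B: succeed if dotted level A is numerically lower than B.
level_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# installed_level: print the Level column of the fileset row read on stdin.
installed_level() {
    awk '$1 == "openssh.base.server" { print $2; exit }'
}

# assess <aix_release>: read lslpp output on stdin and print a verdict.
assess() {
    fixed=$(fixed_level "$1") || { echo "unknown release $1"; return 2; }
    level=$(installed_level)
    [ -n "$level" ] || { echo "not-installed"; return 0; }
    if level_lt "$level" "$fixed"; then echo "vulnerable $level < $fixed"
    else echo "fixed $level"; fi
}

# Constructed sample of lslpp -L output (not captured from a real system).
SAMPLE='  Fileset                      Level  State  Type  Description
  ----------------------------------------------------------------------
  openssh.base.server      4.5.0.5301    C     F    Open Secure Shell Server'

# On AIX: lslpp -L openssh.base.server | assess "$(oslevel | cut -d. -f1,2)"
printf '%s\n' "$SAMPLE" | assess 5.3
```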

Copyright 2012, SecurityGlobal.net LLC