Permissions, Privileges, and Access Controls in OpenSSH

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU45330

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-0539

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenSSH: 5.6 - 5.7

CPE2.3

• cpe:2.3:a:openssh:openssh:5.6:*:*:*:*:*:*:*
• cpe:2.3:a:openssh:openssh:5.7:*:*:*:*:*:*:*

External links

https://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673
https://secunia.com/advisories/43181
https://secunia.com/advisories/44269
https://www.openssh.com/txt/legacy-cert.adv
https://www.openwall.com/lists/oss-security/2011/02/04/2
https://www.securityfocus.com/bid/46155
https://www.securitytracker.com/id?1025028
https://www.vupen.com/english/advisories/2011/0284
https://exchange.xforce.ibmcloud.com/vulnerabilities/65163

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.