Permissions, Privileges, and Access Controls in OpenSSH



Risk: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2008-1483
CWE-ID: CWE-264
Exploitation vector: Local
Public exploit: N/A
Vulnerable software: OpenSSH (Server applications / Remote management servers, RDP, SSH)
Vendor: OpenSSH

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU103988

Risk: Medium

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2008-1483

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions. A local user can hijack forwarded X connections by causing ssh to set DISPLAY to :10 even when another process is already listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
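
A detection check for the condition described above, as an added example that is not part of the original bulletin or of OpenSSH: it maps a DISPLAY value to its TCP port (6000 plus the display number) and reports any listener on that port that is not owned by sshd. The `ss` output is constructed sample data, and the process name `otherproc` and all function names are hypothetical.

```python
import re

X11_BASE_PORT = 6000  # X display N is reachable on TCP port 6000 + N

# Constructed sample in the format of `ss -Htlnp` (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 5 0.0.0.0:6010 0.0.0.0:* users:(("otherproc",pid=4242,fd=4))
LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=3977,fd=9))
LISTEN 0 128 127.0.0.1:6011 0.0.0.0:* users:(("sshd",pid=4100,fd=9))
LISTEN 0 128 [::1]:6011 [::]:* users:(("sshd",pid=4100,fd=8))
"""

OWNER_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def display_to_port(display):
    """Map a DISPLAY value such as 'localhost:10.0' or ':10' to its TCP port."""
    _host, sep, tail = display.rpartition(":")
    number = tail.split(".")[0]  # drop the optional screen suffix (".0")
    if not sep or not number.isdigit():
        raise ValueError(f"unparseable DISPLAY: {display!r}")
    return X11_BASE_PORT + int(number)


def listeners(ss_output):
    """Yield (address, port, process, pid) for every listening TCP socket."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Without enough privilege ss omits the owner; report it as unknown.
        for proc, pid in OWNER_RE.findall(line) or [("unknown", "0")]:
            yield addr, int(port), proc, int(pid)


def foreign_listeners(display, ss_output, trusted=("sshd",)):
    """Return listeners on the display's port whose owner is not trusted."""
    port = display_to_port(display)
    return [entry for entry in listeners(ss_output)
            if entry[1] == port and entry[2] not in trusted]


if __name__ == "__main__":
    for addr, port, proc, pid in foreign_listeners("localhost:10.0", SAMPLE_SS):
        print(f"port {port} on {addr} is held by {proc} (pid {pid}), not sshd")
```

On a live host the input would come from `ss -Htlnp`, run with enough privilege to see the owning process of sockets that belong to other users.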

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenSSH: 4.3p2



Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


