Vulnerability identifier: #VU103988
Vulnerability risk: Medium
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID: CWE-264
Exploitation vector: Local
Exploit availability: No
Vulnerable software: OpenSSH
Category: Server applications / Remote management servers, RDP, SSH
Vendor: OpenSSH
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists because the application does not properly impose security restrictions. A local user can hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
OpenSSH: 4.3p2
External links
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-005.txt.asc
https://aix.software.ibm.com/aix/efixes/security/ssh_advisory.asc
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
https://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01462841
https://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html
https://lists.opensuse.org/opensuse-security-announce/2008-04/msg00007.html
https://secunia.com/advisories/29522
https://secunia.com/advisories/29537
https://secunia.com/advisories/29554
https://secunia.com/advisories/29626
https://secunia.com/advisories/29676
https://secunia.com/advisories/29683
https://secunia.com/advisories/29686
https://secunia.com/advisories/29721
https://secunia.com/advisories/29735
https://secunia.com/advisories/29873
https://secunia.com/advisories/29939
https://secunia.com/advisories/30086
https://secunia.com/advisories/30230
https://secunia.com/advisories/30249
https://secunia.com/advisories/30347
https://secunia.com/advisories/30361
https://secunia.com/advisories/31531
https://secunia.com/advisories/31882
https://security.FreeBSD.org/advisories/FreeBSD-SA-08:05.openssh.asc
https://sourceforge.net/project/shownotes.php?release_id=590180&group_id=69227
https://sunsolve.sun.com/search/document.do?assetkey=1-26-237444-1
https://sunsolve.sun.com/search/document.do?assetkey=1-77-1019235.1-1
https://support.attachmate.com/techdocs/2374.html
https://support.avaya.com/elmodocs2/security/ASA-2008-205.htm
https://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2008-1483
https://wiki.rpath.com/wiki/Advisories:rPSA-2008-0120
https://www.debian.org/security/2008/dsa-1576
https://www.gentoo.org/security/en/glsa/glsa-200804-03.xml
https://www.globus.org/mail_archive/security-announce/2008/04/msg00000.html
https://www.mandriva.com/security/advisories?name=MDVSA-2008:078
https://www.securityfocus.com/archive/1/490054/100/0/threaded
https://www.securityfocus.com/bid/28444
https://www.securitytracker.com/id?1019707
https://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.540188
https://www.us-cert.gov/cas/techalerts/TA08-260A.html
https://www.vupen.com/english/advisories/2008/0994/references
https://www.vupen.com/english/advisories/2008/1123/references
https://www.vupen.com/english/advisories/2008/1124/references
https://www.vupen.com/english/advisories/2008/1448/references
https://www.vupen.com/english/advisories/2008/1526/references
https://www.vupen.com/english/advisories/2008/1624/references
https://www.vupen.com/english/advisories/2008/1630/references
https://www.vupen.com/english/advisories/2008/2396
https://www.vupen.com/english/advisories/2008/2584
https://exchange.xforce.ibmcloud.com/vulnerabilities/41438
https://issues.rpath.com/browse/RPL-2397
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6085
https://usn.ubuntu.com/597-1/
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.