#VU45330 Permissions, Privileges, and Access Controls in OpenSSH - CVE-2011-0539

Cybersecurity Help s.r.o.

Published: 2011-02-10 | Updated: 2020-08-11

Vulnerability identifier: #VU45330

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-0539

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSH
Server applications / Remote management servers, RDP, SSH

Vendor: OpenSSH

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSH: 5.6 - 5.7

External links
https://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673
https://secunia.com/advisories/43181
https://secunia.com/advisories/44269
https://www.openssh.com/txt/legacy-cert.adv
https://www.openwall.com/lists/oss-security/2011/02/04/2
https://www.securityfocus.com/bid/46155
https://www.securitytracker.com/id?1025028
https://www.vupen.com/english/advisories/2011/0284
https://exchange.xforce.ibmcloud.com/vulnerabilities/65163

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Permissions, Privileges, and Access Controls in OpenSSH