#VU93515 Race condition in OpenSSH - CVE-2006-5051
Vulnerability identifier: #VU93515
Vulnerability risk: Critical
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]
CVE-ID: CVE-2006-5051
CWE-ID:
CWE-362
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
OpenSSH
Server applications /
Remote management servers, RDP, SSH
Vendor: OpenSSH
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a race condition in sshd when GSSAPI authentication is enabled. A remote attacker can send specially crafted requests to the daemon, trigger a race condition and execute arbitrary code on the system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
OpenSSH: before 4.4p1
External links
https:httpftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:22.openssh.asc
https://www.redhat.com/support/errata/RHSA-2006-0698.html
https://www.redhat.com/support/errata/RHSA-2006-0697.html
https://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566
https://www.ubuntu.com/usn/usn-355-1
https://www.securityfocus.com/bid/20241
https://securitytracker.com/id?1016940
https://secunia.com/advisories/22158
https://secunia.com/advisories/22173
https://secunia.com/advisories/22183
https://secunia.com/advisories/22196
https://secunia.com/advisories/22236
https://lists.freebsd.org/pipermail/freebsd-security/2006-October/004051.html
https://www.debian.org/security/2006/dsa-1189
https://security.freebsd.org/advisories/FreeBSD-SA-06%3A22.openssh.asc
https://www.kb.cert.org/vuls/id/851340
https://secunia.com/advisories/22270
https://secunia.com/advisories/22208
https://secunia.com/advisories/22245
https://www.arkoon.fr/upload/alertes/36AK-2006-07-FR-1.0_FAST360_OPENSSH.pdf
https://www.openbsd.org/errata.html#ssh
https://secunia.com/advisories/22352
https://support.avaya.com/elmodocs2/security/ASA-2006-216.htm
https://www.openpkg.org/security/advisories/OpenPKG-SA-2006.022-openssh.html
https://secunia.com/advisories/22362
https://www.novell.com/linux/security/advisories/2006_62_openssh.html
https://secunia.com/advisories/22495
https://www.arkoon.fr/upload/alertes/43AK-2006-09-FR-1.0_SSL360_OPENSSH.pdf
ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
https://secunia.com/advisories/22487
https://security.gentoo.org/glsa/glsa-200611-06.xml
https://secunia.com/advisories/22823
https://www.debian.org/security/2006/dsa-1212
https://secunia.com/advisories/22926
https://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
https://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
https://secunia.com/advisories/23680
https://docs.info.apple.com/article.html?artnum=305214
https://secunia.com/advisories/24479
https://www-unix.globus.org/mail_archive/security-announce/2007/04/msg00000.html
https://secunia.com/advisories/24805
https://openssh.org/txt/release-4.4
https://www.osvdb.org/29264
https://sourceforge.net/forum/forum.php?forum_id=681763
https://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
https://www.mandriva.com/security/advisories?name=MDKSA-2006:179
https://www.us-cert.gov/cas/techalerts/TA07-072A.html
https://secunia.com/advisories/24799
https://www.vupen.com/english/advisories/2007/0930
https://www.vupen.com/english/advisories/2007/1332
https://www.vupen.com/english/advisories/2006/4329
https://www.vupen.com/english/advisories/2006/4018
https://marc.info/?l=openssh-unix-dev&m=115939141729160&w=2
https://exchange.xforce.ibmcloud.com/vulnerabilities/29254
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11387
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
