OpenSSH X11 cookie privilege escalation

openssh-x11cookie-privilege-escalation (36637)

Medium Risk

Description:

OpenSSH could allow a remote attacker on the adjacent network to gain elevated privileges. Trusted X11 cookies are created when untrusted cookies cannot be created, which could allow an attacker to bypass security restrictions and gain elevated privileges using an untrusted X client.

Platforms Affected:

• Apple, Mac OS X 10.4.11
• Apple, Mac OS X 10.5.2
• Apple, Mac OS X Server 10.4.11
• Apple, Mac OS X Server 10.5.2
• Canonical, Ubuntu 6.06 LTS
• Canonical, Ubuntu 6.10
• Canonical, Ubuntu 7.04
• Canonical, Ubuntu 7.10
• Gentoo, Linux
• HP, HP-UX B.11.11
• HP, HP-UX B.11.23
• HP, HP-UX B.11.31
• IBM, AIX 5.2
• IBM, AIX 5.3
• IBM, AIX 6.1
• Mandriva, Corporate Server 3.0 X86_64
• Mandriva, Corporate Server 3.0
• Mandriva, Corporate Server 4.0 X86_64
• Mandriva, Corporate Server 4.0
• Mandriva, Linux 2007 X86_64
• Mandriva, Linux 2007
• Mandriva, Linux 2007.1 X86_64
• Mandriva, Linux 2007.1
• Mandriva, Multi Network Firewall 2.0
• OpenBSD, OpenSSH 1.2
• OpenBSD, OpenSSH 1.2.1
• OpenBSD, OpenSSH 1.2.2
• OpenBSD, OpenSSH 1.2.27
• OpenBSD, OpenSSH 1.2.3
• OpenBSD, OpenSSH 2.1
• OpenBSD, OpenSSH 2.1.1
• OpenBSD, OpenSSH 2.1.1p4
• OpenBSD, OpenSSH 2.2
• OpenBSD, OpenSSH 2.2.0p1
• OpenBSD, OpenSSH 2.3
• OpenBSD, OpenSSH 2.3.0p1
• OpenBSD, OpenSSH 2.5
• OpenBSD, OpenSSH 2.5.1
• OpenBSD, OpenSSH 2.5.1p1
• OpenBSD, OpenSSH 2.5.1p2
• OpenBSD, OpenSSH 2.5.2
• OpenBSD, OpenSSH 2.5.2p1
• OpenBSD, OpenSSH 2.5.2p2
• OpenBSD, OpenSSH 2.9
• OpenBSD, OpenSSH 2.9.9
• OpenBSD, OpenSSH 2.9.9p1
• OpenBSD, OpenSSH 2.9.9p2
• OpenBSD, OpenSSH 2.9p1
• OpenBSD, OpenSSH 2.9p2
• OpenBSD, OpenSSH 3.0
• OpenBSD, OpenSSH 3.0.1
• OpenBSD, OpenSSH 3.0.1p1
• OpenBSD, OpenSSH 3.0.2
• OpenBSD, OpenSSH 3.0.2p1
• OpenBSD, OpenSSH 3.0p1
• OpenBSD, OpenSSH 3.1
• OpenBSD, OpenSSH 3.1p1
• OpenBSD, OpenSSH 3.2
• OpenBSD, OpenSSH 3.2.2
• OpenBSD, OpenSSH 3.2.2p1
• OpenBSD, OpenSSH 3.2.3
• OpenBSD, OpenSSH 3.2.3p1
• OpenBSD, OpenSSH 3.3
• OpenBSD, OpenSSH 3.3p1
• OpenBSD, OpenSSH 3.4
• OpenBSD, OpenSSH 3.4p1
• OpenBSD, OpenSSH 3.5
• OpenBSD, OpenSSH 3.5p1
• OpenBSD, OpenSSH 3.6
• OpenBSD, OpenSSH 3.6.1
• OpenBSD, OpenSSH 3.6.1p1
• OpenBSD, OpenSSH 3.6.1p2
• OpenBSD, OpenSSH 3.7
• OpenBSD, OpenSSH 3.7.1
• OpenBSD, OpenSSH 3.7.1p1
• OpenBSD, OpenSSH 3.7.1p2
• OpenBSD, OpenSSH 3.8
• OpenBSD, OpenSSH 3.8.1
• OpenBSD, OpenSSH 3.8.1p1
• OpenBSD, OpenSSH 3.9
• OpenBSD, OpenSSH 3.9.1
• OpenBSD, OpenSSH 3.9.1p1
• OpenBSD, OpenSSH 4.0
• OpenBSD, OpenSSH 4.0p1
• OpenBSD, OpenSSH 4.1p1
• OpenBSD, OpenSSH 4.2
• OpenBSD, OpenSSH 4.2p1
• OpenBSD, OpenSSH 4.3
• OpenBSD, OpenSSH 4.3p1
• OpenBSD, OpenSSH 4.3p2
• OpenBSD, OpenSSH 4.4
• OpenBSD, OpenSSH 4.4p1
• OpenBSD, OpenSSH 4.5
• OpenBSD, OpenSSH 4.5p1
• OpenBSD, OpenSSH 4.6

Remedy:

Upgrade to the latest version of OpenSSH (4.7 or later), available from the OpenSSH Web site. See References.

For rPath Linux:
Refer to rPath Linux Issue RPL-1706 for patch, upgrade, or suggested workaround information. See References.

For Mac OS X:
Apply Security Update 2008-002, available from the Apple Web site. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Gain Privileges

References:

• Apple Web site, About Security Update 2008-002 at http://docs.info.apple.com/article.html?artnum=307562.
• BugTraq Mailing List, Mon Nov 12 2007 - 13:57:33 CST, HPSBUX02287 SSRT071485 rev.1 - HP-UX Running HP Secure Shell, Remotely Gain Extended Privileges at http://archives.neohapsis.com/archives/bugtraq/2007-11/0164.html.
• ESB-2008.0123, AIX OpenSSH creates trusted X11 cookie instead of untrusted at http://www.auscert.org.au/render.html?it=8746.
• OpenSSH Web site, OpenSSH at http://www.openssh.com/.
• OpenSSH Web site, OpenSSH 4.7/4.7p1 at http://www.openssh.com/txt/release-4.7.
• OpenSSH Web site: OpenSSH 4.7 Release notes, Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails at http://www.openssh.com/txt/release-4.7.
• rPath Linux Issue RPL-1706, openssh uses a trusted X11cookie if creation of an untrusted cookie fails CVE-2007-4752 at https://issues.rpath.com/browse/RPL-1706.
• ASA-2007-497: HP-UX Running HP Secure Shell, Remotely Gain Extended Privileges (HPSBUX02287)
• BID-25628: OpenSSH X11 Cookie Local Authentication Bypass Vulnerability
• CVE-2007-4752: ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
• FrSIRT/ADV-2007-3156: OpenSSH Untrusted Cookie Creation Handling Security Bypass Weakness
• FrSIRT/ADV-2008-0924: Apple Mac OS X Command Execution and Security Bypass Issues
• GLSA-200711-02: OpenSSH: Security bypass
• MDKSA-2007:236: Updated openssh packages fix X11 cookie vulnerability
• SA29420: Mac OS X Security Update Fixes Multiple Vulnerabilities
• SUSE-SR:2007:022: SUSE Security Summary Report
• USN-566-1: OpenSSH vulnerability

Reported:

Sep 11, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page