OpenSSH X11 cookie privilege escalation

openssh-x11cookie-privilege-escalation (36637)

Medium Risk

Description:

OpenSSH could allow a remote attacker on the adjacent network to gain elevated privileges. Trusted X11 cookies are created when untrusted cookies cannot be created, which could allow an attacker to bypass security restrictions and gain elevated privileges using an untrusted X client.

Platforms Affected:

• Apple, Mac OS X 10.4.11
• Apple, Mac OS X 10.5.2
• Apple, Mac OS X Server 10.4.11
• Apple, Mac OS X Server 10.5.2
• Canonical, Ubuntu 6.06 LTS
• Canonical, Ubuntu 6.10
• Canonical, Ubuntu 7.04
• Canonical, Ubuntu 7.10
• Debian, Debian Linux 4.0
• Gentoo, Linux
• HP, HP-UX B.11.11
• HP, HP-UX B.11.23
• HP, HP-UX B.11.31
• IBM, AIX 5.2
• IBM, AIX 5.3
• IBM, AIX 6.1
• IBM, zOS
• MandrakeSoft, Mandrake Linux 2007
• MandrakeSoft, Mandrake Linux 2007 X86_64
• MandrakeSoft, Mandrake Linux 2007.1 X86_64
• MandrakeSoft, Mandrake Linux 2007.1
• MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 3.0
• MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 4.0
• MandrakeSoft, Mandrake Multi Network Firewall 2.0
• OpenBSD, OpenSSH 1.2
• OpenBSD, OpenSSH 1.2.1
• OpenBSD, OpenSSH 1.2.2
• OpenBSD, OpenSSH 1.2.27
• OpenBSD, OpenSSH 1.2.3
• OpenBSD, OpenSSH 2.1
• OpenBSD, OpenSSH 2.1.1
• OpenBSD, OpenSSH 2.1.1p4
• OpenBSD, OpenSSH 2.2
• OpenBSD, OpenSSH 2.2.0p1
• OpenBSD, OpenSSH 2.3
• OpenBSD, OpenSSH 2.3.0p1
• OpenBSD, OpenSSH 2.5
• OpenBSD, OpenSSH 2.5.1
• OpenBSD, OpenSSH 2.5.1p1
• OpenBSD, OpenSSH 2.5.1p2
• OpenBSD, OpenSSH 2.5.2
• OpenBSD, OpenSSH 2.5.2p1
• OpenBSD, OpenSSH 2.5.2p2
• OpenBSD, OpenSSH 2.9
• OpenBSD, OpenSSH 2.9.9
• OpenBSD, OpenSSH 2.9.9p1
• OpenBSD, OpenSSH 2.9.9p2
• OpenBSD, OpenSSH 2.9p1
• OpenBSD, OpenSSH 2.9p2
• OpenBSD, OpenSSH 3.0
• OpenBSD, OpenSSH 3.0.1
• OpenBSD, OpenSSH 3.0.1p1
• OpenBSD, OpenSSH 3.0.2
• OpenBSD, OpenSSH 3.0.2p1
• OpenBSD, OpenSSH 3.0p1
• OpenBSD, OpenSSH 3.1
• OpenBSD, OpenSSH 3.1p1
• OpenBSD, OpenSSH 3.2
• OpenBSD, OpenSSH 3.2.2
• OpenBSD, OpenSSH 3.2.2p1
• OpenBSD, OpenSSH 3.2.3
• OpenBSD, OpenSSH 3.2.3p1
• OpenBSD, OpenSSH 3.3
• OpenBSD, OpenSSH 3.3p1
• OpenBSD, OpenSSH 3.4
• OpenBSD, OpenSSH 3.4p1
• OpenBSD, OpenSSH 3.5
• OpenBSD, OpenSSH 3.5p1
• OpenBSD, OpenSSH 3.6
• OpenBSD, OpenSSH 3.6.1
• OpenBSD, OpenSSH 3.6.1p1
• OpenBSD, OpenSSH 3.6.1p2
• OpenBSD, OpenSSH 3.7
• OpenBSD, OpenSSH 3.7.1
• OpenBSD, OpenSSH 3.7.1p1
• OpenBSD, OpenSSH 3.7.1p2
• OpenBSD, OpenSSH 3.8
• OpenBSD, OpenSSH 3.8.1
• OpenBSD, OpenSSH 3.8.1p1
• OpenBSD, OpenSSH 3.9
• OpenBSD, OpenSSH 3.9.1
• OpenBSD, OpenSSH 3.9.1p1
• OpenBSD, OpenSSH 4.0
• OpenBSD, OpenSSH 4.0p1
• OpenBSD, OpenSSH 4.1p1
• OpenBSD, OpenSSH 4.2
• OpenBSD, OpenSSH 4.2p1
• OpenBSD, OpenSSH 4.3
• OpenBSD, OpenSSH 4.3p1
• OpenBSD, OpenSSH 4.3p2
• OpenBSD, OpenSSH 4.4
• OpenBSD, OpenSSH 4.4p1
• OpenBSD, OpenSSH 4.5
• OpenBSD, OpenSSH 4.5p1
• OpenBSD, OpenSSH 4.6
• RedHat, Enterprise Linux 4 ES
• RedHat, Enterprise Linux 4 Desktop
• RedHat, Enterprise Linux 4 WS
• RedHat, Enterprise Linux 4 AS
• RedHat, Enterprise Linux 4.5.z AS
• RedHat, Enterprise Linux 4.5.z ES
• RedHat, Enterprise Linux 5
• RedHat, Enterprise Linux 5 Client
• Turbolinux, Turbolinux 10 Server
• Turbolinux, Turbolinux 10 Server x64 Ed
• Turbolinux, Turbolinux FUJI
• Turbolinux, Turbolinux Appliance Server 2.0

Remedy:

Upgrade to the latest version of OpenSSH (4.7 or later), available from the OpenSSH Web site. See References.

For rPath Linux:
Refer to rPath Linux Issue RPL-1706 for patch, upgrade, or suggested workaround information. See References.

For Mac OS X:
Apply Security Update 2008-002, available from the Apple Web site. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Gain Privileges

References:

• Apple Web site, About Security Update 2008-002 at http://docs.info.apple.com/article.html?artnum=307562.
• BugTraq Mailing List, Mon Nov 12 2007 - 13:57:33 CST, HPSBUX02287 SSRT071485 rev.1 - HP-UX Running HP Secure Shell, Remotely Gain Extended Privileges at http://archives.neohapsis.com/archives/bugtraq/2007-11/0164.html.
• ESB-2008.0123, AIX OpenSSH creates trusted X11 cookie instead of untrusted at http://www.auscert.org.au/render.html?it=8746.
• IBM APAR OA25412, OA25412: DOC UPDATE FOR "IBM PORTED TOOLS FOR Z/OS" OPENSSH 5655M2301 at http://www-1.ibm.com/support/docview.wss?rs=203&context=SW000&dc=DB550&dc=D100&q1=Security+vulnerability&uid=isg1OA25412.
• OpenSSH Web site, OpenSSH at http://www.openssh.com/.
• OpenSSH Web site, OpenSSH 4.7/4.7p1 at http://www.openssh.com/txt/release-4.7.
• OpenSSH Web site: OpenSSH 4.7 Release notes, Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails at http://www.openssh.com/txt/release-4.7.
• rPath Linux Issue RPL-1706, openssh uses a trusted X11cookie if creation of an untrusted cookie fails CVE-2007-4752 at https://issues.rpath.com/browse/RPL-1706.
• ASA-2007-497: HP-UX Running HP Secure Shell, Remotely Gain Extended Privileges (HPSBUX02287)
• ASA-2008-399: openssh security update (RHSA-2008-0855)
• BID-25628: OpenSSH X11 Cookie Local Authentication Bypass Vulnerability
• CVE-2007-4752: ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
• DSA-1576: openssh -- predictable random number generator
• GLSA-200711-02: OpenSSH: Security bypass
• MDKSA-2007:236: Updated openssh packages fix X11 cookie vulnerability
• RHSA-2008-0855: Critical: openssh security update
• SA29420: Mac OS X Security Update Fixes Multiple Vulnerabilities
• SA32241: Avaya Products Red Hat Tampered OpenSSH Packages
• SUSE-SR:2007:022: SUSE Security Summary Report

Reported:

Sep 11, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page