CVE-2009-2904 - A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in Ope

CVE-2009-2904

Summary

A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.

References

Vulnerable Configurations

cpe:2.3:a:openbsd:openssh:4.3:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:openssh:4.3:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:openssh:4.8:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:openssh:4.8:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:5:*:server:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:5:*:server:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:5:*:client:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:5:*:client:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:5:*:*:*:*:*:*:*

CVSS

Base:	6.9 (as of 19-09-2017 - 01:29)
Impact:
Exploitability:

CWE

CWE-16

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:L/AC:M/Au:N/C:C/I:C/A:C

oval via4

accepted

2013-04-29T04:22:51.644-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:9862

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

redhat via4

advisories

bugzilla

id	522141
title	CVE-2009-2904 openssh: possible privilege escalation when using ChrootDirectory setting

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND
comment openssh is earlier than 0:4.3p2-36.el5_4.2
oval oval:com.redhat.rhsa:tst:20091470001
comment openssh is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070540002

AND

comment openssh-askpass is earlier than 0:4.3p2-36.el5_4.2
oval oval:com.redhat.rhsa:tst:20091470003
comment openssh-askpass is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070540004

AND

comment openssh-clients is earlier than 0:4.3p2-36.el5_4.2
oval oval:com.redhat.rhsa:tst:20091470005
comment openssh-clients is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070540006

AND

comment openssh-server is earlier than 0:4.3p2-36.el5_4.2
oval oval:com.redhat.rhsa:tst:20091470007
comment openssh-server is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070540008

rhsa

id	RHSA-2009:1470
released	2009-09-30
severity	Moderate
title	RHSA-2009:1470: openssh security update (Moderate)

rpms

openssh-0:4.3p2-36.el5_4.2
openssh-askpass-0:4.3p2-36.el5_4.2
openssh-clients-0:4.3p2-36.el5_4.2
openssh-debuginfo-0:4.3p2-36.el5_4.2
openssh-server-0:4.3p2-36.el5_4.2

refmap via4

bid	36552
confirm	https://bugzilla.redhat.com/show_bug.cgi?id=522141
fedora	FEDORA-2010-5429
mlist	[security-announce] 20100303 VMSA-2010-0004 ESX Service Console and vMA third party updates
osvdb	58495
secunia	38794 38834 39182
vupen	ADV-2010-0528

Last major update

19-09-2017 - 01:29

Published

01-10-2009 - 15:30

Last modified

19-09-2017 - 01:29