int(3431)

Boletines de Vulnerabilidades

Aumento de privilegios en OpenSSH

Clasificación de la vulnerabilidad
Propiedad Valor
Nivel de Confianza Oficial
Impacto Aumento de privilegios
Dificultad Experto
Requerimientos del atacante Acceso remoto sin cuenta a un servicio estandar

Información sobre el sistema
Propiedad Valor
Fabricante afectado GNU/Linux
Software afectado OpenSSH < 4.7

Descripción
Se ha encontrado una vulnerabilidad en OpenSSH en las versiones anteriores a la 4.7 en ssh. La vulnerabilidad reside al reaccionar de forma incorrecta cuando una cookie, que no es de confianza, no se puede crear y en su lugar sea utilizada una cookie X11 de confianza.

Un atacante remoto podría aumentar sus privilegios mediante causar que un cliente X sea tratado como de confianza.

Solución


Actualización de software

OpenSSH
OpenSSH version 4.7
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/

Mandriva (MDKSA-2007:236)

Corporate Server 3.0
X86
corporate/3.0/i586/openssh-4.3p1-0.4.C30mdk.i586.rpm
corporate/3.0/i586/openssh-askpass-4.3p1-0.4.C30mdk.i586.rpm
corporate/3.0/i586/openssh-askpass-gnome-4.3p1-0.4.C30mdk.i586.rpm
corporate/3.0/i586/openssh-clients-4.3p1-0.4.C30mdk.i586.rpm
corporate/3.0/i586/openssh-server-4.3p1-0.4.C30mdk.i586.rpm
corporate/3.0/SRPMS/openssh-4.3p1-0.4.C30mdk.src.rpm
X86_64
corporate/3.0/x86_64/openssh-4.3p1-0.4.C30mdk.x86_64.rpm
corporate/3.0/x86_64/openssh-askpass-4.3p1-0.4.C30mdk.x86_64.rpm
corporate/3.0/x86_64/openssh-askpass-gnome-4.3p1-0.4.C30mdk.x86_64.rpm
corporate/3.0/x86_64/openssh-clients-4.3p1-0.4.C30mdk.x86_64.rpm
corporate/3.0/x86_64/openssh-server-4.3p1-0.4.C30mdk.x86_64.rpm
corporate/3.0/SRPMS/openssh-4.3p1-0.4.C30mdk.src.rpm

Multi Network Firewall 2.0
X86
mnt/2.0/i586/openssh-4.3p1-0.4.M20mdk.i586.rpm
mnt/2.0/i586/openssh-askpass-4.3p1-0.4.M20mdk.i586.rpm
mnt/2.0/i586/openssh-askpass-gnome-4.3p1-0.4.M20mdk.i586.rpm
mnt/2.0/i586/openssh-clients-4.3p1-0.4.M20mdk.i586.rpm
mnt/2.0/i586/openssh-server-4.3p1-0.4.M20mdk.i586.rpm
mnt/2.0/SRPMS/openssh-4.3p1-0.4.M20mdk.src.rpm

Mandriva Linux 2007
X86
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/openssh-4.5p1-0.2mdv2007.0.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/openssh-askpass-4.5p1-0.2mdv2007.0.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/openssh-askpass-common-4.5p1-0.2mdv2007.0.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/openssh-askpass-gnome-4.5p1-0.2mdv2007.0.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/openssh-clients-4.5p1-0.2mdv2007.0.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/openssh-server-4.5p1-0.2mdv2007.0.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/SRPMS/main/updates/openssh-4.5p1-0.2mdv2007.0.src.rpm
X86_64
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/openssh-4.5p1-0.2mdv2007.0.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/openssh-askpass-4.5p1-0.2mdv2007.0.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/openssh-askpass-common-4.5p1-0.2mdv2007.0.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/openssh-askpass-gnome-4.5p1-0.2mdv2007.0.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/openssh-clients-4.5p1-0.2mdv2007.0.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/openssh-server-4.5p1-0.2mdv2007.0.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/SRPMS/main/updates/openssh-4.5p1-0.2mdv2007.0.src.rpm

Corporate Server 4.0
X86
corporate/4.0/i586/openssh-4.3p1-0.5.20060mlcs4.i586.rpm
corporate/4.0/i586/openssh-askpass-4.3p1-0.5.20060mlcs4.i586.rpm
corporate/4.0/i586/openssh-askpass-gnome-4.3p1-0.5.20060mlcs4.i586.rpm
corporate/4.0/i586/openssh-clients-4.3p1-0.5.20060mlcs4.i586.rpm
corporate/4.0/i586/openssh-server-4.3p1-0.5.20060mlcs4.i586.rpm
corporate/4.0/SRPMS/openssh-4.3p1-0.5.20060mlcs4.src.rpm
X86_64
corporate/4.0/x86_64/openssh-4.3p1-0.5.20060mlcs4.x86_64.rpm
corporate/4.0/x86_64/openssh-askpass-4.3p1-0.5.20060mlcs4.x86_64.rpm
corporate/4.0/x86_64/openssh-askpass-gnome-4.3p1-0.5.20060mlcs4.x86_64.rpm
corporate/4.0/x86_64/openssh-clients-4.3p1-0.5.20060mlcs4.x86_64.rpm
corporate/4.0/x86_64/openssh-server-4.3p1-0.5.20060mlcs4.x86_64.rpm
corporate/4.0/SRPMS/openssh-4.3p1-0.5.20060mlcs4.src.rpm

Mandriva Linux 2007.1
X86
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/openssh-4.6p1-1.1mdv2007.1.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/openssh-askpass-4.6p1-1.1mdv2007.1.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/openssh-askpass-common-4.6p1-1.1mdv2007.1.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/openssh-askpass-gnome-4.6p1-1.1mdv2007.1.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/openssh-clients-4.6p1-1.1mdv2007.1.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/openssh-server-4.6p1-1.1mdv2007.1.i586.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/SRPMS/main/updates/openssh-4.6p1-1.1mdv2007.1.src.rpm
X86_64
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/openssh-4.6p1-1.1mdv2007.1.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/openssh-askpass-4.6p1-1.1mdv2007.1.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/openssh-askpass-common-4.6p1-1.1mdv2007.1.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/openssh-askpass-gnome-4.6p1-1.1mdv2007.1.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/openssh-clients-4.6p1-1.1mdv2007.1.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/openssh-server-4.6p1-1.1mdv2007.1.x86_64.rpm
ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/SRPMS/main/updates/openssh-4.6p1-1.1mdv2007.1.src.rpm

Ubuntu (USN-566-1)

Ubuntu 6.06 LTS
openssh-client / patch 1:4.2p1-7ubuntu3.2

Ubuntu 6.10
openssh-client / patch 1:4.3p2-5ubuntu1.1

Ubuntu 7.04
openssh-client / patch 1:4.3p2-8ubuntu1.1

Ubuntu 7.10
openssh-client / patch 1:4.6p1-5ubuntu0.1

IBM
AIX 6.1
http://downloads.sourceforge.net/openssh-aix/openssh-4.5p1-r2.tar.Z
AIX 5.3
http://downloads.sourceforge.net/openssh-aix/openssh-4.5p1-r2.tar.Z
AIX 5.2
De momento, no existe actualización. Visite periódicamente la siguiente página web:
http://sourceforge.net/projects/openssh-aix

Debian (DSA-1576-1)

Debian Linux 4.0
Source
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch1.diff.gz
http://security.debian.org/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1.tar.gz
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch1.dsc
http://security.debian.org/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1.dsc
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2.orig.tar.gz
Arquitectura independiente
http://security.debian.org/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1_all.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh_4.3p2-9etch1_all.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-krb5_4.3p2-9etch1_all.deb
alpha (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_alpha.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_alpha.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_alpha.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_alpha.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_alpha.deb
amd64 (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_amd64.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_amd64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_amd64.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_amd64.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_amd64.deb
hppa (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_hppa.udeb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_hppa.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_hppa.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_hppa.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_hppa.deb
i386 (Intel ia32)
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_i386.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_i386.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_i386.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_i386.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_i386.udeb
ia64 (Intel ia64)
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_ia64.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_ia64.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_ia64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_ia64.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_ia64.deb
powerpc (PowerPC)
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_powerpc.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_powerpc.udeb
sparc (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_sparc.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_sparc.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_sparc.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_sparc.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_sparc.udeb

Red Hat (RHSA-2008:0855-6)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 servidor)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 cliente)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)
https://rhn.redhat.com/

Identificadores estándar
Propiedad Valor
CVE CVE-2007-4752
BID 25628

Recursos adicionales
OpenSSH security
http://www.openssh.com/txt/release-4.7

Mandriva Security Advisory (MDKSA-2007:236)
http://www.mandriva.com/security/advisories?name=MDKSA-2007:236

Ubuntu Security Advisory (USN-566-1)
http://www.ubuntu.com/usn/usn-566-1

IBM Security Advisory
http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoeblist?mode=7&heading=AIX61&path=%2F200802%2FSECURITY%2F20080205%2Fdatafile155518

Debian Security Advisory (DSA-1576-1)
http://lists.debian.org/debian-security-announce/2008/msg00153.html

Red Hat Security Advisory (RHSA-2008:0855-6)
http://rhn.redhat.com/errata/RHSA-2008-0855.html

Histórico de versiones
Versión Comentario Fecha
1.0 Aviso emitido 2007-09-14
1.1 Aviso emitido por Mandriva (MDKSA-2007:236) 2007-12-05
1.2 Aviso emitido por Ubuntu (USN-566-1) 2008-01-11
1.3 Aviso emitido por IBM 2008-02-07
1.4 Aviso emitido por Debian (DSA-1576-1) 2008-05-15
1.5 Aviso emitido por Red Hat (RHSA-2008:0855-6) 2008-08-25

Miembros de

CERT
FIRST
TF-CSIRT
EGC Group
UE
Red Nacional de SOC
Foro Nacional de Ciberseguridad
CSIRT.es
Ministerio de Defensa
CNI
CCN
CCN-CERT