OpenSSH Privilege Separation Monitor Validation Error May Cause the Monitor to Fail to Properly Control the Unprivileged Process
|
|
SecurityTracker Alert ID: 1017183
|
|
SecurityTracker URL: http://securitytracker.com/id?1017183
|
|
CVE Reference: CVE-2006-5794
|
Updated: Nov 15 2006
|
Original Entry Date: Nov 8 2006
|
Impact: Not specified
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 4.4 and prior versions
|
Description: A vulnerability was reported in OpenSSH. The privilege separation monitor may not properly verify authentication.
The sshd privilege separation monitor may not properly detect incorrect signatures. As a result, the monitor may not properly control or restrict the unprivileged process.
The vendor notes that this security bug is not known to be exploitable in the absence of any other vulnerability.
The vulnerability resides in 'monitor.c'.
[Editor's note: This vulnerability does not affect sshd authentication itself.]
|
Impact: The monitor may fail to properly control or restrict the unprivileged process in certain cases.
|
Solution: The vendor has issued a fixed version (4.5 and 4.5p1), available at:
http://openssh.org/
The OpenSSH notice is available at:
http://openssh.org/txt/release-4.5
|
Vendor URL: www.openssh.org/
|
Cause: State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Source Message Contents
|
Date: Wed, 8 Nov 2006 01:47:44 -0500
Subject: OpenSSH weakness
|
http://openssh.org/txt/release-4.5
Security bugs resolved in this release:
* Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to
be exploitable in the absence of additional vulnerabilities.