ID CVE-2006-4925
Summary packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.
References
Vulnerable Configurations
  • OpenBSD OpenSSH 4.5
    cpe:2.3:a:openbsd:openssh:4.5
CVSS
Base: 5.0 (as of 02-10-2006 - 07:53)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENSSH-2184.NASL
    description Several security problems were fixed in OpenSSH : - A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. (CVE-2006-4924) - If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. (CVE-2006-4925) - Fixed an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. (CVE-2006-5051) - Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. (CVE-2006-5052)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 29538
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29538
    title SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 2184)
  • NASL family Misc.
    NASL id OPENSSH_45.NASL
    description According to its banner, the remote host is running a version of OpenSSH prior to 4.5. Versions before 4.5 are affected by the following vulnerabilities : - A client-side NULL pointer dereference, caused by a protocol error from a malicious server, which could cause the client to crash. (CVE-2006-4925) - A privilege separation vulnerability exists, which could allow attackers to bypass authentication. The vulnerability is caused by a design error between privileged processes and their child processes. Note that this particular issue is only exploitable when other vulnerabilities are present. (CVE-2006-5794) - An attacker that connects to the service before it has finished creating keys could force the keys to be recreated. This could result in a denial of service for any processes that relies on a trust relationship with the server. Note that this particular issue only affects the Apple implementation of OpenSSH on Mac OS X. (CVE-2007-0726)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 44077
    published 2011-10-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44077
    title OpenSSH < 4.5 Multiple Vulnerabilities
  • NASL family Misc.
    NASL id OPENSSH_44.NASL
    description According to its banner, the version of OpenSSH installed on the remote host is affected by multiple vulnerabilities : - A race condition exists that may allow an unauthenticated, remote attacker to crash the service or, on portable OpenSSH, possibly execute code on the affected host. Note that successful exploitation requires that GSSAPI authentication be enabled. - A flaw exists that may allow an attacker to determine the validity of usernames on some platforms. Note that this issue requires that GSSAPI authentication be enabled. - When SSH version 1 is used, an issue can be triggered via an SSH packet that contains duplicate blocks that could result in a loss of availability for the service. - On Fedora Core 6 (and possibly other systems), an unspecified vulnerability in the linux_audit_record_event() function allows remote attackers to inject incorrect information into audit logs.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 22466
    published 2006-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22466
    title OpenSSH < 4.4 Multiple Vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-179.NASL
    description Tavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector. This could allow a remote unauthenticated attacker to trigger excessive CPU utilization by sending a specially crafted SSH message, which would then deny ssh services to other users or processes (CVE-2006-4924, CVE-2006-4925). Please note that Mandriva ships with only SSH protocol version 2 enabled by default. Next, an unsafe signal handler was found by Mark Dowd. This signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication DoS, and theoretically a pre-authentication remote code execution in the case where some authentication methods like GSSAPI are enabled (CVE-2006-5051). Updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24565
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24565
    title Mandrake Linux Security Advisory : openssh (MDKSA-2006:179)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENSSH-2183.NASL
    description Several security problems were fixed in OpenSSH : - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27365
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27365
    title openSUSE 10 Security Update : openssh (openssh-2183)
  • NASL family Misc.
    NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL
    description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 55992
    published 2011-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55992
    title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
refmap via4
bugtraq
  • 20060927 rPSA-2006-0174-1 gnome-ssh-askpass openssh openssh-client openssh-server
  • 20061005 rPSA-2006-0185-1 gnome-ssh-askpass openssh openssh-client openssh-server
confirm
mandriva MDKSA-2006:179
misc http://bugs.gentoo.org/show_bug.cgi?id=148228
openpkg OpenPKG-SA-2006.022
secunia
  • 22245
  • 22298
  • 22495
  • 23038
suse
  • SUSE-SA:2006:062
  • SUSE-SR:2006:024
statements via4
contributor Joshua Bressers
lastmodified 2006-10-31
organization Red Hat
statement Red Hat does not consider this flaw a security issue. This flaw can cause an OpenSSH client to crash when connecting to a malicious server, which does not result in a denial of service condition.
Last major update 15-09-2010 - 01:26
Published 28-09-2006 - 20:07
Last modified 17-10-2018 - 17:40
Back to Top