ID CVE-2006-5051
Summary Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
References
Vulnerable Configurations
  • OpenBSD OpenSSH 1.2
    cpe:2.3:a:openbsd:openssh:1.2
  • OpenBSD OpenSSH 1.2.1
    cpe:2.3:a:openbsd:openssh:1.2.1
  • OpenBSD OpenSSH 1.2.2
    cpe:2.3:a:openbsd:openssh:1.2.2
  • OpenBSD OpenSSH 1.2.3
    cpe:2.3:a:openbsd:openssh:1.2.3
  • OpenBSD OpenSSH 1.2.27
    cpe:2.3:a:openbsd:openssh:1.2.27
  • OpenBSD OpenSSH 2.1
    cpe:2.3:a:openbsd:openssh:2.1
  • OpenBSD OpenSSH 2.1.1
    cpe:2.3:a:openbsd:openssh:2.1.1
  • OpenBSD OpenSSH 2.2
    cpe:2.3:a:openbsd:openssh:2.2
  • OpenBSD OpenSSH 2.3
    cpe:2.3:a:openbsd:openssh:2.3
  • OpenBSD OpenSSH 2.5
    cpe:2.3:a:openbsd:openssh:2.5
  • OpenBSD OpenSSH 2.5.1
    cpe:2.3:a:openbsd:openssh:2.5.1
  • OpenBSD OpenSSH 2.5.2
    cpe:2.3:a:openbsd:openssh:2.5.2
  • OpenBSD OpenSSH 2.9
    cpe:2.3:a:openbsd:openssh:2.9
  • OpenBSD OpenSSH 2.9.9
    cpe:2.3:a:openbsd:openssh:2.9.9
  • OpenBSD OpenSSH 2.9.9 p2
    cpe:2.3:a:openbsd:openssh:2.9.9p2
  • OpenBSD OpenSSH 2.9 p1
    cpe:2.3:a:openbsd:openssh:2.9p1
  • OpenBSD OpenSSH 2.9 p2
    cpe:2.3:a:openbsd:openssh:2.9p2
  • OpenBSD OpenSSH 3.0
    cpe:2.3:a:openbsd:openssh:3.0
  • OpenBSD OpenSSH 3.0.1
    cpe:2.3:a:openbsd:openssh:3.0.1
  • OpenBSD OpenSSH 3.0.1 p1
    cpe:2.3:a:openbsd:openssh:3.0.1p1
  • OpenBSD OpenSSH 3.0.2
    cpe:2.3:a:openbsd:openssh:3.0.2
  • OpenBSD OpenSSH 3.0.2p1
    cpe:2.3:a:openbsd:openssh:3.0.2p1
  • OpenBSD OpenSSH 3.0 p1
    cpe:2.3:a:openbsd:openssh:3.0p1
  • OpenBSD OpenSSH 3.1
    cpe:2.3:a:openbsd:openssh:3.1
  • OpenBSD OpenSSH 3.1 p1
    cpe:2.3:a:openbsd:openssh:3.1p1
  • OpenBSD OpenSSH 3.2
    cpe:2.3:a:openbsd:openssh:3.2
  • OpenBSD OpenSSH 3.2.2
    cpe:2.3:a:openbsd:openssh:3.2.2
  • OpenBSD OpenSSH 3.2.2 p1
    cpe:2.3:a:openbsd:openssh:3.2.2p1
  • OpenBSD OpenSSH 3.2.3 p1
    cpe:2.3:a:openbsd:openssh:3.2.3p1
  • OpenBSD OpenSSH 3.3
    cpe:2.3:a:openbsd:openssh:3.3
  • OpenBSD OpenSSH 3.3 p1
    cpe:2.3:a:openbsd:openssh:3.3p1
  • OpenBSD OpenSSH 3.4
    cpe:2.3:a:openbsd:openssh:3.4
  • OpenBSD OpenSSH 3.4 p1
    cpe:2.3:a:openbsd:openssh:3.4p1
  • OpenBSD OpenSSH 3.5
    cpe:2.3:a:openbsd:openssh:3.5
  • OpenBSD OpenSSH 3.5 p1
    cpe:2.3:a:openbsd:openssh:3.5p1
  • OpenBSD OpenSSH 3.6
    cpe:2.3:a:openbsd:openssh:3.6
  • OpenBSD OpenSSH 3.6.1
    cpe:2.3:a:openbsd:openssh:3.6.1
  • OpenBSD OpenSSH 3.6.1 p1
    cpe:2.3:a:openbsd:openssh:3.6.1p1
  • OpenBSD OpenSSH 3.6.1 p2
    cpe:2.3:a:openbsd:openssh:3.6.1p2
  • OpenBSD OpenSSH 3.7
    cpe:2.3:a:openbsd:openssh:3.7
  • OpenBSD OpenSSH 3.7.1
    cpe:2.3:a:openbsd:openssh:3.7.1
  • OpenBSD OpenSSH 3.7.1 p1
    cpe:2.3:a:openbsd:openssh:3.7.1p1
  • OpenBSD OpenSSH 3.7.1 p2
    cpe:2.3:a:openbsd:openssh:3.7.1p2
  • OpenBSD OpenSSH 3.8
    cpe:2.3:a:openbsd:openssh:3.8
  • OpenBSD OpenSSH 3.8.1
    cpe:2.3:a:openbsd:openssh:3.8.1
  • OpenBSD OpenSSH 3.8.1 p1
    cpe:2.3:a:openbsd:openssh:3.8.1p1
  • OpenBSD OpenSSH 3.9
    cpe:2.3:a:openbsd:openssh:3.9
  • OpenBSD OpenSSH 3.9.1
    cpe:2.3:a:openbsd:openssh:3.9.1
  • OpenBSD OpenSSH 3.9.1 p1
    cpe:2.3:a:openbsd:openssh:3.9.1p1
  • OpenBSD OpenSSH 4.0
    cpe:2.3:a:openbsd:openssh:4.0
  • OpenBSD OpenSSH Portable 4.0.p1
    cpe:2.3:a:openbsd:openssh:4.0p1
  • OpenBSD OpenSSH Portable 4.1.p1
    cpe:2.3:a:openbsd:openssh:4.1p1
  • OpenBSD OpenSSH 4.2
    cpe:2.3:a:openbsd:openssh:4.2
  • OpenBSD OpenSSH Portable 4.2.p1
    cpe:2.3:a:openbsd:openssh:4.2p1
  • OpenBSD OpenSSH 4.3
    cpe:2.3:a:openbsd:openssh:4.3
  • OpenBSD OpenSSH Portable 4.3.p1
    cpe:2.3:a:openbsd:openssh:4.3p1
CVSS
Base: 9.3 (as of 28-09-2006 - 14:30)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
Vector NETWORK
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality COMPLETE
Integrity COMPLETE
Availability COMPLETE
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-355-1.NASL
    description Tavis Ormandy discovered that the SSH daemon did not properly handle authentication packets with duplicated blocks. By sending specially crafted packets, a remote attacker could exploit this to cause the ssh daemon to drain all available CPU resources until the login grace time expired. (CVE-2006-4924) Mark Dowd discovered a race condition in the server's signal handling. A remote attacker could exploit this to crash the server. (CVE-2006-5051). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27935
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27935
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : openssh vulnerabilities (USN-355-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_4_9.NASL
    description The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 24811
    published 2007-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24811
    title Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)
  • NASL family Misc.
    NASL id JUNIPER_NSM_2012_1.NASL
    description According to the version of one or more Juniper NSM servers running on the remote host, it is potentially vulnerable to multiple vulnerabilities, the worst of which may allow an authenticated user to trigger a denial of service condition or execute arbitrary code.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 69872
    published 2013-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69872
    title Juniper NSM Servers < 2012.1 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0697.NASL
    description Updated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. Mark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbitrary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable. Tavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to consume a large quantity of CPU resources. (CVE-2006-4924) All users of openssh should upgrade to these updated packages, which contain backported patches that resolve these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 22473
    published 2006-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22473
    title RHEL 3 / 4 : openssh (RHSA-2006:0697)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0697.NASL
    description Updated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. Mark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbitrary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable. Tavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to consume a large quantity of CPU resources. (CVE-2006-4924) All users of openssh should upgrade to these updated packages, which contain backported patches that resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22485
    published 2006-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22485
    title CentOS 3 / 4 : openssh / openssl (CESA-2006:0697)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-272-02.NASL
    description New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22468
    published 2006-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22468
    title Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2006-272-02)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1189.NASL
    description Several remote vulnerabilities have been discovered in OpenSSH, a free implementation of the Secure Shell protocol, which may lead to denial of service and potentially the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-4924 Tavis Ormandy of the Google Security Team discovered a denial of service vulnerability in the mitigation code against complexity attacks, which might lead to increased CPU consumption until a timeout is triggered. This is only exploitable if support for SSH protocol version 1 is enabled. - CVE-2006-5051 Mark Dowd discovered that insecure signal handler usage could potentially lead to execution of arbitrary code through a double free. The Debian Security Team doesn't believe the general openssh package without Kerberos support to be exploitable by this issue. However, due to the complexity of the underlying code we will issue an update to rule out all eventualities.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22731
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22731
    title Debian DSA-1189-1 : openssh-krb5 - several vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENSSH-2184.NASL
    description Several security problems were fixed in OpenSSH : - A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. (CVE-2006-4924) - If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. (CVE-2006-4925) - Fixed an unsafe signal handler reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. (CVE-2006-5051) - Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. (CVE-2006-5052)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 29538
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29538
    title SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 2184)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1212.NASL
    description Two denial of service problems have been found in the OpenSSH server. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CVE-2006-4924 The sshd support for ssh protocol version 1 does not properly handle duplicate incoming blocks. This could allow a remote attacker to cause sshd to consume significant CPU resources leading to a denial of service. - CVE-2006-5051 A signal handler race condition could potentially allow a remote attacker to crash sshd and could theoretically lead to the ability to execute arbitrary code.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 23661
    published 2006-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23661
    title Debian DSA-1212-1 : openssh - Denial of service
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-649-1.NASL
    description It was discovered that the ForceCommand directive could be bypassed. If a local user created a malicious ~/.ssh/rc file, they could execute arbitrary commands as their user id. This only affected Ubuntu 7.10. (CVE-2008-1657) USN-355-1 fixed vulnerabilities in OpenSSH. It was discovered that the fixes for this issue were incomplete. A remote attacker could attempt multiple logins, filling all available connection slots, leading to a denial of service. This only affected Ubuntu 6.06 and 7.04. (CVE-2008-4109). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 36855
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36855
    title Ubuntu 6.06 LTS / 7.04 / 7.10 : openssh vulnerabilities (USN-649-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200611-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-200611-06 (OpenSSH: Multiple Denial of Service vulnerabilities) Tavis Ormandy of the Google Security Team has discovered a pre-authentication vulnerability, causing sshd to spin until the login grace time has expired. Mark Dowd found an unsafe signal handler that was vulnerable to a race condition. It has also been discovered that when GSSAPI authentication is enabled, GSSAPI will in certain cases incorrectly abort. Impact : The pre-authentication and signal handler vulnerabilities can cause a Denial of Service in OpenSSH. The vulnerability in the GSSAPI authentication abort could be used to determine the validity of usernames on some platforms. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 23671
    published 2006-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23671
    title GLSA-200611-06 : OpenSSH: Multiple Denial of Service vulnerabilities
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL6736.NASL
    description The remote BIG-IP device is missing a patch required by a security advisory.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 88441
    published 2016-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88441
    title F5 Networks BIG-IP : OpenSSH vulnerabilities (SOL6736)
  • NASL family Misc.
    NASL id OPENSSH_44.NASL
    description According to its banner, the version of OpenSSH installed on the remote host is affected by multiple vulnerabilities : - A race condition exists that may allow an unauthenticated, remote attacker to crash the service or, on portable OpenSSH, possibly execute code on the affected host. Note that successful exploitation requires that GSSAPI authentication be enabled. - A flaw exists that may allow an attacker to determine the validity of usernames on some platforms. Note that this issue requires that GSSAPI authentication be enabled. - When SSH version 1 is used, an issue can be triggered via an SSH packet that contains duplicate blocks that could result in a loss of availability for the service. - On Fedora Core 6 (and possibly other systems), an unspecified vulnerability in the linux_audit_record_event() function allows remote attackers to inject incorrect information into audit logs.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 22466
    published 2006-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22466
    title OpenSSH < 4.4 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0698.NASL
    description Updated openssh packages that fix several security issues in sshd are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. Mark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbitrary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable. Tavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to consume a large quantity of CPU resources. (CVE-2006-4924) An arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally. (CVE-2006-0225) The SSH daemon, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass 'from=' and 'user@host' address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. (CVE-2003-0386) All users of openssh should upgrade to these updated packages, which contain backported patches that resolve these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 22474
    published 2006-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22474
    title RHEL 2.1 : openssh (RHSA-2006:0698)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1638.NASL
    description It has been discovered that the signal handler implementing the login timeout in Debian's version of the OpenSSH server uses functions which are not async-signal-safe, leading to a denial of service vulnerability (CVE-2008-4109). The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051), but the patch backported to the version released with etch was incorrect. Systems affected by this issue suffer from lots of zombie sshd processes. Processes stuck with a '[net]' process title have also been observed. Over time, a sufficient number of processes may accumulate such that further login attempts are impossible. Presence of these processes does not indicate active exploitation of this vulnerability. It is possible to trigger this denial of service condition by accident.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 34223
    published 2008-09-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34223
    title Debian DSA-1638-1 : openssh - denial of service
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-179.NASL
    description Tavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector. This could allow a remote unauthenticated attacker to trigger excessive CPU utilization by sending a specially crafted SSH message, which would then deny ssh services to other users or processes (CVE-2006-4924, CVE-2006-4925). Please note that Mandriva ships with only SSH protocol version 2 enabled by default. Next, an unsafe signal handler was found by Mark Dowd. This signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication DoS, and theoretically a pre-authentication remote code execution in the case where some authentication methods like GSSAPI are enabled (CVE-2006-5051). Updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24565
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24565
    title Mandrake Linux Security Advisory : openssh (MDKSA-2006:179)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_32DB37A550C311DBACF3000C6EC775D9.NASL
    description Problem Description The CRC compensation attack detector in the sshd(8) daemon, upon receipt of duplicate blocks, uses CPU time cubic in the number of duplicate blocks received. [CVE-2006-4924] A race condition exists in a signal handler used by the sshd(8) daemon to handle the LoginGraceTime option, which can potentially cause some cleanup routines to be executed multiple times. [CVE-2006-5051] Impact An attacker sending specially crafted packets to sshd(8) can cause a Denial of Service by using 100% of CPU time until a connection timeout occurs. Since this attack can be performed over multiple connections simultaneously, it is possible to cause up to MaxStartups (10 by default) sshd processes to use all the CPU time they can obtain. [CVE-2006-4924] The OpenSSH project believe that the race condition can lead to a Denial of Service or potentially remote code execution, but the FreeBSD Security Team has been unable to verify the exact impact. [CVE-2006-5051] Workaround The attack against the CRC compensation attack detector can be avoided by disabling SSH Protocol version 1 support in sshd_config(5). There is no workaround for the second issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22488
    published 2006-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22488
    title FreeBSD : openssh -- multiple vulnerabilities (32db37a5-50c3-11db-acf3-000c6ec775d9)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0697.NASL
    description From Red Hat Security Advisory 2006:0697 : Updated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. Mark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbitrary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable. Tavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to consume a large quantity of CPU resources. (CVE-2006-4924) All users of openssh should upgrade to these updated packages, which contain backported patches that resolve these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67412
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67412
    title Oracle Linux 4 : openssh (ELSA-2006-0697)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENSSH-2183.NASL
    description Several security problems were fixed in OpenSSH : - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal handler reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27365
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27365
    title openSUSE 10 Security Update : openssh (openssh-2183)
  • NASL family Misc.
    NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL
    description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 55992
    published 2011-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55992
    title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
oval via4
accepted 2013-04-29T04:13:43.866-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
family unix
id oval:org.mitre.oval:def:11387
status accepted
submitted 2010-07-09T03:56:16-04:00
title Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
version 23
redhat via4
advisories
  • bugzilla
    id 208347
    title CVE-2006-5051 unsafe GSSAPI signal handler
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 3 is installed
        oval oval:com.redhat.rhba:tst:20070026001
      • OR
        • AND
          • comment openssh is earlier than 0:3.6.1p2-33.30.12
            oval oval:com.redhat.rhsa:tst:20060697002
          • comment openssh is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060697003
        • AND
          • comment openssh-askpass is earlier than 0:3.6.1p2-33.30.12
            oval oval:com.redhat.rhsa:tst:20060697010
          • comment openssh-askpass is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060697011
        • AND
          • comment openssh-askpass-gnome is earlier than 0:3.6.1p2-33.30.12
            oval oval:com.redhat.rhsa:tst:20060697008
          • comment openssh-askpass-gnome is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060697009
        • AND
          • comment openssh-clients is earlier than 0:3.6.1p2-33.30.12
            oval oval:com.redhat.rhsa:tst:20060697004
          • comment openssh-clients is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060697005
        • AND
          • comment openssh-server is earlier than 0:3.6.1p2-33.30.12
            oval oval:com.redhat.rhsa:tst:20060697006
          • comment openssh-server is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060697007
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304001
      • OR
        • AND
          • comment openssh is earlier than 0:3.9p1-8.RHEL4.17
            oval oval:com.redhat.rhsa:tst:20060697013
          • comment openssh is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060697003
        • AND
          • comment openssh-askpass is earlier than 0:3.9p1-8.RHEL4.17
            oval oval:com.redhat.rhsa:tst:20060697017
          • comment openssh-askpass is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060697011
        • AND
          • comment openssh-askpass-gnome is earlier than 0:3.9p1-8.RHEL4.17
            oval oval:com.redhat.rhsa:tst:20060697014
          • comment openssh-askpass-gnome is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060697009
        • AND
          • comment openssh-clients is earlier than 0:3.9p1-8.RHEL4.17
            oval oval:com.redhat.rhsa:tst:20060697016
          • comment openssh-clients is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060697005
        • AND
          • comment openssh-server is earlier than 0:3.9p1-8.RHEL4.17
            oval oval:com.redhat.rhsa:tst:20060697015
          • comment openssh-server is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060697007
    rhsa
    id RHSA-2006:0697
    released 2006-09-28
    severity Important
    title RHSA-2006:0697: openssh security update (Important)
  • rhsa
    id RHSA-2006:0698
rpms
  • openssh-0:3.6.1p2-33.30.12
  • openssh-askpass-0:3.6.1p2-33.30.12
  • openssh-askpass-gnome-0:3.6.1p2-33.30.12
  • openssh-clients-0:3.6.1p2-33.30.12
  • openssh-server-0:3.6.1p2-33.30.12
  • openssh-0:3.9p1-8.RHEL4.17
  • openssh-askpass-0:3.9p1-8.RHEL4.17
  • openssh-askpass-gnome-0:3.9p1-8.RHEL4.17
  • openssh-clients-0:3.9p1-8.RHEL4.17
  • openssh-server-0:3.9p1-8.RHEL4.17
refmap via4
apple APPLE-SA-2007-03-13
bid 20241
cert TA07-072A
cert-vn VU#851340
confirm
debian
  • DSA-1189
  • DSA-1212
freebsd
  • FreeBSD-SA-06:22
  • FreeBSD-SA-06:22.openssh
gentoo GLSA-200611-06
mandriva MDKSA-2006:179
mlist
  • [freebsd-security] 20061002 FreeBSD Security Advisory FreeBSD-SA-06:22.openssh
  • [openssh-unix-dev] 20060927 Announce: OpenSSH 4.4 released
  • [security-announce] 20070409 Globus Security Advisory 2007-02: GSI-OpenSSH vulnerability
openbsd [2.9] 015: SECURITY FIX: October 12, 2006
openpkg OpenPKG-SA-2006.022
osvdb 29264
sectrack 1016940
secunia
  • 22158
  • 22173
  • 22183
  • 22196
  • 22208
  • 22236
  • 22245
  • 22270
  • 22352
  • 22362
  • 22487
  • 22495
  • 22823
  • 22926
  • 23680
  • 24479
  • 24799
  • 24805
sgi 20061001-01-P
slackware SSA:2006-272-02
suse SUSE-SA:2006:062
ubuntu USN-355-1
vupen
  • ADV-2006-4018
  • ADV-2006-4329
  • ADV-2007-0930
  • ADV-2007-1332
xf openssh-signal-handler-race-condition(29254)
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 17-10-2016 - 23:41
Published 27-09-2006 - 19:07
Last modified 10-10-2017 - 21:31