ID CVE-2006-5794
Summary Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.
References
Vulnerable Configurations
  • OpenBSD OpenSSH 4.4
    cpe:2.3:a:openbsd:openssh:4.4
CVSS
Base: 7.5 (as of 09-11-2006 - 11:22)
Impact:
Exploitability:
Access
Vector: NETWORK / Complexity: LOW / Authentication: NONE
Impact
Confidentiality: PARTIAL / Integrity: PARTIAL / Availability: PARTIAL
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0738.NASL
    description From Red Hat Security Advisory 2006:0738 : Updated openssh packages that fix an authentication flaw are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. An authentication flaw was found in OpenSSH's privilege separation monitor. If it ever becomes possible to alter the behavior of the unprivileged process when OpenSSH is using privilege separation, an attacker may then be able to login without possessing proper credentials. (CVE-2006-5794) Please note that this flaw by itself poses no direct threat to OpenSSH users. Without another security flaw that could allow an attacker to alter the behavior of OpenSSH's unprivileged process, this flaw cannot be exploited. There are currently no known flaws to exploit this behavior. However, we have decided to issue this erratum to fix this flaw to reduce the security impact if an unprivileged process flaw is ever found. Users of openssh should upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 67425
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67425
    title Oracle Linux 3 / 4 : openssh (ELSA-2006-0738)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-204.NASL
    description A vulnerability in the privilege separation functionality in OpenSSH was discovered, caused by incorrect checking for bad signatures in sshd's privsep monitor. As a result, the monitor and the unprivileged process can get out of sync. The OpenSSH team indicated that this bug is not known to be exploitable in the absence of additional vulnerabilities. Updated packages have been patched to correct this issue, and Mandriva Linux 2007 has received the latest version of OpenSSH.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24589
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24589
    title Mandrake Linux Security Advisory : openssh (MDKSA-2006:204)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0738.NASL
    description Updated openssh packages that fix an authentication flaw are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. An authentication flaw was found in OpenSSH's privilege separation monitor. If it ever becomes possible to alter the behavior of the unprivileged process when OpenSSH is using privilege separation, an attacker may then be able to login without possessing proper credentials. (CVE-2006-5794) Please note that this flaw by itself poses no direct threat to OpenSSH users. Without another security flaw that could allow an attacker to alter the behavior of OpenSSH's unprivileged process, this flaw cannot be exploited. There are currently no known flaws to exploit this behavior. However, we have decided to issue this erratum to fix this flaw to reduce the security impact if an unprivileged process flaw is ever found. Users of openssh should upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 37366
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37366
    title CentOS 3 / 4 : openssh (CESA-2006:0738)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENSSH-2256.NASL
    description The OpenSSH release 4.5 contains a security fix which has been backported to the openssh versions in our old products. CVE-2006-5794: Incorrect return argument checking in the privilege separation monitor was fixed. In case of an exploitable unprivileged helper this could have been used to elevate privileges.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27366
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27366
    title openSUSE 10 Security Update : openssh (openssh-2256)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0738.NASL
    description Updated openssh packages that fix an authentication flaw are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. An authentication flaw was found in OpenSSH's privilege separation monitor. If it ever becomes possible to alter the behavior of the unprivileged process when OpenSSH is using privilege separation, an attacker may then be able to login without possessing proper credentials. (CVE-2006-5794) Please note that this flaw by itself poses no direct threat to OpenSSH users. Without another security flaw that could allow an attacker to alter the behavior of OpenSSH's unprivileged process, this flaw cannot be exploited. There are currently no known flaws to exploit this behavior. However, we have decided to issue this erratum to fix this flaw to reduce the security impact if an unprivileged process flaw is ever found. Users of openssh should upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 23683
    published 2006-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23683
    title RHEL 3 / 4 : openssh (RHSA-2006:0738)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENSSH-2257.NASL
    description The OpenSSH release 4.5 contains a security fix which has been backported to the openssh versions in our old products. - Incorrect return argument checking in the privilege separation monitor was fixed. In case of an exploitable unprivileged helper this could have been used to elevate privileges. (CVE-2006-5794)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29539
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29539
    title SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 2257)
  • NASL family Misc.
    NASL id OPENSSH_45.NASL
    description According to its banner, the remote host is running a version of OpenSSH prior to 4.5. Versions before 4.5 are affected by the following vulnerabilities : - A client-side NULL pointer dereference, caused by a protocol error from a malicious server, which could cause the client to crash. (CVE-2006-4925) - A privilege separation vulnerability exists, which could allow attackers to bypass authentication. The vulnerability is caused by a design error between privileged processes and their child processes. Note that this particular issue is only exploitable when other vulnerabilities are present. (CVE-2006-5794) - An attacker that connects to the service before it has finished creating keys could force the keys to be recreated. This could result in a denial of service for any process that relies on a trust relationship with the server. Note that this particular issue only affects the Apple implementation of OpenSSH on Mac OS X. (CVE-2007-0726)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 44077
    published 2011-10-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44077
    title OpenSSH < 4.5 Multiple Vulnerabilities
  • NASL family Misc.
    NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL
    description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 55992
    published 2011-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55992
    title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
oval via4
accepted 2013-04-29T04:15:56.162-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.
family unix
id oval:org.mitre.oval:def:11840
status accepted
submitted 2010-07-09T03:56:16-04:00
title Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.
version 23
redhat via4
advisories
bugzilla
id 214640
title CVE-2006-5794 OpenSSH privilege separation flaw
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhsa:tst:20060015001
    • OR
      • AND
        • comment openssh is earlier than 0:3.6.1p2-33.30.13
          oval oval:com.redhat.rhsa:tst:20060738002
        • comment openssh is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060697003
      • AND
        • comment openssh-askpass is earlier than 0:3.6.1p2-33.30.13
          oval oval:com.redhat.rhsa:tst:20060738010
        • comment openssh-askpass is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060697011
      • AND
        • comment openssh-askpass-gnome is earlier than 0:3.6.1p2-33.30.13
          oval oval:com.redhat.rhsa:tst:20060738008
        • comment openssh-askpass-gnome is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060697009
      • AND
        • comment openssh-clients is earlier than 0:3.6.1p2-33.30.13
          oval oval:com.redhat.rhsa:tst:20060738004
        • comment openssh-clients is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060697005
      • AND
        • comment openssh-server is earlier than 0:3.6.1p2-33.30.13
          oval oval:com.redhat.rhsa:tst:20060738006
        • comment openssh-server is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060697007
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • OR
      • AND
        • comment openssh is earlier than 0:3.9p1-8.RHEL4.17.1
          oval oval:com.redhat.rhsa:tst:20060738013
        • comment openssh is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060697003
      • AND
        • comment openssh-askpass is earlier than 0:3.9p1-8.RHEL4.17.1
          oval oval:com.redhat.rhsa:tst:20060738017
        • comment openssh-askpass is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060697011
      • AND
        • comment openssh-askpass-gnome is earlier than 0:3.9p1-8.RHEL4.17.1
          oval oval:com.redhat.rhsa:tst:20060738015
        • comment openssh-askpass-gnome is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060697009
      • AND
        • comment openssh-clients is earlier than 0:3.9p1-8.RHEL4.17.1
          oval oval:com.redhat.rhsa:tst:20060738016
        • comment openssh-clients is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060697005
      • AND
        • comment openssh-server is earlier than 0:3.9p1-8.RHEL4.17.1
          oval oval:com.redhat.rhsa:tst:20060738014
        • comment openssh-server is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060697007
rhsa
id RHSA-2006:0738
released 2006-11-15
severity Low
title RHSA-2006:0738: openssh security update (Low)
rpms
  • openssh-0:3.6.1p2-33.30.13
  • openssh-askpass-0:3.6.1p2-33.30.13
  • openssh-askpass-gnome-0:3.6.1p2-33.30.13
  • openssh-clients-0:3.6.1p2-33.30.13
  • openssh-server-0:3.6.1p2-33.30.13
  • openssh-0:3.9p1-8.RHEL4.17.1
  • openssh-askpass-0:3.9p1-8.RHEL4.17.1
  • openssh-askpass-gnome-0:3.9p1-8.RHEL4.17.1
  • openssh-clients-0:3.9p1-8.RHEL4.17.1
  • openssh-server-0:3.9p1-8.RHEL4.17.1
refmap via4
bid 20956
bugtraq 20061109 rPSA-2006-0207-1 openssh openssh-client openssh-server
confirm
mandriva MDKSA-2006:204
openpkg OpenPKG-SA-2006.032
sectrack 1017183
secunia
  • 22771
  • 22772
  • 22773
  • 22778
  • 22814
  • 22872
  • 22932
  • 23513
  • 23680
  • 24055
sgi 20061201-01-P
suse SUSE-SR:2006:026
vupen
  • ADV-2006-4399
  • ADV-2006-4400
xf openssh-separation-verificaton-weakness(30120)
statements via4
contributor Joshua Bressers
lastmodified 2009-09-24
organization Red Hat
statement This issue did not affect Red Hat Enterprise Linux 2.1. This issue was addressed in Red Hat Enterprise Linux 3 and 4 via https://rhn.redhat.com/errata/RHSA-2006-0738.html . Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 07-03-2011 - 21:43
Published 08-11-2006 - 15:07
Last modified 17-10-2018 - 17:45