ID CVE-2009-2904
Summary A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
References
Vulnerable Configurations
  • OpenBSD OpenSSH 4.8
    cpe:2.3:a:openbsd:openssh:4.8
  • OpenBSD OpenSSH 4.3
    cpe:2.3:a:openbsd:openssh:4.3
  • Red Hat Enterprise Linux Desktop 5 (Client)
    cpe:2.3:o:redhat:enterprise_linux_desktop:5:-:client
  • Red Hat Enterprise Linux 5 (EUS)
    cpe:2.3:o:redhat:enterprise_linux_eus:5
  • Red Hat Enterprise Linux 5 (Server)
    cpe:2.3:o:redhat:enterprise_linux:5:-:server
  • Fedora 11
    cpe:2.3:o:fedoraproject:fedora:11
CVSS
Base: 6.9 (as of 08-08-2014 - 16:55)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
  • Vector: LOCAL
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1470.NASL
    description Updated openssh packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. A Red Hat specific patch used in the openssh packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership requirements for directories used as arguments for the ChrootDirectory configuration options. A malicious user that also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. (CVE-2009-2904) All OpenSSH users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43797
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43797
    title CentOS 5 : openssh (CESA-2009:1470)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1470.NASL
    description From Red Hat Security Advisory 2009:1470 : Updated openssh packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. A Red Hat specific patch used in the openssh packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership requirements for directories used as arguments for the ChrootDirectory configuration options. A malicious user that also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. (CVE-2009-2904) All OpenSSH users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67933
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67933
    title Oracle Linux 5 : openssh (ELSA-2009-1470)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1470.NASL
    description Updated openssh packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. A Red Hat specific patch used in the openssh packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership requirements for directories used as arguments for the ChrootDirectory configuration options. A malicious user that also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. (CVE-2009-2904) All OpenSSH users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 41951
    published 2009-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41951
    title RHEL 5 : openssh (RHSA-2009:1470)
  • NASL family Misc.
    NASL id OPENSSH_RHEL_43.NASL
    description According to its banner, the version of OpenSSH running on the remote host may have a privilege escalation vulnerability. OpenSSH on Red Hat Enterprise Linux 5, Fedora 11, and possibly other platforms use an insecure implementation of the 'ChrootDirectory' configuration setting, which could allow privilege escalation. Upstream OpenSSH is not affected. The fix for this issue does not change the version in the OpenSSH banner, so this may be a false positive.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 17706
    published 2011-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17706
    title Red Hat Enterprise Linux OpenSSH ChrootDirectory Local Privilege Escalation
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL15156.NASL
    description A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership. (CVE-2009-2904)
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 78162
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78162
    title F5 Networks BIG-IP : OpenSSH vulnerability (SOL15156)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090930_OPENSSH_ON_SL5_X.NASL
    description A Red Hat specific patch used in the openssh packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership requirements for directories used as arguments for the ChrootDirectory configuration options. A malicious user that also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. (CVE-2009-2904) After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60671
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60671
    title Scientific Linux Security Update : openssh on SL5.x i386/x86_64
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2010-0004_REMOTE.NASL
    description The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries: bind, expat, glib2, Kernel, newt, nfs-utils, NTP, OpenSSH, OpenSSL.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 89737
    published 2016-03-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89737
    title VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2010-0004) (remote check)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-5429.NASL
    description Rollback chroot patch. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 47388
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47388
    title Fedora 11 : openssh-5.2p1-6.fc11 (2010-5429)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2010-0004.NASL
    description
      a. vMA and Service Console update for newt to 0.52.2-12.el5_4.1. Newt is a programming library for color text mode, widget based user interfaces. Newt can be used to add stacked windows, entry widgets, checkboxes, radio buttons, labels, plain text fields, scrollbars, etc., to text mode user interfaces. A heap-based buffer overflow flaw was found in the way newt processes content that is to be displayed in a text dialog box. A local attacker could issue a specially crafted text dialog box display request (direct or via a custom application), leading to a denial of service (application crash) or, potentially, arbitrary code execution with the privileges of the user running the application using the newt library. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2905 to this issue.
      b. vMA and Service Console update for vMA package nfs-utils to 1.0.9-42.el5. The nfs-utils package provides a daemon for the kernel NFS server and related tools. It was discovered that nfs-utils did not use tcp_wrappers correctly. Certain hosts access rules defined in '/etc/hosts.allow' and '/etc/hosts.deny' may not have been honored, possibly allowing remote attackers to bypass intended access restrictions. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4552 to this issue.
      c. vMA and Service Console package glib2 updated to 2.12.3-4.el5_3.1. GLib is the low-level core library that forms the basis for projects such as GTK+ and GNOME. It provides data structure handling for C, portability wrappers, and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system. Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow context-dependent attackers to execute arbitrary code via a long string that is converted either from or to a base64 representation. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4316 to this issue.
      d. vMA and Service Console update for openssl to 0.9.8e-12.el5. OpenSSL is a toolkit implementing SSL v2/v3 and TLS protocols with full-strength cryptography world-wide. Multiple denial of service flaws were discovered in OpenSSL's DTLS implementation. A remote attacker could use these flaws to cause a DTLS server to use excessive amounts of memory, or crash on an invalid memory access or NULL pointer dereference. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386, CVE-2009-1387 to these issues. An input validation flaw was found in the handling of the BMPString and UniversalString ASN1 string types in OpenSSL's ASN1_STRING_print_ex() function. An attacker could use this flaw to create a specially crafted X.509 certificate that could cause applications using the affected function to crash when printing certificate contents. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0590 to this issue.
      e. vMA and Service Console package bind updated to 9.3.6-4.P1.el5_4.1. It was discovered that BIND was incorrectly caching responses without performing proper DNSSEC validation, when those responses were received during the resolution of a recursive client query that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-4022 to this issue.
      f. vMA and Service Console package expat updated to 1.95.8-8.3.el5_4.2. Two buffer over-read flaws were found in the way Expat handled malformed UTF-8 sequences when processing XML files. A specially-crafted XML file could cause applications using Expat to fail while parsing the file. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2009-3560 and CVE-2009-3720 to these issues.
      g. vMA and Service Console package openssh update to 4.3p2-36.el5_4.2. A Red Hat specific patch used in the openssh packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership requirements for directories used as arguments for the ChrootDirectory configuration options. A malicious user that also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2904 to this issue.
      h. vMA and Service Console package ntp updated to ntp-4.2.2p1-9.el5_4.1.i386.rpm. A flaw was discovered in the way ntpd handled certain malformed NTP packets. ntpd logged information about all such packets and replied with an NTP packet that was treated as malformed when received by another ntpd. A remote attacker could use this flaw to create an NTP packet reply loop between two ntpd servers through a malformed packet with a spoofed source IP address and port, causing ntpd on those servers to use excessive amounts of CPU time and fill disk space with log messages. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-3563 to this issue.
      i. vMA update for package kernel to 2.6.18-164.9.1.el5. Updated vMA package kernel addresses the security issues listed below. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2849 to the security issue fixed in kernel 2.6.18-128.2.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228, CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues fixed in kernel 2.6.18-128.6.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621, CVE-2009-3726 to the security issues fixed in kernel 2.6.18-128.9.1.
      j. vMA 4.0 updates for the packages kpartx, libvolume-id, device-mapper-multipath, fipscheck, dbus, dbus-libs, and ed. kpartx updated to 0.4.7-23.el5_3.4, libvolume-id updated to 095-14.20.el5, device-mapper-multipath package updated to 0.4.7-23.el5_3.4, fipscheck updated to 1.0.3-1.el5, dbus updated to 1.1.2-12.el5, dbus-libs updated to 1.1.2-12.el5, and ed package updated to 0.2-39.el5_2. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2008-3916, CVE-2009-1189 and CVE-2009-0115 to these issues.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 44993
    published 2010-03-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44993
    title VMSA-2010-0004 : ESX Service Console and vMA third-party updates
oval via4
accepted 2013-04-29T04:22:51.644-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
family unix
id oval:org.mitre.oval:def:9862
status accepted
submitted 2010-07-09T03:56:16-04:00
title A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
version 18
redhat via4
advisories
bugzilla
id 522141
title CVE-2009-2904 openssh: possible privilege escalation when using ChrootDirectory setting
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhba:tst:20070331001
  • OR
    • AND
      • comment openssh is earlier than 0:4.3p2-36.el5_4.2
        oval oval:com.redhat.rhsa:tst:20091470002
      • comment openssh is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070540003
    • AND
      • comment openssh-askpass is earlier than 0:4.3p2-36.el5_4.2
        oval oval:com.redhat.rhsa:tst:20091470006
      • comment openssh-askpass is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070540009
    • AND
      • comment openssh-clients is earlier than 0:4.3p2-36.el5_4.2
        oval oval:com.redhat.rhsa:tst:20091470004
      • comment openssh-clients is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070540007
    • AND
      • comment openssh-server is earlier than 0:4.3p2-36.el5_4.2
        oval oval:com.redhat.rhsa:tst:20091470008
      • comment openssh-server is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070540005
rhsa
id RHSA-2009:1470
released 2009-09-30
severity Moderate
title RHSA-2009:1470: openssh security update (Moderate)
rpms
  • openssh-0:4.3p2-36.el5_4.2
  • openssh-askpass-0:4.3p2-36.el5_4.2
  • openssh-clients-0:4.3p2-36.el5_4.2
  • openssh-server-0:4.3p2-36.el5_4.2
refmap via4
bid 36552
confirm https://bugzilla.redhat.com/show_bug.cgi?id=522141
fedora FEDORA-2010-5429
mlist [security-announce] 20100303 VMSA-2010-0004 ESX Service Console and vMA third party updates
osvdb 58495
secunia
  • 38794
  • 38834
  • 39182
vupen ADV-2010-0528
Last major update 08-08-2014 - 16:55
Published 01-10-2009 - 11:30
Last modified 18-09-2017 - 21:29