ID CVE-2009-2904
Summary A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
References
Vulnerable Configurations
  • cpe:2.3:a:openbsd:openssh:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openbsd:openssh:4.8:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:5:*:server:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:5:*:client:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_eus:5:*:*:*:*:*:*:*
CVSS
Base: 6.9 (as of 19-09-2017 - 01:29)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
  • Vector LOCAL
  • Complexity MEDIUM
  • Authentication NONE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
cvss-vector via4 AV:L/AC:M/Au:N/C:C/I:C/A:C
oval via4
accepted 2013-04-29T04:22:51.644-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
family unix
id oval:org.mitre.oval:def:9862
status accepted
submitted 2010-07-09T03:56:16-04:00
title A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
version 18
redhat via4
advisories
bugzilla
id 522141
title CVE-2009-2904 openssh: possible privilege escalation when using ChrootDirectory setting
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhba:tst:20070331001
  • OR
    • AND
      • comment openssh is earlier than 0:4.3p2-36.el5_4.2
        oval oval:com.redhat.rhsa:tst:20091470002
      • comment openssh is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070540003
    • AND
      • comment openssh-askpass is earlier than 0:4.3p2-36.el5_4.2
        oval oval:com.redhat.rhsa:tst:20091470006
      • comment openssh-askpass is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070540009
    • AND
      • comment openssh-clients is earlier than 0:4.3p2-36.el5_4.2
        oval oval:com.redhat.rhsa:tst:20091470004
      • comment openssh-clients is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070540007
    • AND
      • comment openssh-server is earlier than 0:4.3p2-36.el5_4.2
        oval oval:com.redhat.rhsa:tst:20091470008
      • comment openssh-server is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070540005
rhsa
id RHSA-2009:1470
released 2009-09-30
severity Moderate
title RHSA-2009:1470: openssh security update (Moderate)
rpms
  • openssh-0:4.3p2-36.el5_4.2
  • openssh-askpass-0:4.3p2-36.el5_4.2
  • openssh-clients-0:4.3p2-36.el5_4.2
  • openssh-server-0:4.3p2-36.el5_4.2
refmap via4
bid 36552
confirm https://bugzilla.redhat.com/show_bug.cgi?id=522141
fedora FEDORA-2010-5429
mlist [security-announce] 20100303 VMSA-2010-0004 ESX Service Console and vMA third party updates
osvdb 58495
secunia
  • 38794
  • 38834
  • 39182
vupen ADV-2010-0528
Last major update 19-09-2017 - 01:29
Published 01-10-2009 - 15:30