ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.

From Red Hat Security Advisory 2008:0855 :

Updated openssh packages are now available for Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, and Red Hat Enterprise Linux 4.5 Extended Update Support.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html

To reiterate, our processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk.

These packages also fix a low severity flaw in the way ssh handles X11 cookies when creating X11 forwarding connections. When ssh was unable to create untrusted cookie, ssh used a trusted cookie instead, possibly allowing the administrative user of a untrusted remote server, or untrusted application run on the remote server, to gain unintended access to a users local X server. (CVE-2007-4752)

These packages fix a low severity flaw in the way ssh handles X11 cookies when creating X11 forwarding connections. When ssh was unable to create untrusted cookie, ssh used a trusted cookie instead, possibly allowing the administrative user of a untrusted remote server, or untrusted application run on the remote server, to gain unintended access to a users local X server. (CVE-2007-4752)

To address concerns about these, and past openssh packages, we have done an intensive review of the source rpm's of these, and past openssh packages. Our conclusion is that these, and past packages have NOT been compromised. Either at the source level, or the compiled binary level.

According to the banner, OpenSSH earlier than 4.7 is running on the remote host.  Such versions contain an authentication bypass vulnerability.  In the event that OpenSSH cannot create an untrusted cookie for X, for example due to the temporary partition being full, it will use a trusted cookie instead.  This allows attackers to violate intended policy and gain privileges by causing their X client to be treated as trusted.

The version of SunSSH running on the remote host has an information disclosure vulnerability.  A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration.  An attacker could exploit this to gain access to sensitive information.

Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.

Updated openssh packages are now available for Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, and Red Hat Enterprise Linux 4.5 Extended Update Support.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html

To reiterate, our processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk.

These packages also fix a low severity flaw in the way ssh handles X11 cookies when creating X11 forwarding connections. When ssh was unable to create untrusted cookie, ssh used a trusted cookie instead, possibly allowing the administrative user of a untrusted remote server, or untrusted application run on the remote server, to gain unintended access to a users local X server. (CVE-2007-4752)

- This update fixes a bug in ssh's cookie handling code.
    It does not properly handle the situation when an     untrusted cookie cannot be created and uses a trusted     X11 cookie instead. This allows attackers to violate the     intended policy and gain privileges by causing an X     client to be treated as trusted. (CVE-2007-4752)

  - Additionally this update fixes a bug introduced with the     last security update for openssh. When the SSH daemon     wrote to stderr (for instance, to warn about the     presence of a deprecated option like     PAMAuthenticationViaKbdInt in its configuration file),     SIGALRM was blocked for SSH sessions. This resulted in     problems with processes which rely on SIGALRM, such as     ntpdate.

The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-002 applied. 

This update contains several security fixes for a number of programs.

Jan Pechanec discovered that ssh would forward trusted X11 cookies when untrusted cookie generation failed. This could lead to unintended privileges being forwarded to a remote host.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes a bug in ssh's cookie handling code. It does not properly handle the situation when an untrusted cookie cannot be created and uses a trusted X11 cookie instead. This allows attackers to violate the intended policy and gain privileges by causing an X client to be treated as trusted. (CVE-2007-4752) Additionally this update fixes a bug introduced with the last security update for openssh. When the SSH daemon wrote to stderr (for instance, to warn about the presence of a deprecated option like PAMAuthenticationViaKbdInt in its configuration file), SIGALRM was blocked for SSH sessions. This resulted in problems with processes which rely on SIGALRM, such as ntpdate.

A flaw in OpenSSH prior to 4.7 prevented ssh from properly handling when an untrusted cookie could not be created and used a trusted X11 cookie instead, which could allow attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.

The updated packages have been patched to correct these issue.

The remote host is affected by the vulnerability described in GLSA-200711-02 (OpenSSH: Security bypass)

    Jan Pechanec discovered that OpenSSH uses a trusted X11 cookie when it     cannot create an untrusted one.
  Impact :

    An attacker could bypass the SSH client security policy and gain     privileges by causing an X client to be treated as trusted.
  Workaround :

    There is no known workaround at this time.

- Tue Oct 2 2007 Tomas Mraz <tmraz at redhat.com> -     4.3p2-25

    - do not fall back on trusted X11 cookies       (CVE-2007-4752) (#280471)

    - Fri Jul 13 2007 Tomas Mraz <tmraz at redhat.com> -       4.3p2-24

    - fixed audit log injection problem (CVE-2007-3102)       (#248059)

    - Thu Jun 21 2007 Tomas Mraz <tmraz at redhat.com> -       4.3p2-23

    - document where the nss certificate and token dbs are       looked for

    - Wed Jun 20 2007 Tomas Mraz <tmraz at redhat.com> -       4.3p2-22

    - experimental support for PKCS#11 tokens through       libnss3 (#183423)

    - Tue Apr 3 2007 Tomas Mraz <tmraz at redhat.com> -       4.3p2-21

    - correctly setup context when empty level requested       (#234951)

    - and always request default level as returned by       getseuserbyname (#231695)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0 to fix a possible security issue. This version should also provide increased performance with certain ciphers.

The remote host is running a version of OpenSSH prior to 4.7 is affected by an authentication bypass vulnerability. In the event that OpenSSH cannot create an untrusted cookie for X, for example due to the temporary partition being full, it will use a trusted cookie instead. This allows attackers to violate intended policy and gain privileges by causing their X client to be treated as trusted.

ID	Name	Product	Family	Severity
67742	Oracle Linux 4 / 5 : openssh (ELSA-2008-0855)	Nessus	Oracle Linux Local Security Checks	high
60467	Scientific Linux Security Update : openssh on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
44078	OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass	Nessus	Misc.	high
55992	SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure	Nessus	Misc.	critical
43708	CentOS 4 / 5 : openssh (CESA-2008:0855)	Nessus	CentOS Local Security Checks	high
41158	SuSE9 Security Update : OpenSSH (YOU Patch Number 11931)	Nessus	SuSE Local Security Checks	high
34034	RHEL 4 / 5 : openssh (RHSA-2008:0855)	Nessus	Red Hat Local Security Checks	high
31605	Mac OS X Multiple Vulnerabilities (Security Update 2008-002)	Nessus	MacOS X Local Security Checks	critical
29922	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : openssh vulnerability (USN-566-1)	Nessus	Ubuntu Local Security Checks	high
29540	SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 4580)	Nessus	SuSE Local Security Checks	high
29233	Mandrake Linux Security Advisory : openssh (MDKSA-2007:236)	Nessus	Mandriva Local Security Checks	high
27612	GLSA-200711-02 : OpenSSH: Security bypass	Nessus	Gentoo Local Security Checks	high
27589	openSUSE 10 Security Update : openssh (openssh-4579)	Nessus	SuSE Local Security Checks	high
27058	Fedora Core 6 : openssh-4.3p2-25.fc6 (2007-715)	Nessus	Fedora Local Security Checks	high
26053	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 8.1 / 9.0 / 9.1 : openssh (SSA:2007-255-01)	Nessus	Slackware Local Security Checks	high
4209	OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass	Nessus Network Monitor	SSH	high

Detections

Analytics

CVE-2007-4752

critical

Tenable Plugins

high

high

high

critical

high

high

high

critical

high

high

high

high

high

high

high

high