OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.

The version of OpenSSH running on the remote host is affected by the following vulnerabilities :

  - OpenSSH 4.3p2, and probably other versions, allows local     users to hijack forwarded X connections by causing ssh     to set DISPLAY to :10, even when another process is     listening on the associated port, as demonstrated by     opening TCP port 6010 (IPv4) and sniffing a cookie sent     by Emacs. (CVE-2008-1483)

  - OpenSSH before 4.9 allows remote authenticated users to     bypass the sshd_config ForceCommand directive by     modifying the .ssh/rc session file. (CVE-2008-1657)

According to its banner, the version of OpenSSH installed on the remote host is earlier than 4.9.  It may allow a remote, authenticated user to bypass the 'sshd_config' 'ForceCommand' directive by modifying the '.ssh/rc' session file.

The version of SunSSH running on the remote host has an information disclosure vulnerability.  A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration.  An attacker could exploit this to gain access to sensitive information.

Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.

It was discovered that the ForceCommand directive could be bypassed.
If a local user created a malicious ~/.ssh/rc file, they could execute arbitrary commands as their user id. This only affected Ubuntu 7.10.
(CVE-2008-1657)

USN-355-1 fixed vulnerabilities in OpenSSH. It was discovered that the fixes for this issue were incomplete. A remote attacker could attempt multiple logins, filling all available connection slots, leading to a denial of service. This only affected Ubuntu 6.06 and 7.04.
(CVE-2008-4109).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability in OpenSSH 4.4 through 4.8 allowed local attackers to bypass intended security restrictions enabling them to execute commands other than those specified by the ForceCommand directive, provided they are able to modify to ~/.ssh/rc (CVE-2008-1657).

The updated packages have been patched to correct this issue.

The remote host is running a version of Mac OS X 10.5 that is older than version 10.5.5.  Mac OS X 10.5.5 contains security fixes for a number of programs.

The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.5. 

Mac OS X 10.5.5 contains security fixes for a number of programs.

The remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-006 applied. 

This update contains security fixes for a number of programs.

The version of Attachmate Reflection for Secure IT UNIX Server installed on the remote host is lower than 7.0 SP1 and thus reportedly affected by several issues : 

  - There is an inherited vulnerability in OpenSSL when parsing malformed ASN.1 structures leading to a denial of service vulnerability (CVE-2006-2937).
  - There is an inherited vulnerability in OpenSSL when parsing parasitic public keys leading to a denial of service vulnerability (CVE-2006-2940).
  - There is an inherited vulnerability in OpenSSL when performing Montgomery multiplication, leading to a side-channel attack vulnerability (CVE-2007-3108).
  - There is an inherited vulnerability in OpenSSH with the execution of the ~/.ssh2/rc session file (CVE-2008-1657).
  - There is an issue with the security of forwarded X11 connections, leading to possible hijacking. (CVE-2008-1483)
  - There are multiple unspecified other vulnerabilities.

The version of Attachmate Reflection for Secure IT UNIX server installed on the remote host is less than 7.0 SP1 and thus reportedly affected by several issues :

  - There is an inherited vulnerability in OpenSSL when     parsing malformed ASN.1 structures leading to a     denial of service vulnerability (CVE-2006-2937).

  - There is an inherited vulnerability in OpenSSL when     parsing parasitic public keys leading to a     denial of service vulnerability (CVE-2006-2940).

  - There is an inherited vulnerability in OpenSSL when     performing Montgomery multiplication, leading to a     side-channel attack vulnerability (CVE-2007-3108).

  - There is an inherited vulnerability in OpenSSH with the     execution of the ~/.ssh2/rc session file     (CVE-2008-1657).

  - There is an issue with the security of forwarded X11     connections, leading to possible hijacking.
    (CVE-2008-1483)

  - There are multiple unspecified other vulnerabilities.
    (CVE-2008-6021)

A flaw in the X forwarding code of openssh allowed malicious users to steal the X access credentials of other users (CVE-2008-1483).

Due to another flaw users could bypass the option 'ForceCommand' (CVE-2008-1657).

The remote host is affected by the vulnerability described in GLSA-200804-03 (OpenSSH: Privilege escalation)

    Two issues have been discovered in OpenSSH:
    Timo Juhani     Lindfors discovered that OpenSSH sets the DISPLAY variable in SSH     sessions using X11 forwarding even when it cannot bind the X11 server     to a local port in all address families (CVE-2008-1483).
    OpenSSH will execute the contents of the '.ssh/rc' file even when     the 'ForceCommand' directive is enabled in the global sshd_config     (CVE-2008-1657).
  Impact :

    A local attacker could exploit the first vulnerability to hijack     forwarded X11 sessions of other users and possibly execute code with     their privileges, disclose sensitive data or cause a Denial of Service,     by binding a local X11 server to a port using only one address family.
    The second vulnerability might allow local attackers to bypass intended     security restrictions and execute commands other than those specified     by 'ForceCommand' if they are able to write to their home directory.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
73565	AIX OpenSSH Advisory : ssh_advisory.asc	Nessus	AIX Local Security Checks	medium
44079	OpenSSH < 4.9 'ForceCommand' Directive Bypass	Nessus	Misc.	medium
55992	SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure	Nessus	Misc.	critical
36855	Ubuntu 6.06 LTS / 7.04 / 7.10 : openssh vulnerabilities (USN-649-1)	Nessus	Ubuntu Local Security Checks	high
36276	Mandriva Linux Security Advisory : openssh (MDVSA-2008:098)	Nessus	Mandriva Local Security Checks	medium
4682	Mac OS X < 10.5.5 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
34211	Mac OS X 10.5.x < 10.5.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
34210	Mac OS X Multiple Vulnerabilities (Security Update 2008-006)	Nessus	MacOS X Local Security Checks	critical
4632	Attachmate Reflection for Secure IT UNIX Server < 7.0 SP1 Multiple Vulnerabilities	Nessus Network Monitor	SSH	medium
33948	Attachmate Reflection for Secure IT UNIX server < 7.0 SP1 Multiple Vulnerabilities	Nessus	Misc.	critical
31843	openSUSE 10 Security Update : openssh (openssh-5149)	Nessus	SuSE Local Security Checks	medium
31834	GLSA-200804-03 : OpenSSH: Privilege escalation	Nessus	Gentoo Local Security Checks	medium

Detections

Analytics

CVE-2008-1657

medium

Tenable Plugins

medium

medium

critical

high

medium

critical

critical

critical

medium

critical

medium

medium