
DOE-CIRC TECHNICAL BULLETIN

T-243: Red Hat Enterprise Linux OpenSSH 'ChrootDirectory' Option Local Privilege Escalation Vulnerability

[CVE-2009-2904]

October 1, 2009 14:00 GMT

PROBLEM: A vulnerability was reported in OpenSSH on Red Hat Enterprise Linux. A remote authenticated user can obtain elevated privileges on the target system.
PLATFORM: Red Hat Enterprise Linux (v. 5 server); Red Hat Enterprise Linux Desktop (v. 5 client); Red Hat Enterprise Linux EUS (v. 5.4.z server)
ABSTRACT: The Red Hat openssh patch described in Red Hat Advisory RHSA-2009:1287 modified the ownership requirements for directories used as arguments to the ChrootDirectory configuration option. A remote authenticated user who has, or previously had, non-chroot shell access can run arbitrary commands with arbitrary privileges.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-243.shtml
  OTHER LINKS:
    Security Focus: http://www.securityfocus.com/bid/36552/info
    Security Tracker: http://www.securitytracker.com/alerts/2009/Sep/1022967.html
  CVE: CVE-2009-2904

IMPACT ASSESSMENT: This risk is medium. A remote authenticated user can obtain elevated privileges on the target system.

[***** Start CVE-2009-2904 *****]
Discussion:
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client and
server.

A Red Hat specific patch used in the openssh packages as shipped in Red
Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership
requirements for directories used as arguments for the ChrootDirectory
configuration options. A malicious user that also has or previously had
non-chroot shell access to a system could possibly use this flaw to
escalate their privileges and run commands as any system user.
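
An added example (not part of the bulletin, nor Red Hat or OpenSSH code): the sshd_config(5) manual requires every component of a ChrootDirectory path to be a root-owned directory that no other user or group can write to, which is the requirement the Red Hat patch loosened. The Python below audits configured paths against that strict rule; the sample configuration and the function names are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample input, not taken from the bulletin.
SAMPLE_CONFIG = """\
Match Group sftponly
    ChrootDirectory /srv/sftp
    ForceCommand internal-sftp
"""

def parse_chroot_dirs(config_text):
    """Return every ChrootDirectory argument, global or inside Match blocks."""
    dirs = []
    for line in config_text.splitlines():
        # Commented-out lines start with '#' and therefore never match.
        m = re.match(r"\s*chrootdirectory(?:\s*=\s*|\s+)(.+?)\s*$", line, re.I)
        if m and m.group(1).strip('"').lower() != "none":
            dirs.append(m.group(1).strip('"'))
    return dirs

def audit_chroot_path(path, stat_fn=os.stat):
    """Return (component, problem) pairs for every component from / to path."""
    if "%" in path:  # %h / %u tokens must be expanded per user first
        return [(path, "contains %-tokens; expand per user before auditing")]
    components, current = ["/"], "/"
    for part in os.path.normpath(path).strip("/").split("/"):
        if part:
            current = os.path.join(current, part)
            components.append(current)
    problems = []
    for comp in components:
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, "cannot stat: %s" % exc.strerror))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & 0o022:
            problems.append((comp, "group- or world-writable"))
    return problems

if __name__ == "__main__":
    for d in parse_chroot_dirs(SAMPLE_CONFIG):
        print(d, audit_chroot_path(d) or "ok")
```

Run it against the real /etc/ssh/sshd_config on hosts that have not yet received the updated packages; any reported component is a directory a non-root user controls along the chroot path.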

Solution:
The vendor has released a patch to resolve this issue.  See below for details.

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
openssh-4.3p2-36.el5_4.2.src.rpm		    ff14a4ab0ae5ad7ffdddef280c323d88
 
IA-32:
openssh-4.3p2-36.el5_4.2.i386.rpm 	    	    c4f9f9a8850bba515c94e07c90e0a6b6

openssh-askpass-4.3p2-36.el5_4.2.i386.rpm 	    cadce6d50d8243e6e9e984ab0e25e970

openssh-clients-4.3p2-36.el5_4.2.i386.rpm 	    5e852bbb05c7a5c3c3384666401b9f75

openssh-server-4.3p2-36.el5_4.2.i386.rpm 	    3f8dbf62305e07513bb5e303faf30930
 
IA-64:
openssh-4.3p2-36.el5_4.2.ia64.rpm		    db1b730c842bffa66d225391e0a3a288

openssh-askpass-4.3p2-36.el5_4.2.ia64.rpm 	    ed2d15b5c5c2585bb1c55255887fb505

openssh-clients-4.3p2-36.el5_4.2.ia64.rpm 	    f38174b2adf224273550d29911c3e311

openssh-server-4.3p2-36.el5_4.2.ia64.rpm 	    aa6a156e4c1f1a203043961ff2fdf588
 
PPC:
openssh-4.3p2-36.el5_4.2.ppc.rpm		    1b0ad6a5b4084db5611fa59997adace1

openssh-askpass-4.3p2-36.el5_4.2.ppc.rpm 	    849d9d34593e64607d8828b3d94512b8

openssh-clients-4.3p2-36.el5_4.2.ppc.rpm 	    55ec7577db379a69d18ee6f2dd6aac0c

openssh-server-4.3p2-36.el5_4.2.ppc.rpm 	    9bbb25b2625e7cc69d127e4d67fcd0b8
 
s390x:
openssh-4.3p2-36.el5_4.2.s390x.rpm		    911fe40f6bbf61ea91c134ad69311ceb

openssh-askpass-4.3p2-36.el5_4.2.s390x.rpm 	    fc21e3d50ae36de48e6c9075eecc62f9

openssh-clients-4.3p2-36.el5_4.2.s390x.rpm 	    17ab5e824eac23f811b1ab1a8e8a4283

openssh-server-4.3p2-36.el5_4.2.s390x.rpm 	    ba6b3eacacee3cbe54d5eec9e39115e2
 
x86_64:
openssh-4.3p2-36.el5_4.2.x86_64.rpm		    a5c6d4af3030d48c88a02418cbfa81b9

openssh-askpass-4.3p2-36.el5_4.2.x86_64.rpm 	    0b56f6c35f610c4105d030ef424b6f33

openssh-clients-4.3p2-36.el5_4.2.x86_64.rpm 	    8ef442b49c8228ca38bc53ad8cc35b05

openssh-server-4.3p2-36.el5_4.2.x86_64.rpm 	    0a3ed69d32a387b07b549925e1f50601

 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
openssh-4.3p2-36.el5_4.2.src.rpm		    ff14a4ab0ae5ad7ffdddef280c323d88
 
IA-32:
openssh-4.3p2-36.el5_4.2.i386.rpm		    c4f9f9a8850bba515c94e07c90e0a6b6

openssh-askpass-4.3p2-36.el5_4.2.i386.rpm 	    cadce6d50d8243e6e9e984ab0e25e970

openssh-clients-4.3p2-36.el5_4.2.i386.rpm 	    5e852bbb05c7a5c3c3384666401b9f75

openssh-server-4.3p2-36.el5_4.2.i386.rpm 	    3f8dbf62305e07513bb5e303faf30930
 
x86_64:
openssh-4.3p2-36.el5_4.2.x86_64.rpm		    a5c6d4af3030d48c88a02418cbfa81b9

openssh-askpass-4.3p2-36.el5_4.2.x86_64.rpm 	    0b56f6c35f610c4105d030ef424b6f33

openssh-clients-4.3p2-36.el5_4.2.x86_64.rpm 	    8ef442b49c8228ca38bc53ad8cc35b05

openssh-server-4.3p2-36.el5_4.2.x86_64.rpm 	    0a3ed69d32a387b07b549925e1f50601


 
Red Hat Enterprise Linux EUS (v. 5.4.z server)

SRPMS:
openssh-4.3p2-36.el5_4.2.src.rpm		    ff14a4ab0ae5ad7ffdddef280c323d88
 
IA-32:
openssh-4.3p2-36.el5_4.2.i386.rpm		    c4f9f9a8850bba515c94e07c90e0a6b6

openssh-askpass-4.3p2-36.el5_4.2.i386.rpm 	    cadce6d50d8243e6e9e984ab0e25e970

openssh-clients-4.3p2-36.el5_4.2.i386.rpm 	    5e852bbb05c7a5c3c3384666401b9f75

openssh-server-4.3p2-36.el5_4.2.i386.rpm 	    3f8dbf62305e07513bb5e303faf30930
 
IA-64:
openssh-4.3p2-36.el5_4.2.ia64.rpm		    db1b730c842bffa66d225391e0a3a288

openssh-askpass-4.3p2-36.el5_4.2.ia64.rpm 	    ed2d15b5c5c2585bb1c55255887fb505

openssh-clients-4.3p2-36.el5_4.2.ia64.rpm 	    f38174b2adf224273550d29911c3e311

openssh-server-4.3p2-36.el5_4.2.ia64.rpm 	    aa6a156e4c1f1a203043961ff2fdf588
 
PPC:
openssh-4.3p2-36.el5_4.2.ppc.rpm		    1b0ad6a5b4084db5611fa59997adace1

openssh-askpass-4.3p2-36.el5_4.2.ppc.rpm 	    849d9d34593e64607d8828b3d94512b8

openssh-clients-4.3p2-36.el5_4.2.ppc.rpm 	    55ec7577db379a69d18ee6f2dd6aac0c

openssh-server-4.3p2-36.el5_4.2.ppc.rpm 	    9bbb25b2625e7cc69d127e4d67fcd0b8
 
s390x:
openssh-4.3p2-36.el5_4.2.s390x.rpm		    911fe40f6bbf61ea91c134ad69311ceb

openssh-askpass-4.3p2-36.el5_4.2.s390x.rpm 	    fc21e3d50ae36de48e6c9075eecc62f9

openssh-clients-4.3p2-36.el5_4.2.s390x.rpm 	    17ab5e824eac23f811b1ab1a8e8a4283

openssh-server-4.3p2-36.el5_4.2.s390x.rpm 	    ba6b3eacacee3cbe54d5eec9e39115e2
 
x86_64:
openssh-4.3p2-36.el5_4.2.x86_64.rpm		    a5c6d4af3030d48c88a02418cbfa81b9

openssh-askpass-4.3p2-36.el5_4.2.x86_64.rpm 	    0b56f6c35f610c4105d030ef424b6f33

openssh-clients-4.3p2-36.el5_4.2.x86_64.rpm 	    8ef442b49c8228ca38bc53ad8cc35b05

openssh-server-4.3p2-36.el5_4.2.x86_64.rpm 	    0a3ed69d32a387b07b549925e1f50601
 

The packages above are available at the Red Hat Network:
http://rhn.redhat.com/

[***** End CVE-2009-2904 *****]

DOE-CIRC wishes to acknowledge the contributions of for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788