CVE-2004-2069
CVSS5.0
发布时间 :2004-12-31 00:00:00
修订时间 :2016-10-17 23:05:56
NMCOPS    

[原文]sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).


[CNNVD]OpenSSH LoginGraceTime远程拒绝服务漏洞(CNNVD-200412-892)

        
        OpenSSH是一种开放源码的SSH协议的实现,初始版本用于OpenBSD平台,现在已经被移植到多种Unix/Linux类操作系统下。
        OpenSSH服务器处理MaxStartups和LoginGraceTime配置变量的方式存在拒绝服务漏洞,远程攻击者可能利用此漏洞导致合法用户无法访问。
        sshd启动时LoginGraceTime为1分钟,使用了3个窗口初始化ssh客户端。在启动了2个客户端后sshd会等待一段没有输入口令的宽限期,在检查syslog.log时关闭连接。但是,如果发送了以下命令:
        #netstat -an|grep 22
        就会继续创建连接,允许第三个客户端连接到服务器。如果这种行为继续的话,能够连接的用户就会减少。
        SSH使用alarm/SIGALRM实现LoginGraceTime。如果使用权限分离的话,则在超时的时候特权进程会接收到alarm信号并退出;但是,非特权的sshd进程会继续保持连接,直到客户端发送某些数据或断开。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:openbsd:openssh:3.6.1p2OpenBSD OpenSSH 3.6.1 p2
cpe:/a:openbsd:openssh:3.7.1p2OpenBSD OpenSSH 3.7.1 p2

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:11541sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privile...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2069
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2069
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-892
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=openssh-unix-dev&m=107520317020444&w=2
(UNKNOWN)  MLIST  [openssh-unix-dev] 20040127 OpenSSH - Connection problem when LoginGraceTime exceeds time
http://marc.info/?l=openssh-unix-dev&m=107529205602320&w=2
(UNKNOWN)  MLIST  [openssh-unix-dev] 20040128 Re: OpenSSH - Connection problem when LoginGraceTime exceeds time
http://rhn.redhat.com/errata/RHSA-2005-550.html
(UNKNOWN)  REDHAT  RHSA-2005:550
http://support.avaya.com/elmodocs2/security/ASA-2005-216.pdf
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2005-216.pdf
http://support.avaya.com/elmodocs2/security/ASA-2005-223.pdf
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2005-223.pdf
http://www.securityfocus.com/archive/1/archive/1/425397/100/0/threaded
(UNKNOWN)  FEDORA  FLSA-2006:168935
http://www.securityfocus.com/archive/1/archive/1/451404/100/0/threaded
(UNKNOWN)  BUGTRAQ  20061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 4
http://www.securityfocus.com/archive/1/archive/1/451417/100/200/threaded
(UNKNOWN)  BUGTRAQ  20061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2
http://www.securityfocus.com/archive/1/archive/1/451426/100/200/threaded
(UNKNOWN)  BUGTRAQ  20061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2
http://www.securityfocus.com/bid/14963
(UNKNOWN)  BID  14963
http://www.vmware.com/download/esx/esx-202-200610-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/download/esx/esx-202-200610-patch.html
http://www.vmware.com/download/esx/esx-213-200610-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/download/esx/esx-213-200610-patch.html
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
http://www.vupen.com/english/advisories/2006/4502
(UNKNOWN)  VUPEN  ADV-2006-4502
http://xforce.iss.net/xforce/xfdb/20930
(UNKNOWN)  XF  openssh-sshdc-logingracetime-dos(20930)

- 漏洞信息

OpenSSH LoginGraceTime远程拒绝服务漏洞
中危 设计错误
2004-12-31 00:00:00 2006-03-28 00:00:00
远程  
        
        OpenSSH是一种开放源码的SSH协议的实现,初始版本用于OpenBSD平台,现在已经被移植到多种Unix/Linux类操作系统下。
        OpenSSH服务器处理MaxStartups和LoginGraceTime配置变量的方式存在拒绝服务漏洞,远程攻击者可能利用此漏洞导致合法用户无法访问。
        sshd启动时LoginGraceTime为1分钟,使用了3个窗口初始化ssh客户端。在启动了2个客户端后sshd会等待一段没有输入口令的宽限期,在检查syslog.log时关闭连接。但是,如果发送了以下命令:
        #netstat -an|grep 22
        就会继续创建连接,允许第三个客户端连接到服务器。如果这种行为继续的话,能够连接的用户就会减少。
        SSH使用alarm/SIGALRM实现LoginGraceTime。如果使用权限分离的话,则在超时的时候特权进程会接收到alarm信号并退出;但是,非特权的sshd进程会继续保持连接,直到客户端发送某些数据或断开。
        

- 公告与补丁

        厂商补丁:
        OpenSSH
        -------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.8.tgz
        RedHat
        ------
        RedHat已经为此发布了一个安全公告(RHSA-2005:550-01)以及相应补丁:
        RHSA-2005:550-01:Low: openssh security update
        链接:
        http://lwn.net/Alerts/153518/?format=printable

        VMWare
        ------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        
        http://www.vmware.com/download/esx/esx-253-200610-patch.html

        
        http://www.vmware.com/download/esx/esx-254-200610-patch.html

        
        http://www.vmware.com/download/esx/esx-213-200610-patch.html

        
        http://www.vmware.com/download/esx/esx-202-200610-patch.html

- 漏洞信息 (F52052)

VMware Security Advisory 2006-0008 (PacketStormID:F52052)
2006-11-14 00:00:00
VMware  vmware.com
advisory,vulnerability,python
CVE-2004-2069,CVE-2006-3403,CVE-2005-2177,CVE-2006-3467,CVE-2006-1056,CVE-2006-1342,CVE-2006-1343,CVE-2006-1864,CVE-2006-2071
[点击下载]

VMware Security Advisory - A new update has been released for VMware ESX 2.0.2 versions prior to upgrade patch 2. This patch addresses vulnerabilities in Openssh, samba, Python, ucd-snmp, XFree86, and more.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2006-0008
Synopsis:          VMware ESX Server 2.0.2 Upgrade Patch 2
Patch URL: http://www.vmware.com/download/esx/esx-202-200610-patch.html
Issue date:        2006-10-31
Updated on:        2006-11-13
CVE Names:         CAN-2004-2069 CVE-2006-3403 CVE-2005-2177
                   CVE-2006-3467 CVE-2006-1342 CVE-2006-1343
                   CVE-2006-1864 CVE-2006-2071
- - -------------------------------------------------------------------

1. Summary:

Updated package addresses several security issues.

2. Relevant releases:

VMware ESX 2.0.2 prior to upgrade patch 2

3. Problem description:

This patch addresses the following security issues:

Openssh -- A bug was found in the way the OpenSSH server handled the
MaxStartups and LoginGraceTime configuration variables. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CAN-2004-2069 to this issue.

samba -- A denial of service bug was found in the way the smbd daemon
tracks active connections to shares. It was possible for a remote
attacker to cause the smbd daemon to consume a large amount of system
memory by sending carefully crafted smb requests. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CVE-2006-3403 to this issue.

Python -- An integer overflow flaw was found in Python's PCRE library
that could be triggered by a maliciously crafted regular expression. On
systems that accept arbitrary regular expressions from untrusted users,
this could be exploited to execute arbitrary code with the privileges of
the application using the library. The Common Vulnerabilities and
Exposures project (cve.mitre.org) assigned the name CVE-2005-2491 to
this issue.

ucd-snmp -- A denial of service bug was found in the way ucd-snmp uses
network stream protocols. A remote attacker could send a ucd-snmp agent
a specially crafted packet which will cause the agent to crash. The
Common Vulnerabilities and Exposures project (cve.mitre.org) assigned
the name CAN-2005-2177 to this issue.

XFree86 -- An integer overflow flaw in the way the XFree86 server
processes PCF font files was discovered. A malicious authorized client
could exploit this issue to cause a denial of service (crash) or
potentially execute arbitrary code with root privileges on the XFree86
server. The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2006-3467 to this issue.

A minor info leak in socket name handling in the network code
(CVE-2006-1342).
A minor info leak in socket option handling in the network code
(CVE-2006-1343).
A directory traversal vulnerability in smbfs that allowed a local user
to escape chroot restrictions for an SMB-mounted filesystem via "..\\"
sequences (CVE-2006-1864).
A flaw in the mprotect system call that allowed to give write permission
to a readonly attachment of shared memory (CVE-2006-2071).

NOTE: AMD processers were not supported in the VMware ESX 2.0.2 release
so CVE-2006-1056 is not applicable to this version of the product.

The non-security-related fixes are documented on the patch download page.

4. Solution:

Upgrade to the latest update package for your release of ESX.
http://www.vmware.com/download/esx/

http://www.vmware.com/download/esx/esx-202-200610-patch.html

he md5 checksum output should match the following:
9e79d333ac9360122fb69bc8fc549405 esx-2.0.2-31924-upgrade.tar.gz

5. References:
http://www.vmware.com/download/esx/esx-202-200610-patch.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2071
http://www.vmware.com/products/esx/
http://www.vmware.com/download/esx/

6. Contact:

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail:  security@vmware.com

Copyright 2006 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFWP5W6KjQhy2pPmkRCDVzAJ9O3O4zIUSmEW9i4NyvxKxd1xUMLwCfRrYT
PiCazE9ioHCf33AaY31k8mU=
=U+XZ
-----END PGP SIGNATURE-----
    

- 漏洞信息 (F52051)

VMware Security Advisory 2006-0007 (PacketStormID:F52051)
2006-11-14 00:00:00
VMware  vmware.com
advisory,vulnerability,python
CVE-2004-2069,CVE-2006-3403,CVE-2005-2177,CVE-2006-3467,CVE-2006-1056,CVE-2006-1342,CVE-2006-1343,CVE-2006-1864,CVE-2006-2071
[点击下载]

VMware Security Advisory - A new update has been released for VMware ESX 2.1.3 versions prior to upgrade patch 2. This patch addresses vulnerabilities in Openssh, samba, Python, ucd-snmp, XFree86, and more.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2006-0007
Synopsis:          VMware ESX Server 2.1.3 Upgrade Patch 2
Patch URL: http://www.vmware.com/download/esx/esx-213-200610-patch.html
Issue date:        2006-10-31
Updated on:        2006-11-13
CVE Names:         CAN-2004-2069 CVE-2006-3403 CVE-2005-2177
                   CVE-2006-3467 CVE-2006-1056 CVE-2006-1342
                   CVE-2006-1343 CVE-2006-1864 CVE-2006-2071
- - -------------------------------------------------------------------

1. Summary:

Updated package addresses several security issues.

2. Relevant releases:

VMware ESX 2.1.3 prior to upgrade patch 2

3. Problem description:

This patch addresses the following security issues:

Openssh -- A bug was found in the way the OpenSSH server handled the
MaxStartups and LoginGraceTime configuration variables. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CAN-2004-2069 to this issue.

samba -- A denial of service bug was found in the way the smbd daemon
tracks active connections to shares. It was possible for a remote
attacker to cause the smbd daemon to consume a large amount of system
memory by sending carefully crafted smb requests. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CVE-2006-3403 to this issue.

Python -- An integer overflow flaw was found in Python's PCRE library
that could be triggered by a maliciously crafted regular expression. On
systems that accept arbitrary regular expressions from untrusted users,
this could be exploited to execute arbitrary code with the privileges of
the application using the library. The Common Vulnerabilities and
Exposures project (cve.mitre.org) assigned the name CVE-2005-2491 to
this issue.

ucd-snmp -- A denial of service bug was found in the way ucd-snmp uses
network stream protocols. A remote attacker could send a ucd-snmp agent
a specially crafted packet which will cause the agent to crash. The
Common Vulnerabilities and Exposures project (cve.mitre.org) assigned
the name CAN-2005-2177 to this issue.

XFree86 -- An integer overflow flaw in the way the XFree86 server
processes PCF font files was discovered. A malicious authorized client
could exploit this issue to cause a denial of service (crash) or
potentially execute arbitrary code with root privileges on the XFree86
server. The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2006-3467 to this issue.

An AMD fxsave/restore security vulnerability. The instructions fxsave
and fxrstor on AMD CPUs are used to save or restore the FPU registers
(FOP, FIP and FDP). On AMD Opteron processors, these instructions do not
save/restore some exception related registers unless an exception is
currently being serviced. This could allow a local attacker to partially
monitor the execution path of FPU processes, possibly allowing them to
obtain sensitive information being passed through those processes.  The
Common Vulnerabilities and Exposures project (cve.mitre.org) assigned
the name CVE-2006-1056 to this issue.

A minor info leak in socket name handling in the network code
(CVE-2006-1342).
A minor info leak in socket option handling in the network code
(CVE-2006-1343).
A directory traversal vulnerability in smbfs that allowed a local user
to escape chroot restrictions for an SMB-mounted filesystem via "..\\"
sequences (CVE-2006-1864).
A flaw in the mprotect system call that allowed to give write permission
to a readonly attachment of shared memory (CVE-2006-2071).

The non-security-related fixes are documented on the patch download page.

4. Solution:

Upgrade to the latest update package for your release of ESX.
http://www.vmware.com/download/esx/

http://www.vmware.com/download/esx/esx-213-200610-patch.html

The md5 checksum output should match the following:
c7057896ee275ce28b0b94a2186c1232 esx-2.1.3-24171-upgrade.tar.gz

5. References:
http://www.vmware.com/download/esx/esx-213-200610-patch.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2071
http://www.vmware.com/products/esx/
http://www.vmware.com/download/esx/

6. Contact:

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail:  security@vmware.com

Copyright 2006 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFWP5M6KjQhy2pPmkRCGbTAJ9a4PnHLWO6HwHQKzVPj1VI9V0dVQCdETxH
ISqiyTar1d433nMH9q/JvxA=
=cesx
-----END PGP SIGNATURE-----
    

- 漏洞信息 (F52050)

VMware Security Advisory 2006-0006 (PacketStormID:F52050)
2006-11-14 00:00:00
VMware  vmware.com
advisory,vulnerability,python
CVE-2004-2069,CVE-2006-3403,CVE-2005-2177,CVE-2006-3467,CVE-2006-1056,CVE-2006-1342,CVE-2006-1343,CVE-2006-1864,CVE-2006-2071
[点击下载]

VMware Security Advisory - A new update has been released for VMware ESX versions 2.5.3 prior to upgrade patch 4. This patch addresses vulnerabilities in Openssh, samba, Python, ucd-snmp, XFree86, and more.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2006-0006
Synopsis:          VMware ESX Server 2.5.3 Upgrade Patch 4
Patch URL: http://www.vmware.com/download/esx/esx-253-200610-patch.html
Issue date:        2006-10-31
Updated on:        2006-11-13
CVE Names:         CAN-2004-2069 CVE-2006-3403 CVE-2005-2177
                   CVE-2006-3467 CVE-2006-1056 CVE-2006-1342
                   CVE-2006-1343 CVE-2006-1864 CVE-2006-2071
- - -------------------------------------------------------------------

1. Summary:

Updated package addresses several security issues.

2. Relevant releases:

VMware ESX 2.5.3 prior to upgrade patch 4

3. Problem description:

This patch addresses the following security issues:

Openssh -- A bug was found in the way the OpenSSH server handled the
MaxStartups and LoginGraceTime configuration variables. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CAN-2004-2069 to this issue.

samba -- A denial of service bug was found in the way the smbd daemon
tracks active connections to shares. It was possible for a remote
attacker to cause the smbd daemon to consume a large amount of system
memory by sending carefully crafted smb requests. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CVE-2006-3403 to this issue.

Python -- An integer overflow flaw was found in Python's PCRE library
that could be triggered by a maliciously crafted regular expression. On
systems that accept arbitrary regular expressions from untrusted users,
this could be exploited to execute arbitrary code with the privileges of
the application using the library. The Common Vulnerabilities and
Exposures project (cve.mitre.org) assigned the name CVE-2005-2491 to
this issue.

ucd-snmp -- A denial of service bug was found in the way ucd-snmp uses
network stream protocols. A remote attacker could send a ucd-snmp agent
a specially crafted packet which will cause the agent to crash. The
Common Vulnerabilities and Exposures project (cve.mitre.org) assigned
the name CAN-2005-2177 to this issue.

XFree86 -- An integer overflow flaw in the way the XFree86 server
processes PCF font files was discovered. A malicious authorized client
could exploit this issue to cause a denial of service (crash) or
potentially execute arbitrary code with root privileges on the XFree86
server. The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2006-3467 to this issue.

An AMD fxsave/restore security vulnerability. The instructions fxsave
and fxrstor on AMD CPUs are used to save or restore the FPU registers
(FOP, FIP and FDP). On AMD Opteron processors, these instructions do not
save/restore some exception related registers unless an exception is
currently being serviced. This could allow a local attacker to partially
monitor the execution path of FPU processes, possibly allowing them to
obtain sensitive information being passed through those processes.  The
Common Vulnerabilities and Exposures project (cve.mitre.org) assigned
the name CVE-2006-1056 to this issue.

A minor info leak in socket name handling in the network code
(CVE-2006-1342).
A minor info leak in socket option handling in the network code
(CVE-2006-1343).
A directory traversal vulnerability in smbfs that allowed a local user
to escape chroot restrictions for an SMB-mounted filesystem via "..\\"
sequences (CVE-2006-1864).
A flaw in the mprotect system call that allowed to give write permission
to a readonly attachment of shared memory (CVE-2006-2071).

The non-security-related fixes are documented on the patch download page.

4. Solution:

Upgrade to the latest update package for your release of ESX.
http://www.vmware.com/download/esx/

http://www.vmware.com/download/esx/esx-253-200610-patch.html

The md5 checksum output should match the following:
4852f5a00e29b5780d9d0fadc0d28f3e esx-2.5.3-32134-upgrade.tar.gz

Please DO NOT apply this patch on SunFire X4100 or X4200 servers.
For further details, please refer to knowledge base article 2085:
Installing ESX 2.5.3 on SunFire x4100 and x4200 Servers.
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2085

5. References:
http://www.vmware.com/download/esx/esx-253-200610-patch.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2071
http://www.vmware.com/products/esx/
http://www.vmware.com/download/esx/

6. Contact:

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail:  security@vmware.com

Copyright 2006 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFWP476KjQhy2pPmkRCD9rAKC9xQ9ej+t23opBsZn5BY6w736lmQCfQ9WA
5PuJxKgAYF2RTeQoXM7lr1I=
=miw3
-----END PGP SIGNATURE-----
    

- 漏洞信息

16567
OpenSSH Privilege Separation LoginGraceTime DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

OpenSSH contains a flaw that may allow a remote denial of service. The issue is triggered when a session has been terminated after exceeding the LoginGraceTime setting. The connection is not properly closed and could lead to a connection consumption attack, causing further connections to be refused. This will result in loss of availability for the ssh service.

- 时间线

2004-01-28 Unknow
2004-01-27 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Darren Tucker has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

OpenSSH LoginGraceTime Remote Denial Of Service Vulnerability
Design Error 14963
Yes No
2004-01-28 12:00:00 2006-12-15 10:53:00
"Kumaresh" <kumaresh_ind@gmx.net> disclosed this issue to the vendor.

- 受影响的程序版本

VMWare ESX Server 2.5.4
VMWare ESX Server 2.5.3
VMWare ESX Server 2.1.3
VMWare ESX Server 2.0.2
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 3
RedHat Desktop 3.0
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 3
OpenSSH OpenSSH 3.7.1 p1
+ SCO Open Server 5.0.7
OpenSSH OpenSSH 3.7.1
OpenSSH OpenSSH 3.7 p1
OpenSSH OpenSSH 3.7 .1p2
OpenSSH OpenSSH 3.7
OpenSSH OpenSSH 3.6.1 p2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Trustix Secure Linux 2.0
OpenSSH OpenSSH 3.6.1 p1
+ OpenPKG OpenPKG Current
+ Slackware Linux 9.0
+ Slackware Linux -current
OpenSSH OpenSSH 3.6.1
+ Novell Netware 6.5
OpenSSH OpenSSH 3.5 p1
+ Conectiva Linux 9.0
+ OpenPKG OpenPKG 1.2
+ RedHat Linux 9.0 i386
+ S.u.S.E. Linux Personal 8.2
+ Terra Soft Solutions Yellow Dog Linux 3.0
OpenSSH OpenSSH 3.5
OpenSSH OpenSSH 3.4 p1-1
OpenSSH OpenSSH 3.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ IBM AIX 5.1 L
+ IBM AIX 4.3.3
+ Immunix Immunix OS 7+
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ Slackware Linux 8.1
OpenSSH OpenSSH 3.4
OpenSSH OpenSSH 3.3 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
OpenSSH OpenSSH 3.3
+ Openwall Openwall GNU/*/Linux (Owl)-current
OpenSSH OpenSSH 3.2.3 p1
OpenSSH OpenSSH 3.2.2 p1
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
OpenSSH OpenSSH 3.2
+ OpenBSD OpenBSD 3.1
OpenSSH OpenSSH 3.1 p1
+ Juniper Networks NetScreen-IDP 10 3.0 r2
+ Juniper Networks NetScreen-IDP 10 3.0 r1
+ Juniper Networks NetScreen-IDP 10 3.0
+ Juniper Networks NetScreen-IDP 100 3.0 r2
+ Juniper Networks NetScreen-IDP 100 3.0 r1
+ Juniper Networks NetScreen-IDP 100 3.0
+ Juniper Networks NetScreen-IDP 1000 3.0 r2
+ Juniper Networks NetScreen-IDP 1000 3.0 r1
+ Juniper Networks NetScreen-IDP 1000 3.0
+ Juniper Networks NetScreen-IDP 500 3.0 r2
+ Juniper Networks NetScreen-IDP 500 3.0 r1
+ Juniper Networks NetScreen-IDP 500 3.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.3
+ RedHat Linux 7.2
+ RedHat Linux 7.1
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Slackware Linux 8.1
+ Sun Linux 5.0.7
+ Sun Solaris 9
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
OpenSSH OpenSSH 3.1
OpenSSH OpenSSH 3.0.2 p1
+ Guardian Digital Engarde Secure Linux 1.0.1
+ HP VirtualVault 4.6
OpenSSH OpenSSH 3.0.2
- Debian Linux 3.0
+ FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
+ FreeBSD FreeBSD 4.5 -RELEASE
+ OpenPKG OpenPKG 1.0
+ Openwall Openwall GNU/*/Linux 0.1 -stable
+ S.u.S.E. Linux 8.0
OpenSSH OpenSSH 3.0.1 p1
OpenSSH OpenSSH 3.0.1
OpenSSH OpenSSH 3.0 p1
OpenSSH OpenSSH 3.0
OpenSSH OpenSSH 2.9.9
+ NetBSD NetBSD 1.5.2
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2
OpenSSH OpenSSH 2.9 p2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
- Conectiva Linux 5.0
- Conectiva Linux graficas
- Conectiva Linux ecommerce
+ FreeBSD FreeBSD 4.4 -RELENG
+ HP Secure OS software for Linux 1.0
+ Immunix Immunix OS 7.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2
+ RedHat Linux 7.1
+ RedHat Linux 7.0
- S.u.S.E. Linux 7.3 sparc
- S.u.S.E. Linux 7.3 ppc
- S.u.S.E. Linux 7.3 i386
- S.u.S.E. Linux 7.2 i386
- S.u.S.E. Linux 7.1 x86
- S.u.S.E. Linux 7.1 sparc
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 alpha
+ Sun Cobalt RaQ 550
OpenSSH OpenSSH 2.9 p1
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
OpenSSH OpenSSH 2.9
+ FreeBSD FreeBSD 4.6 -RELEASE
+ FreeBSD FreeBSD 4.6
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
OpenSSH OpenSSH 2.5.2
- Caldera OpenUnix 8.0
- Caldera UnixWare 7.1.1
- Wirex Immunix OS 6.2
OpenSSH OpenSSH 2.5.1
+ NetBSD NetBSD 1.5.1
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. SuSE eMail Server III
- SCO Open Server 5.0.6 a
- SCO Open Server 5.0.6
- SCO Open Server 5.0.5
- SCO Open Server 5.0.4
- SCO Open Server 5.0.3
- SCO Open Server 5.0.2
- SCO Open Server 5.0.1
- SCO Open Server 5.0
+ SuSE SUSE Linux Enterprise Server 7
OpenSSH OpenSSH 2.5
OpenSSH OpenSSH 2.3
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 i386
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 6.4 ppc
- S.u.S.E. Linux 6.4 i386
- S.u.S.E. Linux 6.4 alpha
Avaya Intuity LX
Avaya Integrated Management 2.1
Avaya Integrated Management
Avaya CVLAN
VMWare ESX Server 2.5.4 Patch 1
VMWare ESX Server 2.5.3 Patch 4
VMWare ESX Server 2.1.3 Patch 2
VMWare ESX Server 2.0.2 Patch 2
OpenSSH OpenSSH 3.8 p1
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1

- 不受影响的程序版本

VMWare ESX Server 2.5.4 Patch 1
VMWare ESX Server 2.5.3 Patch 4
VMWare ESX Server 2.1.3 Patch 2
VMWare ESX Server 2.0.2 Patch 2
OpenSSH OpenSSH 3.8 p1
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1

- 漏洞讨论

OpenSSH is susceptible to a remote denial-of-service vulnerability. This issue is due to a design flaw when servicing timeouts related to the 'LoginGraceTime' server-configuration directive.

Specifically, when 'LoginGraceTime' in conjunction with 'MaxStartups' and 'UsePrivilegeSeparation' are configured and enabled in the server, a condition may arise where the server refuses further remote connection attempts.

This issue may be exploited by remote attackers to deny SSH service to legitimate users.

- 漏洞利用

An exploit is not required.

- 解决方案

Please see the referenced vendor advisories for more information and fixes.


OpenSSH OpenSSH 2.3

OpenSSH OpenSSH 2.5

OpenSSH OpenSSH 2.5.1

OpenSSH OpenSSH 2.5.2

OpenSSH OpenSSH 2.9 p2

OpenSSH OpenSSH 2.9

OpenSSH OpenSSH 2.9 p1

OpenSSH OpenSSH 2.9.9

OpenSSH OpenSSH 3.0

OpenSSH OpenSSH 3.0 p1

OpenSSH OpenSSH 3.0.1 p1

OpenSSH OpenSSH 3.0.1

OpenSSH OpenSSH 3.0.2

OpenSSH OpenSSH 3.0.2 p1

OpenSSH OpenSSH 3.1

OpenSSH OpenSSH 3.1 p1

OpenSSH OpenSSH 3.2

OpenSSH OpenSSH 3.2.2 p1

OpenSSH OpenSSH 3.2.3 p1

OpenSSH OpenSSH 3.3

OpenSSH OpenSSH 3.3 p1

OpenSSH OpenSSH 3.4

OpenSSH OpenSSH 3.4 p1

OpenSSH OpenSSH 3.4 p1-1

OpenSSH OpenSSH 3.5

OpenSSH OpenSSH 3.5 p1

OpenSSH OpenSSH 3.6.1 p1

OpenSSH OpenSSH 3.6.1 p2

OpenSSH OpenSSH 3.6.1

OpenSSH OpenSSH 3.7 p1

OpenSSH OpenSSH 3.7

OpenSSH OpenSSH 3.7 .1p2

OpenSSH OpenSSH 3.7.1

OpenSSH OpenSSH 3.7.1 p1

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站