Page 5 of 26 results (0.010 seconds)

CVSS: 7.5EPSS: 10%CPEs: 1EXPL: 1

Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket. Vulnerabilidad de ruta de búsqueda no confiable en ssh-agent.c en ssh-agent en OpenSSH en versiones anteriores a 7.4 permite a atacantes remotos ejecutar modulos locales PKCS#11 arbitrarios aprovechando el control sobre un agent-socket reenviado. It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. • https://www.exploit-db.com/exploits/40963 http://packetstormsecurity.com/files/140261/OpenSSH-Arbitrary-Library-Loading.html http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2023/Jul/31 http://www.openwall.com/lists/oss-security/2016/12/19/2 http://www.openwall.com/lists/oss-security/2023/07/19/9 http://www.openwall.com/lists/oss-security/2023/07/20/1 http://www.securityfocus.com/bid/94968 http&# • CWE-426: Untrusted Search Path •

CVSS: 7.8EPSS: 78%CPEs: 6EXPL: 0

The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue." ** DISPUTADA ** La función kex_input_kexinit en kex.c en OpenSSH 6.x y 7.x hasta la versión 7.3 permite a atacantes remotos provocar una denegación de servicio (consumo de memoria) enviando muchas peticiones duplicadas KEXINIT. NOTA: un tercero reporta que "OpenSSH upstream no considera esto como un problema de seguridad". • http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c.diff?r1=1.126&r2=1.127&f=h http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.127&content-type=text/x-cvsweb-markup http://www.openwall.com/lists/oss-security/2016/10/19/3 http://www.openwall.com/lists/oss-security/2016/10/20/1 http://www.securityfocus.com/bid/93776 http://www.securitytracker.com/id/1037057 https://bugzilla.redhat.com/show_bug.cgi?id=1384860 https: • CWE-399: Resource Management Errors •

CVSS: 9.8EPSS: 0%CPEs: 25EXPL: 0

The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server. El cliente en OpenSSH en versiones anteriores a 7.2 no maneja correctamente falló en la generación de cookies para el reenvío X11 no confiable y confía en el servidor X11 local para las decisiones de control de acceso, lo que permite a los clientes remotos X11 activar un fallback y obtener privilegios de reenvío X11 confiables aprovechando los problemas de configuración de este servidor X11, como lo demuestra la falta de la extensión SECURITY en este servidor X11. An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. • http://openwall.com/lists/oss-security/2016/01/15/13 http://rhn.redhat.com/errata/RHSA-2016-0465.html http://rhn.redhat.com/errata/RHSA-2016-0741.html http://www.openssh.com/txt/release-7.2 http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html http://www.securityfocus.com/bid/84427 http://www.securitytracker.com/id/1034705 https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c https://bugzilla.redhat.com/show_bug.cgi • CWE-284: Improper Access Control CWE-287: Improper Authentication •

CVSS: 4.0EPSS: 0%CPEs: 84EXPL: 3

The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. La (1) función remote_glob en sftp-glob.c y (2) la función process_put en sftp.c en OpenSSH v5.8 y versiones anteriores, como se usa en FreeBSD v7.3 y v8.1, NetBSD v5.0.2, OpenBSD v4.7 y otros productos, permiten a usuarios remotos autenticados causar una denegación de servicio (por excesivo uso de CPU y consumo de memoria) a través de expresiones glob debidamente modificadas que no coinciden con ningún nombre de ruta, como lo demuestran las expresiones glob en las solicitudes SSH_FXP_STAT a un demonio de sftp. Se trata de una vulnerabilidad diferente a CVE-2010-2632. • http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c#rev1.13.12.1 http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp.c#rev1.21.6.1 http://cxib.net/stuff/glob-0day.c http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-008.txt.asc http://securityreason.com/achievement_securityalert/89 http://securityreason.com/exploitalert/9223 http://securityreason.com/securityalert/8116 • CWE-399: Resource Management Errors •

CVSS: 10.0EPSS: 1%CPEs: 38EXPL: 1

Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges. Error 'off-by-one' en el código de canal de OpenSSH 2.0 a 3.0.2 permite a usuarios locales o a servidores remotos ganar privilegios. • https://www.exploit-db.com/exploits/21314 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/CSSA-2002-SCO.10.txt ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.11/CSSA-2002-SCO.11.txt http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html http://archives.neohapsis.com/archives/vulnw • CWE-193: Off-by-one Error •