Globus GSI-OpenSSH versions 4.2 and prior and OpenSSH versions 4.9p1 and prior contain a vulnerability that could allow a local attacker to disclose sensitive information.
The vulnerability exists because of an error in OpenSSH when binding TCP ports on the local IPv6 and IPv4 interfaces. An attacker may exploit the vulnerability to hijack X11 connections to intercept sensitive information.
Exploit code is not required.
Globus and OpenSSH have confirmed the vulnerability and released updated software.
Indicators of Compromise
OpenSSH versions 4.9p1 and prior are vulnerable. Because Globus GSI-OpenSSH is a modified version of OpenSSH, versions 4.2 and prior of this product are vulnerable.
An attacker with local account access could exploit the vulnerability. Additional authentication is not required.
The vulnerability exists because the sshd daemon does not properly bind and use TCP ports on the local IPv6 interface if required ports on the IPv4 interface are in use. A local attacker could exploit the vulnerability by causing OpenSSH to set DISPLAY to :10. This setting allows attackers to listen on TCP port 6010 on the IPv4 interface even if another process is listening on the associated port. The attacker could hijack forwarded X11 connections and intercept the session. An exploit could result in the disclosure of sensitive information.
To exploit the vulnerability, an attacker must have local account access on the system. This requirement decreases the likelihood of an attack. Successful exploitation could allow an attacker to hijack forwarded X11 connections simply by listening on TCP port 6010 to intercept the session. An exploit could lead to sensitive information disclosure.
Administrators are advised to apply the appropriate updates.
Administrators are advised to restrict local account access.
Administrators are advised to restrict access to TCP port 6010.
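The following check is an added example, not part of the original alert or of the OpenSSH or Globus code. It parses `ss -H -ltnp` output and flags forwarded-X11 ports whose IPv4 and IPv6 listeners are owned by different processes, the condition this alert describes. The sample lines, the process names and PIDs in them, and the display range :10 to :99 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `ss -H -ltnp` output (run as root so owners are shown).
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("listener",pid=4242,fd=3))
LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=1311,fd=8))
LISTEN 0 128 127.0.0.1:6011 0.0.0.0:* users:(("sshd",pid=1502,fd=9))
LISTEN 0 128 [::1]:6011 [::]:* users:(("sshd",pid=1502,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
"""

X11_BASE = 6000                      # X11 TCP port = 6000 + display number
FWD_PORTS = range(6010, 6100)        # assumption: forwarded displays :10 to :99
LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$')
OWNER = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_listeners(ss_output):
    """Map port -> {"ipv4": {(name, pid)}, "ipv6": {...}} for forwarded-X11 ports."""
    ports = defaultdict(lambda: {"ipv4": set(), "ipv6": set()})
    for line in ss_output.splitlines():
        m = LINE.match(line.strip())
        if not m or int(m.group(2)) not in FWD_PORTS:
            continue
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        family = "ipv6" if addr.startswith("[") else "ipv4"
        # Without privileges ss omits the owner; record it as unknown.
        owners = OWNER.findall(proc) or [("unknown", "0")]
        ports[port][family].update((name, int(pid)) for name, pid in owners)
    return ports

def find_split_listeners(ss_output):
    """Flag ports whose IPv4 and IPv6 listeners belong to different processes."""
    findings = []
    for port, fam in sorted(parse_listeners(ss_output).items()):
        v4, v6 = fam["ipv4"], fam["ipv6"]
        # The advisory's condition: one process holds IPv4, sshd only got IPv6.
        if v4 and v6 and v4 != v6:
            findings.append({"port": port, "display": port - X11_BASE,
                             "ipv4": sorted(v4), "ipv6": sorted(v6)})
    return findings

if __name__ == "__main__":
    for f in find_split_listeners(SAMPLE_SS):
        print(f"port {f['port']} (DISPLAY :{f['display']}): "
              f"IPv4 owner {f['ipv4']} differs from IPv6 owner {f['ipv6']}")
```

Owners are compared by PID rather than by process name alone, because a process name is chosen by whoever starts the process.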
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.