Vulnerability Name:

CVE-2006-0705 (CCN-24651)

Assigned:2006-02-13
Published:2006-02-13
Updated:2017-07-20
Summary:Format string vulnerability in a logging function as used by various SFTP servers, including (1) AttachmateWRQ Reflection for Secure IT UNIX Server before 6.0.0.9, (2) Reflection for Secure IT Windows Server before 6.0 build 38, (3) F-Secure SSH Server for Windows before 5.3 build 35, (4) F-Secure SSH Server for UNIX 3.0 through 5.0.8, (5) SSH Tectia Server 4.3.6 and earlier and 4.4.0, and (6) SSH Shell Server 3.2.9 and earlier, allows remote authenticated users to execute arbitrary commands via unspecified vectors, involving crafted filenames and the stat command.
CVSS v3 Severity:5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
4.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
3.8 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-134
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2006-0705

Source: HP
Type: UNKNOWN
HPSBTU02322

Source: CCN
Type: SA18828
SSH Tectia Server SFTP Service Unspecified Vulnerability

Source: SECUNIA
Type: Patch, Vendor Advisory
18828

Source: CCN
Type: SA18843
WRQ Reflection Secure IT SFTP Format String Vulnerability

Source: SECUNIA
Type: Patch, Vendor Advisory
18843

Source: CCN
Type: SA24516
Gentoo net-misc/ssh Vulnerability

Source: SECUNIA
Type: Vendor Advisory
24516

Source: CCN
Type: SA29552
HP Tru64 UNIX SSH SFTP Server Vulnerability

Source: SECUNIA
Type: Vendor Advisory
29552

Source: GENTOO
Type: UNKNOWN
GLSA-200703-13

Source: CCN
Type: SECTRACK ID: 1015619
SSH Tectia Server SFTP Logging Bug May Let Remote Authenticated Users Execute Arbitrary Commands

Source: SECTRACK
Type: Patch
1015619

Source: CCN
Type: WRQ Tech Note 1882
Reflection for Secure IT Server Security Vulnerability Update and Workaround

Source: CONFIRM
Type: Patch
http://support.wrq.com/techdocs/1882.html

Source: CCN
Type: GLSA-200703-13
SSH Communications Security's Secure Shell Server: SFTP privilege escalation

Source: CCN
Type: US-CERT VU#419241
Multiple vendor SFTP logging format string vulnerability

Source: CERT-VN
Type: Patch, US Government Resource
VU#419241

Source: CCN
Type: OSVDB ID: 23120
SSH Tectia Server SFTP Service Filename Logging Format String

Source: CCN
Type: OSVDB ID: 23172
WRQ Reflection Secure IT SFTP Service Filename Logging Format String

Source: CCN
Type: BID-14733
AttachmateWRQ Reflection for Secure IT Windows Server Renamed Account Remote Login Vulnerability

Source: CCN
Type: BID-14734
AttachmateWRQ Reflection for Secure IT Windows Server Insecure Private Key Permissions Vulnerability

Source: CCN
Type: BID-14735
AttachmateWRQ Reflection for Secure IT Windows Server Access Restriction Bypass Vulnerability

Source: BID
Type: Patch
16625

Source: CCN
Type: BID-16625
AttachmateWRQ Reflection for Secure IT Remote Format String Vulnerability

Source: BID
Type: UNKNOWN
16640

Source: CCN
Type: BID-16640
SSH Tectia Server Remote Format String Vulnerability

Source: CCN
Type: SSH Communications Security Web site
SSH Tectia Server Downloads

Source: VUPEN
Type: Vendor Advisory
ADV-2006-0554

Source: VUPEN
Type: Vendor Advisory
ADV-2006-0555

Source: VUPEN
Type: Vendor Advisory
ADV-2008-1008

Source: CCN
Type: HP IT resource center Web site
HP Tru64 UNIX - SSRT080011: SSH Running on HP Tru64 UNIX, Remote Execution of Arbitrary Code or Denial of Service (DoS)

Source: CCN
Type: AttachmateWRQ Web site
Using the AttachmateWRQ Upgrade Process

Source: XF
Type: UNKNOWN
sftp-logging-format-string(24651)

Source: XF
Type: UNKNOWN
sftp-logging-format-string(24651)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:attachmatewrq:reflection_for_secure_it_server:6.0:*:unix:*:*:*:*:*
  • OR cpe:/a:attachmatewrq:reflection_for_secure_it_server:6.0:*:win:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.0.1:*:unix:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.1.0:*:unix:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.1.0_build9:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.2.0:*:unix:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:3.2.3:*:unix:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:5.1:*:win:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:5.2:*:win:*:*:*:*:*
  • OR cpe:/a:f-secure:f-secure_ssh_server:5.3:*:win:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ssh:tectia_server:4.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.3:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:ssh:tectia_server:4.4:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    attachmatewrq reflection for secure it server 6.0
    attachmatewrq reflection for secure it server 6.0
    f-secure f-secure ssh server 3.0.0
    f-secure f-secure ssh server 3.0.1
    f-secure f-secure ssh server 3.0.1
    f-secure f-secure ssh server 3.0.2
    f-secure f-secure ssh server 3.0.3
    f-secure f-secure ssh server 3.0.4
    f-secure f-secure ssh server 3.0.5
    f-secure f-secure ssh server 3.0.6
    f-secure f-secure ssh server 3.0.7
    f-secure f-secure ssh server 3.0.8
    f-secure f-secure ssh server 3.0.9
    f-secure f-secure ssh server 3.1.0
    f-secure f-secure ssh server 3.1.0
    f-secure f-secure ssh server 3.1.0_build9
    f-secure f-secure ssh server 3.2.0
    f-secure f-secure ssh server 3.2.3
    f-secure f-secure ssh server 5.0
    f-secure f-secure ssh server 5.1
    f-secure f-secure ssh server 5.2
    f-secure f-secure ssh server 5.3
    ssh tectia server 4.0.3
    ssh tectia server 4.0.4
    ssh tectia server 4.3.6
    ssh tectia server 4.0
    ssh tectia server 4.0.5
    ssh tectia server 4.2.1
    ssh tectia server 4.3
    ssh tectia server 4.3.1
    ssh tectia server 4.3.2
    ssh tectia server 4.3.3
    ssh tectia server 4.3.4
    ssh tectia server 4.3.5
    ssh tectia server 4.4
    gentoo linux *