Vulnerability Name:

CVE-2009-2904 (CCN-53596)

Assigned:2009-09-30
Published:2009-09-30
Updated:2017-09-19
Summary:A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
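The summary pins the bug on the ownership requirement for the chroot tree. Upstream sshd's safely_chroot() refuses to chroot unless every path component from "/" down to the ChrootDirectory is a root-owned directory that is not group- or world-writable; once a local user owns or can write part of that tree, they can hard link a setuid binary into it beside a forged configuration file and run it from a chrooted session. The script below is an added example (not code from the page, Red Hat or the OpenSSH project) that audits a ChrootDirectory value against that upstream rule. The function names, the Component dataclass and the %h/%u expansion helper are this example's own choices.

```python
#!/usr/bin/env python3
"""Audit sshd ChrootDirectory paths against the ownership rule that
upstream OpenSSH enforces in safely_chroot(): every component from "/"
to the chroot root must be a directory, owned by root, and not writable
by group or others.  Added example, not Red Hat or OpenSSH code."""
import os
import stat
import sys
from dataclasses import dataclass
from typing import List


@dataclass
class Component:
    """One path component as sshd would stat() it."""
    path: str
    uid: int
    mode: int  # full st_mode: file-type bits plus permission bits


def expand_chroot_tokens(value: str, user: str, home: str) -> str:
    """Expand the %h (home directory), %u (user name) and %% tokens that
    ChrootDirectory accepts.  Single pass, so a '%' produced by one token
    is never re-interpreted.  Unknown or dangling tokens are rejected, as
    sshd itself rejects them."""
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(value):
            raise ValueError("dangling '%' in ChrootDirectory")
        tok = value[i + 1]
        if tok == "h":
            out.append(home)
        elif tok == "u":
            out.append(user)
        elif tok == "%":
            out.append("%")
        else:
            raise ValueError(f"unknown token %{tok} in ChrootDirectory")
        i += 2
    return "".join(out)


def path_components(chroot: str) -> List[str]:
    """'/home/jail/alice' -> ['/', '/home', '/home/jail', '/home/jail/alice']"""
    cur = os.path.normpath(chroot)
    parts = []
    while True:
        parts.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    return list(reversed(parts))


def audit_components(comps: List[Component]) -> List[str]:
    """Return one finding per violated rule; an empty list means upstream
    sshd would accept the path."""
    findings = []
    for c in comps:
        perms = stat.S_IMODE(c.mode)
        if not stat.S_ISDIR(c.mode):
            findings.append(f"{c.path}: not a directory")
        if c.uid != 0:
            findings.append(f"{c.path}: owned by uid {c.uid}, must be owned by root")
        if perms & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{c.path}: group/world writable (mode {perms:04o})")
    return findings


def audit_chroot(chroot: str) -> List[str]:
    """stat() every component of a real path (following symlinks, as sshd
    does) and audit the result."""
    comps = []
    for p in path_components(chroot):
        st = os.stat(p)
        comps.append(Component(p, st.st_uid, st.st_mode))
    return audit_components(comps)


if __name__ == "__main__":
    # Usage: audit_chroot.py /path/to/chroot [...]   (expand %h/%u first)
    status = 0
    for target in sys.argv[1:] or ["/"]:
        findings = audit_chroot(target)
        print(f"{target}: {'OK' if not findings else 'NOT SAFE'}")
        for f in findings:
            print("  " + f)
        status |= bool(findings)
    sys.exit(status)
```

Run it against the expanded ChrootDirectory of each affected user (for a `Match User` block using `%h`, expand with that user's home first). Two caveats a practitioner should keep in mind: the hard-link step of the attack only works when the setuid binary and the chroot live on the same filesystem, and kernels from Linux 3.6 onward can block it outright with `fs.protected_hardlinks=1`; the 2.6.18 kernel in RHEL 5 has no such knob, so the directory ownership rule was the only guard there.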
CVSS v3 Severity:8.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.1 Medium (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.2 Medium (CCN CVSS v2 Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C)
4.6 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.2 Medium (REDHAT CVSS v2 Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C)
4.6 Medium (REDHAT Temporal CVSS v2 Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-16
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2009-2904

Source: FEDORA
Type: UNKNOWN
FEDORA-2010-5429

Source: CCN
Type: VMware Security Announcements
VMSA-2010-0004 ESX Service Console and vMA third party updates

Source: MLIST
Type: UNKNOWN
[security-announce] 20100303 VMSA-2010-0004 ESX Service Console and vMA third party updates

Source: OSVDB
Type: UNKNOWN
58495

Source: CCN
Type: RHSA-2009-1470
Moderate: openssh security update

Source: CCN
Type: SA38794
VMware vMA Update for Multiple Packages

Source: SECUNIA
Type: UNKNOWN
38794

Source: CCN
Type: SA38834
VMware ESX Server 4 Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
38834

Source: SECUNIA
Type: UNKNOWN
39182

Source: CCN
Type: OSVDB ID: 58495
OpenSSH sshd ChrootDirectory Feature SetUID Hard Link Local Privilege Escalation

Source: BID
Type: UNKNOWN
36552

Source: CCN
Type: BID-36552
Red Hat Enterprise Linux OpenSSH 'ChrootDirectory' Option Local Privilege Escalation Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2010-0528

Source: CCN
Type: Redhat Bugzilla Bug 522141
CVE-2009-2904 openssh: possible privilege escalation when using ChrootDirectory setting

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=522141

Source: XF
Type: UNKNOWN
rhel-chrootdirectory-priv-escalation(53596)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:9862

Source: REDHAT
Type: Vendor Advisory
RHSA-2009:1470

Vulnerable Configuration:Configuration 1:
  • cpe:/a:openbsd:openssh:4.3:-:*:*:*:*:*:*
  • OR cpe:/a:openbsd:openssh:4.8:-:*:*:*:*:*:*
  • AND
  • cpe:/o:fedoraproject:fedora:11:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:server:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_desktop:5:*:client:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_eus:5:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/o:redhat:enterprise_linux:5:*:server:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_desktop:5::client:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*
  • OR cpe:/a:vmware:esx_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:vma:4.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.mitre.oval:def:29271 | P (patch) | RHSA-2009:1470 -- openssh security update (Moderate) | 2015-08-17
    oval:org.mitre.oval:def:22800 | P (patch) | ELSA-2009:1470: openssh security update (Moderate) | 2014-05-26
    oval:org.mitre.oval:def:9862 | V (vulnerability) | A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership. | 2013-04-29
    oval:com.redhat.rhsa:def:20091470 | P (patch) | RHSA-2009:1470: openssh security update (Moderate) | 2009-09-30
    openbsd openssh 4.3
    openbsd openssh 4.8
    fedoraproject fedora 11
    redhat enterprise linux 5
    redhat enterprise linux desktop 5
    redhat enterprise linux eus 5
    vmware esx server 4.0
    vmware vma 4.0