Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.10439
Category:Gain root remotely
Title:OpenSSH < 2.1.1 UseLogin feature
Summary:NOSUMMARY
Description:Description:

You are running a version of OpenSSH which is older
than 2.1.1.

If the UseLogin option is enabled, then sshd
does not switch to the uid of the user logging
in. Instead, sshd relies on login(1) to do the
job. However, if the user specifies a command
for remote execution, login(1) cannot be used
and sshd fails to set the correct user id,
so the command is run with the same privilege as sshd
(usually root privileges).

*** Note that Nessus did not determine whether the UseLogin
*** option was activated or not, so this message may
*** be a false alarm

Solution : Upgrade to OpenSSH 2.1.1 or make sure
that the option UseLogin is set to no in sshd_config

Risk factor : High

Cross-Ref: BugTraq ID: 1334
Common Vulnerability Exposure (CVE) ID: CVE-2000-0525
http://www.securityfocus.com/bid/1334
Bugtraq: 20000609 OpenSSH's UseLogin option allows remote access with root privilege. (Google Search)
http://archives.neohapsis.com/archives/bugtraq/2000-06/0065.html
OpenBSD Security Advisory: 20000606 The non-default UseLogin feature in /etc/sshd_config is broken and should not be used.
http://www.openbsd.org/errata.html#uselogin
http://www.osvdb.org/341
XForce ISS Database: openssh-uselogin-remote-exec(4646)
https://exchange.xforce.ibmcloud.com/vulnerabilities/4646
CopyrightThis script is Copyright (C) 2000 Renaud Deraison

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2024 E-Soft Inc. All rights reserved.