Mailinglist Archive: opensuse-security (81 mails)

Re: [suse-security] OpenSSH scp command expansion bug - is it local or remote?
  • From: Marcus Meissner <meissner@xxxxxxx>
  • Date: Tue, 14 Feb 2006 16:36:12 +0100
  • Message-id: <20060214153611.GB21702@xxxxxxx>
On Tue, Feb 14, 2006 at 03:19:58PM +0000, David Corking wrote:
> 1. Thanks for the patch and announcement today : SUSE-SA:2006:008
>
> 2. There seems to have been a co-ordinated disclosure and release of
> patches for CVE-2006-0225 on January 25. Why did SuSE (and Debian)
> not participate in that? Did the other vendors choose not to
> co-ordinate with SuSE (and Debian) ?
>
> 3. I have now avidly read the major reports of CVE-2006-0225, most of
> whom classify it as low priority, and all classify as local. It
> seems to me, from the reports I read, that it is a local privilege
> escalation that allows an authenticated scp user to execute
> arbitrary shell commands, even if they have scp-only privileges.
>
> I am not in any way a skilled penetration tester - so I have to make a
> judgement based on what I read. Have I misunderstood the other
> reports, or have the other reports got it right, or have SuSE
> discovered something new that makes it indeed a *remote*
> vulnerability?

I was undecided too when choosing it, and I do not see a direct threat.

It is post authentication.

The only way I understand this is problematic is when you have a scp-only
remote configuration and can then execute programs on the remote machine.

Ciao, Marcus
