Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

Local attackers may be able to access sensitive information.

Description :

According to its banner, the version of OpenSSH running on the remote
host is earlier than 5.8p2. Such versions may be affected by a local
information disclosure vulnerability: the setuid ssh-keysign utility
can leak open file descriptors to the ssh-rand-helper program it spawns,
so a local user who traces the execution of ssh-keysign may be able to
read the contents of the host's private key. Possession of the host's
private key may allow impersonation of the host.

Note that installations are only vulnerable if ssh-rand-helper was
enabled during the build process, which is not the case for *BSD, OS
X, Cygwin and Linux.
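The check the description relies on is a banner comparison against 5.8p2, with the caveat that only Portable builds (the ones carrying a "pN" suffix) can ship ssh-rand-helper. The following is an added example of that logic, not code from the Nessus plugin; the banner strings are constructed, and the "pN"-suffix test is an assumption used to separate Portable from OpenBSD-native builds.

```python
import re

# Portable OpenSSH 5.8p2 is the first fixed release (major, minor, portable_release)
FIXED = (5, 8, 2)

# Matches e.g. "SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1" or "SSH-2.0-OpenSSH_5.8"
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", re.IGNORECASE)


def parse_openssh_banner(banner):
    """Return (major, minor, portable_release) or None for a non-OpenSSH banner.

    portable_release is None when the banner has no "pN" suffix, i.e. an
    OpenBSD-native build (assumption: only Portable builds advertise "pN").
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, _patch, portable = m.groups()
    return int(major), int(minor), int(portable) if portable else None


def possibly_affected(banner):
    """True when the banner advertises Portable OpenSSH older than 5.8p2.

    Non-portable builds never include ssh-rand-helper, so they are reported
    as not affected. A match is only an indication: the build must also have
    enabled ssh-rand-helper, and distributions may backport the fix without
    changing the version string, so confirm on the host before acting.
    """
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return False
    major, minor, portable = parsed
    if portable is None:
        return False
    return (major, minor, portable) < FIXED


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host
    for sample in ("SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1",
                   "SSH-2.0-OpenSSH_5.8p2",
                   "SSH-2.0-OpenSSH_5.8",
                   "SSH-2.0-dropbear_2012.55"):
        print(sample, "->", "possibly affected" if possibly_affected(sample) else "not flagged")
```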

See also :

http://www.openssh.com/txt/portable-keysign-rand-helper.adv
http://www.openssh.com/txt/release-5.8p2

Solution :

Upgrade to Portable OpenSSH 5.8p2 or later.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 1.6
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 53841

Bugtraq ID: 47691

CVE ID: CVE-2011-4327