Dropbear SSH Server Channel Concurrency Use-after-free Remote Code Execution

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote host is affected by a remote code execution
vulnerability.

Description :

According to its self-reported banner, the remote host is running a
version of Dropbear SSH before 2012.55. As such, it reportedly
contains a flaw that might allow an attacker to run arbitrary code on
the remote host with root privileges if they are authenticated using a
public key and command restriction is enforced.

Note that Nessus has not tried to exploit this vulnerability but
instead has relied solely on the version in the service's banner.

Note also that, in cases where the host is running ESXi 4.0 or ESXi 4.1,
VMware states in its KB article 2037316 that this is a false positive,
since administrative access is required to log in via SSH, so there are
no privileges to be gained by exploiting this issue. That is true only
in a default setup, not one in which SSH access has been enabled for
non-root users.
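The check described above is purely banner-based: the plugin reads the version string the Dropbear server sends and compares it against 2012.55. The following is an added example of that comparison, not Tenable's plugin code. It assumes the standard Dropbear banner shape `SSH-2.0-dropbear_YYYY.NN` (older releases used `0.NN` numbering, which sorts below the year-based scheme), and the host/banner lines fed to it are constructed sample data.

```python
import re
from typing import Optional, Tuple

# First release that contains the fix (from the advisory above).
FIXED_VERSION: Tuple[int, int] = (2012, 55)

# Matches "SSH-2.0-dropbear_2012.55" and the older "SSH-2.0-dropbear_0.52".
# Anything after the version (e.g. trailing comments) is ignored.
BANNER_RE = re.compile(r"^SSH-[\d.]+-dropbear_(?P<major>\d+)\.(?P<minor>\d+)", re.IGNORECASE)


def parse_dropbear_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a Dropbear SSH banner, or None if the
    banner is not a Dropbear banner or carries no parsable version."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return int(m.group("major")), int(m.group("minor"))


def is_vulnerable_banner(banner: str) -> Optional[bool]:
    """True if the banner advertises a Dropbear release before 2012.55,
    False if it is 2012.55 or later, None if the version cannot be read.
    Like the plugin, this trusts the banner and does not probe the flaw."""
    version = parse_dropbear_version(banner)
    if version is None:
        return None
    # Tuple comparison handles both 0.NN and YYYY.NN numbering.
    return version < FIXED_VERSION


def assess_banners(lines) -> dict:
    """Map each 'host banner' line to 'vulnerable', 'patched' or 'unknown'."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    results = {}
    for line in lines:
        host, _, banner = line.strip().partition(" ")
        results[host] = labels[is_vulnerable_banner(banner)]
    return results


# Constructed sample scan output: "<host> <banner>" per line (not real hosts).
SAMPLE_LINES = [
    "192.0.2.10 SSH-2.0-dropbear_0.52",
    "192.0.2.11 SSH-2.0-dropbear_2011.54",
    "192.0.2.12 SSH-2.0-dropbear_2012.55",
    "192.0.2.13 SSH-2.0-dropbear_2013.56",
    "192.0.2.14 SSH-2.0-OpenSSH_5.9",
]

if __name__ == "__main__":
    for host, status in assess_banners(SAMPLE_LINES).items():
        print(f"{host}: {status}")
```

Hosts flagged as `vulnerable` by this logic still need the ESXi caveat from the advisory applied by hand, since the banner alone does not reveal whether non-root SSH access has been enabled.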

See also :

https://matt.ucc.asn.au/dropbear/CHANGES
https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
https://www.mantor.org/~northox/misc/CVE-2012-0920.html
http://kb.vmware.com/kb/2037316

Solution :

Upgrade to Dropbear SSH 2012.55 or later.

Risk factor :

High / CVSS Base Score : 7.1
(CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.2
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 58183

Bugtraq ID: 52159

CVE ID: CVE-2012-0920