Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency."

The remote host is affected by the vulnerability described in GLSA-201309-20 (Dropbear: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Dropbear. Please review       the CVE identifier and Gentoo bug referenced below for details.
  Impact :

    A remote attacker could send a specially crafted request to trigger a       use-after-free condition, possibly resulting in arbitrary code execution       or a Denial of Service condition. Additionally, the bundled version of       libtommath has an error in its prime number generation, which could       result in the generation of weak keys.
  Workaround :

    There is no known workaround at this time.

Update to 0.55, fix CVE-2012-0920.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Danny Fullerton discovered a use-after-free in the Dropbear SSH daemon, resulting in potential execution of arbitrary code.
Exploitation is limited to users, who have been authenticated through public key authentication and for which command restrictions are in place.

The Dropbear project reports :

Dropbear SSH Server could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a use-after- free error. If a command restriction is enforced, an attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.

According to its self-reported banner, the remote host is running a version of Dropbear SSH before 2012.55.  As such, it reportedly contains a flaw that might allow an attacker to run arbitrary code on the remote host with root privileges if they are authenticated using a public key and command restriction is enforced. 

Note that Nessus has not tried to exploit this vulnerability but instead has relied solely on the version in the service's banner. 

Note also, in cases where the host is running ESXi 4.0 or ESXi 4.1, VMware states in their KB article id 2037316 that this is a false positive since administrative access is required to login via SSH so there are no privileges to be gained by exploiting this issue.  That is true only in a default setup, not one in which SSH access has been enabled for non-root users.

Dropbear, an SSH server, is installed on the remote host. Versions of Dropbear SSH prior to 2012.55 contain a flaw that might allow an attacker to run arbitrary code on the remote host with root privileges if they are authenticated using a public key and command restriction is enforced.

ID	Name	Product	Family	Severity
70160	GLSA-201309-20 : Dropbear: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
60148	Fedora 16 : dropbear-0.55-1.fc16 (2012-10934)	Nessus	Fedora Local Security Checks	high
58853	Debian DSA-2456-1 : dropbear - use after free	Nessus	Debian Local Security Checks	high
58202	FreeBSD : dropbear -- arbitrary code execution (eba70db4-6640-11e1-98af-00262d8b701d)	Nessus	FreeBSD Local Security Checks	high
58183	Dropbear SSH Server Channel Concurrency Use-after-free Remote Code Execution	Nessus	Misc.	high
6338	Dropbear SSH Server < 2012.55 RCE	Nessus Network Monitor	SSH	high

Detections

Analytics

CVE-2012-0920

high

Tenable Plugins

high

high

high

high

high

high