FreeBSD : rssh -- configuration restrictions bypass (a4598875-ec91-11e1-8bd8-0022156e8794)

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Derek Martin (rssh maintainer) reports :

John Barber reported a problem where, if the system administrator
misconfigures rssh by providing too few access bits in the
configuration file, the user will be given default permissions (scp)
to the entire system, potentially circumventing any configured chroot.
Fixing this required a behavior change: in the past, using rssh
without a config file would give all users default access to use scp
on an unchrooted system. In order to correct the reported bug, this
feature has been eliminated, and you must now have a valid
configuration file. If no config file exists, all users will be locked
out.

See also :

http://www.pizzashack.org/rssh/security.shtml
http://www.nessus.org/u?b5840bab

Solution :

Update the affected package.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 61640

Bugtraq ID:

CVE ID:
