Vulnerability Note VU#740619
SSH Secure Shell for Servers fails to remove child process from master process group
A locally exploitable privilege escalation vulnerability exists in SSH Secure Shell versions 2.0.13 - 3.2.1.
Secure Shell for Servers, developed by SSH Communications Security, does not properly remove the child process from the master process group after non-interactive command execution. Quoting from the SSH Communications Security Advisory:
When used in non-interactive connections, a defect in process grouping
A local attacker may be able to gain elevated privileges.
Upgrade your software. Note that both Secure Shell for Servers and Secure Shell for Workstations need to be updated to eliminate this vulnerability.
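To make the process-group relationship concrete, the following is an added example, not code from SSH Communications Security or from this note. It assumes a POSIX system. The names `child_ids`, `spawn_and_inspect` and `shares_master_group` are hypothetical, and `setsid()` is shown as one standard way to take a forked child out of its parent's process group, not as a description of the vendor's fix.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct child_ids { pid_t pid, pgid, sid; };   /* hypothetical helper type */

/* Fork a stand-in for a non-interactive command child. When `isolate` is
 * nonzero the child calls setsid() first, which places it in a new session
 * and a new process group. The child reports its ids back over a pipe.
 * Returns 0 on success, -1 on any failure (including a failed setsid()). */
int spawn_and_inspect(int isolate, struct child_ids *out)
{
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        close(fds[0]);
        if (isolate && setsid() == (pid_t)-1) _exit(1);
        struct child_ids me = { getpid(), getpgrp(), getsid(0) };
        _exit(write(fds[1], &me, sizeof me) == (ssize_t)sizeof me ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (n != (ssize_t)sizeof *out || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return 0;
}

/* 1 if the child is still a member of the calling (master) process group. */
int shares_master_group(const struct child_ids *c)
{
    return c->pgid == getpgrp();
}

int main(void)
{
    struct child_ids c;
    for (int isolate = 0; isolate <= 1; isolate++) {
        if (spawn_and_inspect(isolate, &c) != 0) return 1;
        printf("isolate=%d child pgid=%ld master pgid=%ld shared=%d\n", isolate,
               (long)c.pgid, (long)getpgrp(), shares_master_group(&c));
    }
    return 0;
}
```

On a running system the same property can be audited by comparing the PGID column of `ps -o pid,pgid,sid,comm` for a server process and the command children it spawns.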
Systems Affected

|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|SSH Communications Security|Affected|-|14 May 2003|
|Hewlett-Packard Company|Not Affected|-|29 May 2008|
Thanks to Logan Gabriel for reporting this vulnerability.
This document was written by Ian A Finlay.
- CVE IDs: Unknown
- Date Public: 25 Nov 2002
- Date First Published: 25 Nov 2002
- Date Last Updated: 29 May 2008
- Severity Metric: 8.35
- Document Revision: 15