|Description||ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||high (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
The information below is based on the following data on fixed versions.
[etch] - openssh <no-dsa> (minor issue in weak security measure)
[sarge] - openssh <no-dsa> (minor issue in weak security measure)
An exploit needs limited control over the machine running a
trusted X client, so this is only a slight privilege
escalation. The X Security extension is merely an afterthought
and is unlikely to provide strong security guarantees.