cbcvebase.
CVE-2007-4752
published 2007-09-12

Priority: P2 · 73 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW: VulnCheck KEV (Exploited in the wild)
EPSS: 2.37% (81.7th percentile)

ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.

Affected

18 ranges
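| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | < openssh 1:4.7p1-1 (bookworm) | openssh 1:4.7p1-1 (bookworm) |
| openbsd | openssh | <= 4.6 | |
| openbsd | openssh | | |
| openbsd | openssh | | |
| openbsd | openssh | | |
| openbsd | openssh | | |
| openbsd | openssh | | |
| openbsd | openssh | | |
| openbsd | openssh | | |
| openbsd | openssh | | |
| openbsd | openssh | | |
| openbsd | openssh | | |
| openbsd | openssh | | |
| openbsd | openssh | | |
| openbsd | openssh | >= 0 < 1:4.7p1-1 | 1:4.7p1-1 |
| openbsd | openssh | >= 0 < 1:4.7p1-1 | 1:4.7p1-1 |
| openbsd | openssh | >= 0 < 1:4.7p1-1 | 1:4.7p1-1 |
| openbsd | openssh | >= 0 < 1:4.7p1-1 | 1:4.7p1-1 |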

Detection & IOCs (extracted from sources)

  • Vulnerable condition: ssh falls back to using a trusted X11 cookie when generation of an untrusted X11 cookie fails, causing an X client to be treated as trusted — monitor X11 forwarding sessions on OpenSSH versions prior to 4.7 for unexpected trusted-cookie usage
  • The vulnerable code path is in clientloop.c — the fix was applied between revisions 1.180 and 1.181; audit or diff that file on deployed OpenSSH binaries to confirm patch status
  • On RHEL 4 and 5, Trusted X11 forwarding is enabled in the default ssh client configuration as of RHEL 4 Update 1 and is used whenever X11 forwarding is used — any X11-forwarded session on unpatched systems is potentially exploitable
  • RHEL 2.1 and RHEL 3 are NOT affected because their OpenSSH packages do not support Trusted X11 forwarding at all
  • The vulnerability only manifests when X11 forwarding is in use and the untrusted cookie creation fails — deployments with X11 forwarding disabled are not exposed
  • Fixed in OpenSSH 4.7 (Debian package 1:4.7p1-1); systems running OpenSSH >= 4.7 are not vulnerable

CVSS provenance

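| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.5 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | LOW | |
| vendor_redhat | | 7.5 | HIGH | |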