ESB-2001.024 -- FreeBSD-SA-01:01 -- Hostile server OpenSSH agent/X11 forwarding

Date: 17 January 2001

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution
                             
                      ESB-2001.024 -- FreeBSD-SA-01:01
                 Hostile server OpenSSH agent/X11 forwarding
                               17 January 2001

===========================================================================

	AusCERT Security Bulletin Summary
	---------------------------------

Product:                OpenSSH
Vendor:                 FreeBSD
Operating System:       FreeBSD
                        BSD
Impact:                 Access Privileged Data
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:01                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Hostile server OpenSSH agent/X11 forwarding

Category:       core/ports
Module:         openssh
Announced:      2001-01-15
Credits:        Markus Friedl <markus@OpenBSD.org>
Affects:        FreeBSD 4.1.1-STABLE prior to the correction date
                Ports collection prior to the correction date
Corrected:      2000-11-14
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

OpenSSH is an implementation of the SSH1 and SSH2 secure shell
protocols for providing encrypted and authenticated network access,
which is available free for unrestricted use. Versions of OpenSSH are
included in the FreeBSD ports collection and the FreeBSD base system.

II.  Problem Description

To quote the OpenSSH Advisory:

    If agent or X11 forwarding is disabled in the ssh client
    configuration, the client does not request these features
    during session setup.  This is the correct behaviour.

    However, when the ssh client receives an actual request   
    asking for access to the ssh-agent, the client fails to
    check whether this feature has been negotiated during session
    setup.  The client does not check whether the request is in
    compliance with the client configuration and grants access
    to the ssh-agent.  A similar problem exists in the X11
    forwarding implementation.

All versions of FreeBSD 4.x prior to the correction date including
FreeBSD 4.1 and 4.1.1 are vulnerable to this problem, but it was
corrected prior to the release of FreeBSD 4.2.  For users of FreeBSD
3.x, OpenSSH is not installed by default, but is part of the FreeBSD
ports collection.

The base system and ports collections shipped with FreeBSD 4.2 do not
contain this problem since it was discovered before the release.

III. Impact

Hostile SSH servers can access your X11 display or your ssh-agent when
connected to, which may allow access to confidential data or other
network accounts, through snooping of password or keying material
through the X11 session, or reuse of the SSH credentials obtained
through the SSH agent.

IV.  Workaround

Clear both the $DISPLAY and $SSH_AUTH_SOCK variables before connecting
to untrusted hosts. For example, in Bourne shell syntax:

% unset SSH_AUTH_SOCK; unset DISPLAY; ssh host
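
The following is an added illustration, not code from the OpenSSH or
FreeBSD advisory: a simplified C model of the client-side decision
described in section II, and of why the section IV workaround is
effective. The session structure, function names and scenarios are
assumptions made for the example; the channel type strings are the SSH2
ones ("x11" and "auth-agent@openssh.com"). The vulnerable path grants an
unsolicited agent or X11 channel whenever a local agent socket or display
is available; the fixed path first checks that the client itself
requested the feature during session setup; the workaround removes the
socket and display so that even the unfixed path has nothing to hand out.

```c
/*
 * Added example (not OpenSSH or FreeBSD code): simplified model of the
 * client-side check SA-01:01 describes.  A hostile server sends an
 * unsolicited channel-open for agent or X11 forwarding; the client must
 * refuse it unless it requested that feature during session setup.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* What the client asked for, derived from its configuration
 * (ForwardAgent / ForwardX11).  Assumed structure, not OpenSSH's. */
struct client_session {
    bool agent_forwarding_requested;
    bool x11_forwarding_requested;
};

enum channel_kind { CH_AGENT, CH_X11, CH_OTHER };

/* Channel type strings as used in SSH2. */
static enum channel_kind classify(const char *ctype)
{
    if (strcmp(ctype, "auth-agent@openssh.com") == 0)
        return CH_AGENT;
    if (strcmp(ctype, "x11") == 0)
        return CH_X11;
    return CH_OTHER;
}

/* Vulnerable behaviour: honours the request whenever a local agent
 * socket or display exists; the negotiated state is never consulted. */
bool vulnerable_accept_open(const struct client_session *s, const char *ctype,
                            bool have_agent_socket, bool have_display)
{
    (void)s;
    switch (classify(ctype)) {
    case CH_AGENT: return have_agent_socket;
    case CH_X11:   return have_display;
    default:       return false;
    }
}

/* Fixed behaviour: a forwarding channel is granted only if the client
 * itself requested that feature during session setup. */
bool fixed_accept_open(const struct client_session *s, const char *ctype,
                       bool have_agent_socket, bool have_display)
{
    switch (classify(ctype)) {
    case CH_AGENT: return s->agent_forwarding_requested && have_agent_socket;
    case CH_X11:   return s->x11_forwarding_requested && have_display;
    default:       return false;
    }
}

/* Constructed scenario: forwarding disabled in the client config, but
 * SSH_AUTH_SOCK and DISPLAY are set, and the server asks anyway. */
bool scenario_vulnerable(const char *ctype)
{
    struct client_session s = { false, false };
    return vulnerable_accept_open(&s, ctype, true, true);
}

bool scenario_fixed(const char *ctype)
{
    struct client_session s = { false, false };
    return fixed_accept_open(&s, ctype, true, true);
}

/* Same unfixed client after the section IV workaround: both variables
 * unset, so there is no socket or display to hand out. */
bool scenario_workaround(const char *ctype)
{
    struct client_session s = { false, false };
    return vulnerable_accept_open(&s, ctype, false, false);
}

/* Fixed client with forwarding deliberately enabled still works. */
bool scenario_fixed_enabled(const char *ctype)
{
    struct client_session s = { true, true };
    return fixed_accept_open(&s, ctype, true, true);
}

int main(void)
{
    const char *agent = "auth-agent@openssh.com";
    printf("vulnerable client, forwarding off: grants agent = %d\n",
           scenario_vulnerable(agent));
    printf("fixed client, forwarding off:      grants agent = %d\n",
           scenario_fixed(agent));
    printf("vulnerable client + workaround:    grants agent = %d\n",
           scenario_workaround(agent));
    return 0;
}
```

The point the model makes is that a configuration setting which only
suppresses the client's own request is not a security control; the
check has to be applied again when the server's request arrives, which
is what the correction does. Until then, clearing the two variables is
the only thing that makes the unfixed client safe.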

V.   Solution

Upgrade the vulnerable system to 4.1.1-STABLE or 4.2-STABLE after the
correction date, or patch your current system source code and rebuild.

To patch your present system: download the patch from the below
location and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:01/openssh.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:01/openssh.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/crypto/openssh
# patch < /path/to/openssh.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

[Ports collection]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/security/openssh-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/security/openssh-2.2.0.tgz

NOTE: Due to an oversight the package version was not updated after
the security fix was applied, so be sure to install a package created
after the correction date.
 
3) download a new port skeleton for the OpenSSH port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOmN6RFUuHi5z0oilAQGAUAQAllC+FmvfYpmP6gQqO+xB6UIZsK0GQsAM
WRCOiULMLBD4kHJkYVJUQmSyK5jPxEVkwILX3jE9qZhB65alW20L965mQS/DjM5p
bj0itnwTy1DL6dul15vWBfCJKxL/A0SrgVv+hnDwHx3YU4x0re/1bNU3gVa8bT1K
Nnu2/m1wmpU=
=MAzv
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOm/y1yh9+71yA2DNAQHBzQP5Af8dpzW4D6Q+wRxB76TCAZ0+HYLqkwWO
1z6TqwMWVjtPEoJ/gC1GSRmd2/lSQ4ZlzRvIsHso4L7GZzKD/WI+dxWQBOMa+TkM
TWBfvUkTECn35qTj7rm5pRK/pWFJL9uyP2FXBrxUZFPEUfiyvTqtbpFmVC0yma8T
FvspiXijdTo=
=VOiQ
-----END PGP SIGNATURE-----