CERT VU:363181
History: Aug 13, 2001 - 12:00 a.m.

OpenSSH disregards client configuration and allows server access to ssh-agent and/or X11 after session negotiation

2001-08-13 00:00:00
www.kb.cert.org

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.007 Low
Percentile: 80.2%

Overview

Versions of the OpenSSH client prior to 2.3.0 do not properly enforce restrictions on access to the ssh-agent or X11 display.

Description

An OpenSSH client can be configured to prevent servers from accessing the client’s ssh-agent or X11 display. However, versions of OpenSSH client prior to 2.3.0 fail to enforce these settings and thus allow access regardless of the client’s desired configuration.

The ssh-agent program is a tool used to store private keys for subsequent use by programs started in the same session. When an SSH connection is established, the client and server negotiate whether or not the server may have access to the client’s local ssh-agent (and consequently, the client’s stored authentication material). The **ForwardAgent** setting specifies whether access to the client’s ssh-agent is permitted. However, if a server requests access to the local ssh-agent after the connection is negotiated, versions of the OpenSSH client prior to 2.3.0 will permit it even if **ForwardAgent** is set to “no.”

A similar problem exists in the implementation of X11 forwarding in the same versions of the OpenSSH client.
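The missing check can be shown with a small model. This is an added example, not OpenSSH source code: it is a simplified sketch of the client-side decision, and every type and function name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the client-side logic; all names are hypothetical. */
enum request { REQ_AGENT_OPEN, REQ_X11_OPEN };
enum verdict { REFUSE = 0, ALLOW = 1 };

struct client_options {   /* what the user configured */
    bool forward_agent;   /* models ForwardAgent yes/no */
    bool forward_x11;     /* models the X11 forwarding setting */
};

struct session {          /* what the client asked for at session setup */
    bool agent_requested;
    bool x11_requested;
};

/* Session setup: only features enabled in the configuration are requested. */
struct session session_setup(const struct client_options *o) {
    struct session s = { o->forward_agent, o->forward_x11 };
    return s;
}

/* Behaviour the advisory describes for clients prior to 2.3.0:
 * a later request from the server is granted without any check. */
enum verdict handle_request_unchecked(const struct client_options *o,
                                      const struct session *s, enum request r) {
    (void)o; (void)s; (void)r;
    return ALLOW;
}

/* Checked handler: grant only what is both configured and negotiated. */
enum verdict handle_request_checked(const struct client_options *o,
                                    const struct session *s, enum request r) {
    switch (r) {
    case REQ_AGENT_OPEN: return (o->forward_agent && s->agent_requested) ? ALLOW : REFUSE;
    case REQ_X11_OPEN:   return (o->forward_x11 && s->x11_requested) ? ALLOW : REFUSE;
    default:             return REFUSE;   /* unknown request types are refused */
    }
}

int main(void) {
    struct client_options off = { false, false };   /* both forwardings disabled */
    struct session s = session_setup(&off);
    printf("unchecked agent request: %d\n", handle_request_unchecked(&off, &s, REQ_AGENT_OPEN));
    printf("checked agent request:   %d\n", handle_request_checked(&off, &s, REQ_AGENT_OPEN));
    return 0;
}
```

With both settings disabled, the unchecked handler still grants the agent request, while the checked handler refuses it because the feature was neither configured nor requested at session setup.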


Impact

Malicious servers can gain access to your X11 display or key material cached with ssh-agent.


Solution

Upgrade to OpenSSH 2.3.0 or later, or apply the patch for this issue available at <http://www.openssh.com>.


Clear both the $DISPLAY and the $SSH_AUTH_SOCK variables before connecting to untrusted hosts:

    % unset SSH_AUTH_SOCK; unset DISPLAY; ssh host


Vendor Information


OpenSSH: Affected

Updated: June 25, 2001

Status

Affected

Vendor Statement

“All versions of OpenSSH prior to 2.3.0 are affected… If agent or X11 forwarding is disabled in the ssh client configuration, the client does not request these features during session setup. This is the correct behaviour. However, when the ssh client receives an actual request asking for access to the ssh-agent, the client fails to check whether this feature has been negotiated during session setup. The client does not check whether the request is in compliance with the client configuration and grants access to the ssh-agent. A similar problem exists in the X11 forwarding implementation… Hostile servers can access your X11 display or your ssh-agent.”

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Acknowledgements

Thanks to Jacob Langseth for pointing out the X11 forwarding issue and to Markus Friedl who published an advisory on this topic.

This document was written by Shawn Hernan and Shawn Van Ittersum.

Other Information

CVE IDs: CVE-2000-1169
Severity Metric: 0.98
Date Public:
