OpenSSH is an implementation of the Secure Shell protocol. A user may be able to bypass the IP-based access control restriction specified for a key when two keys of differing types are listed.
OpenSSH versions 2.5.x through 2.9.x may fail to enforce the IP-based access control restriction feature. A user may specify the IP addresses from which a key may be used, and may have several entries for several keys. The expected behavior of this feature can be demonstrated as follows. If the authorized_keys2 file contained an entry for key A, an RSA key restricted to 10.0.0.1 via the "from=" line option, and an entry for key B, a DSA key restricted to 10.0.0.2, then key B would be of no use if compromised unless it was used from the machine with the IP address 10.0.0.2.
Due to the flaw in this feature, when a user specifies two keys of differing types in their ~/.ssh/authorized_keys2, OpenSSH may fail to apply the proper source-IP-based access control restrictions specified by the "from=" option. For example, assume key A is an RSA key restricted to 10.0.0.1 via the "from=" option and key B is a DSA key restricted to 10.0.0.2. Now assume that key B is compromised. One would expect that key B could only be used from 10.0.0.2. However, since key A is specified on the line immediately before the entry for the compromised key and is of a different type with a different "from=" restriction, the intruder can access the network from the IP address of key A (10.0.0.1) using the compromised key B.
Likewise, a systems administrator could set up a single authorized_keys2 file and direct the individual users' ssh clients to this file via a symbolic link. If the systems administrator kept the file world-readable but not writable, he could control the contents of the file. In this case, a malicious user could use their key in the same manner as described above to bypass any IP restrictions that the systems administrator may have placed on them.
An attacker with a compromised key, or an authorized user, can circumvent the security policies and log in from IP addresses that are not permitted to access the system.
This vulnerability is fixed in OpenSSH 2.9.9. Upgrade to version 2.9.9 or later.
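For hosts that cannot be upgraded immediately, an administrator can check whether any authorized_keys2 file contains the layout described above. The following audit helper is an added example, not part of the original advisory or of OpenSSH; it assumes the key types `ssh-rsa` and `ssh-dss`, and its function names and sample file are constructed for illustration.

```python
import re

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # assumed protocol 2 key types for this example

def parse_options(spec):
    """Parse 'from="a,b",no-pty' into {'from': 'a,b', 'no-pty': None}."""
    opts = {}
    # Split on commas that are outside double quotes.
    for item in re.findall(r'(?:[^,"]+|"(?:\\.|[^"\\])*")+', spec):
        name, _, value = item.partition("=")
        opts[name.lower()] = value.strip('"') if value else None
    return opts

def split_entry(line):
    """Return (options, key_type) for one authorized_keys2 line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Split on whitespace outside double quotes, so option values such as
    # command="echo hi" stay in one field.
    fields = re.findall(r'(?:[^\s"]+|"(?:\\.|[^"\\])*")+', line)
    if fields and fields[0] in KEY_TYPES:
        return {}, fields[0]            # entry without options
    if len(fields) > 1 and fields[1] in KEY_TYPES:
        return parse_options(fields[0]), fields[1]
    return None                         # not a recognised key entry

def risky_pairs(text):
    """Line-number pairs of adjacent keys that differ in type and in from=."""
    hits, prev = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        opts, ktype = entry
        if prev and prev[2] != ktype and prev[1].get("from") != opts.get("from"):
            hits.append((prev[0], lineno))
        prev = (lineno, opts, ktype)
    return hits

SAMPLE = '''\
# constructed sample file; key blobs are placeholders
from="10.0.0.1" ssh-rsa AAAA_constructed_rsa_blob keyA
from="10.0.0.2",command="echo hi" ssh-dss AAAA_constructed_dsa_blob keyB
from="10.0.0.2" ssh-dss AAAA_constructed_dsa_blob2 keyC
'''

if __name__ == "__main__":
    print(risky_pairs(SAMPLE))  # line pairs to review before relying on from=
```

Any pair reported should be treated as having no reliable "from=" restriction until the host runs 2.9.9 or later.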
905795
Updated: December 05, 2001
Affected
<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000431>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Updated: December 05, 2001
Affected
<ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/IMNX-2001-70-034-01>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: December 05, 2001
Affected
<http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-081.php3?dis=8.1>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: December 05, 2001
Affected
<http://www.openbsd.org/advisories/ssh_option.txt>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: December 05, 2001
Affected
<http://www.redhat.com/support/errata/RHSA-2001-114.html>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: December 05, 2001
Affected
<http://www.trustix.net/errata/misc/2001/TSL-2001-0023-openssh.asc.txt>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
<http://www.securityfocus.com/bid/3369>
This vulnerability was discovered by the OpenSSH team.
This document was written by Jason Rafail.
CVE IDs: | None
---|---
Severity Metric: | 0.30
Date Public: | 2001-09-27
Date First Published: | 2001-12-07
Date Last Updated: | 2001-12-10 16:51 UTC
Document Revision: | 13