### Overview
[OpenSSH](<http://www.openssh.com/>) is an implementation of the Secure Shell protocol. A user may be able to bypass the IP-based access control restriction specified for a key when two keys of different types are listed.
### Description
Versions of [OpenSSH](<http://www.openssh.com/>) between 2.5.x and 2.9.x may fail to enforce the IP-based access control restriction feature. A user may specify the IP addresses from which a key may be used, and may have several entries for several keys. The expected behavior of this feature is as follows: if the authorized_keys2 file contained an entry for a key A that was an RSA key restricted to 10.0.0.1 via the "from=" line option, and key B was a DSA key restricted to 10.0.0.2, then key B would not be of any use if compromised unless it was used from the machine with an IP address of 10.0.0.2.
Due to the flaw in this feature, when a user specifies two keys of differing types in their ~/.ssh/authorized_keys2, OpenSSH may fail to apply the proper source IP based access control restrictions specified by the "from=" line. For example, assume key A was an **RSA** key and restricted to **10.0.0.1** via the "from=" line and key B was a **DSA** key and restricted to **10.0.0.2**. Now assume that key B is compromised. One would expect that key B could only be used from 10.0.0.1. However, because key A is listed on the line immediately before the entry for the compromised key and has a different type and a different "from=" value, the intruder can access the network from the IP address of key A (10.0.0.1) using the compromised key B.
Likewise, a systems administrator could set up a single authorized_keys2 file and direct the individual users' ssh clients to this file via a symbolic link. If the systems administrator kept the file world-readable but not writable, then he could control the contents of the file. In this case, a malicious user could use their key in the same way as described above to bypass any IP restrictions that the systems administrator may have placed on them.
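The following Python audit is an added example, not code from CERT/CC or the OpenSSH project. It scans an authorized_keys2 file for the layout described above: adjacent entries of different key types that carry different "from=" values. The function names, the `ssh-rsa`/`ssh-dss` type tokens it matches, and the sample file are assumptions of this example; escaped quotes inside option values are not handled.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss")  # RSA and DSA protocol 2 key types

def split_unquoted(s, sep):
    """Split s on sep, ignoring separators inside double quotes."""
    parts, buf, quoted = [], "", False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [p for p in parts if p]

def parse_entry(line):
    """Return (key_type, from_set or None), or None if the line holds no key."""
    fields = split_unquoted(line.strip().replace("\t", " "), " ")
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0] in KEY_TYPES:          # entry without an options field
        return fields[0], None
    if len(fields) < 2 or fields[1] not in KEY_TYPES:
        return None
    sources = None
    for opt in split_unquoted(fields[0], ","):
        name, _, value = opt.partition("=")
        if name.lower() == "from":
            sources = frozenset(value.strip('"').split(","))
    return fields[1], sources

def audit(text):
    """Return (line_a, line_b) pairs of adjacent entries matching the pattern."""
    findings, prev = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        key_type, sources = entry
        if prev and key_type != prev[1] and sources and prev[2] and sources != prev[2]:
            findings.append((prev[0], lineno))
        prev = (lineno, key_type, sources)
    return findings

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = """\
# shared authorized_keys2
from="10.0.0.1" ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_A keyA
from="10.0.0.2" ssh-dss AAAAB3NzaC1kc3M_PLACEHOLDER_B keyB
from="10.0.0.3" ssh-dss AAAAB3NzaC1kc3M_PLACEHOLDER_C keyC
"""
```

On a server still running an affected version, a flagged pair means the "from=" restriction on the second entry should not be relied upon until OpenSSH is upgraded.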
---
### Impact
An attacker with a compromised key, or an authorized user, can circumvent the security policies and log in from IP addresses that are not permitted to access the system.
---
### Solution
This vulnerability is fixed in OpenSSH 2.9.9. [Upgrade](<http://www.openssh.com/>) to version 2.9.9 or later.
---
### Vendor Information
### Conectiva (Affected)
Updated: December 05, 2001
### Status
Affected
### Vendor Statement
[http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000431](<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000431>)
### Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
### Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23905795 Feedback>).
### Immunix (Affected)
Updated: December 05, 2001
### Status
Affected
### Vendor Statement
<ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/IMNX-2001-70-034-01>
### Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
### Addendum
The CERT/CC has no additional comments at this time.
### MandrakeSoft (Affected)
Updated: December 05, 2001
### Status
Affected
### Vendor Statement
<http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-081.php3?dis=8.1>
### Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
### Addendum
The CERT/CC has no additional comments at this time.
### OpenSSH (Affected)
Updated: December 05, 2001
### Status
Affected
### Vendor Statement
<http://www.openbsd.org/advisories/ssh_option.txt>
### Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
### Addendum
The CERT/CC has no additional comments at this time.
### Red Hat (Affected)
Updated: December 05, 2001
### Status
Affected
### Vendor Statement
<http://www.redhat.com/support/errata/RHSA-2001-114.html>
### Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
### Addendum
The CERT/CC has no additional comments at this time.
### Trustix (Affected)
Updated: December 05, 2001
### Status
Affected
### Vendor Statement
<http://www.trustix.net/errata/misc/2001/TSL-2001-0023-openssh.asc.txt>
### Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
### Addendum
The CERT/CC has no additional comments at this time.
### References
<http://www.securityfocus.com/bid/3369>
### Acknowledgements
This vulnerability was discovered by the OpenSSH team.
This document was written by Jason Rafail.
### Other Information
**CVE IDs:** | None
---|---
**Severity Metric:** | 0.30
**Date Public:** | 2001-09-27
**Date First Published:** | 2001-12-07
**Date Last Updated:** | 2001-12-10 16:51 UTC
**Document Revision:** | 13