
OpenSSH fails to properly apply source IP based access control restrictions

Description

### Overview

[OpenSSH](<http://www.openssh.com/>) is an implementation of the Secure Shell protocol. A user may be able to bypass the IP based access control restriction specified for a key when two keys of differing types are specified.

### Description

Versions of [OpenSSH](<http://www.openssh.com/>) between 2.5.x - 2.9.x may fail to enforce the IP based access control restriction feature. A user may specify from which IPs a key may be used, and may have several entries for several keys. The expected behavior of this feature can be demonstrated as follows. If the authorized_keys2 file contained an entry for a key A that was an RSA key restricted to 10.0.0.1 via the "from=" line option, and key B was a DSA key restricted to 10.0.0.2, then key B would not be of any use if compromised unless it was used from the machine with an IP address of 10.0.0.2.

Due to the flaw in this feature, when a user specifies two keys of differing types in their ~/.ssh/authorized_keys2, OpenSSH may fail to apply the proper source IP based access control restrictions specified by the "from=" line. For example, assume key A was an **RSA** key restricted to **10.0.0.1** via the "from=" line and key B was a **DSA** key restricted to **10.0.0.2**. Now assume that key B is compromised. One would expect that key B could only be used from 10.0.0.2. However, because key A is specified on the line immediately before the entry for the compromised key and has a different key type and a different "from=" value, the intruder can access the network from the IP address of key A (10.0.0.1) using the compromised key B.

Likewise, a systems administrator could set up a single authorized_keys2 file and direct the individual users' ssh clients to this file via a symbolic link. If the systems administrator kept the file world readable, but not writable, then he could control the contents of the file.
In this case, a malicious user could use their key in the same way as described above to bypass any IP restrictions that the systems administrator may have placed on them.

---

### Impact

An attacker with a compromised key, or an authorized user, can circumvent the security policies and log in from IP addresses that are not permitted to access the system.

---

### Solution

This vulnerability is fixed in OpenSSH 2.9.9. [Upgrade](<http://www.openssh.com/>) to version 2.9.9 or later.

---

### Vendor Information

### Conectiva

Affected. Updated: December 05, 2001

### Status

Affected

### Vendor Statement

<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000431>

### Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

### Addendum

The CERT/CC has no additional comments at this time. If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23905795 Feedback>).

### Immunix

Affected. Updated: December 05, 2001

### Status

Affected

### Vendor Statement

<ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/IMNX-2001-70-034-01>

### Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.
### MandrakeSoft

Affected. Updated: December 05, 2001

### Status

Affected

### Vendor Statement

<http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-081.php3?dis=8.1>

### Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

### OpenSSH

Affected. Updated: December 05, 2001

### Status

Affected

### Vendor Statement

<http://www.openbsd.org/advisories/ssh_option.txt>

### Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

### Red Hat

Affected. Updated: December 05, 2001

### Status

Affected

### Vendor Statement

<http://www.redhat.com/support/errata/RHSA-2001-114.html>

### Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

### Trustix

Affected. Updated: December 05, 2001

### Status

Affected

### Vendor Statement

<http://www.trustix.net/errata/misc/2001/TSL-2001-0023-openssh.asc.txt>

### Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.
### CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

### References

<http://www.securityfocus.com/bid/3369>

### Acknowledgements

This vulnerability was discovered by the OpenSSH team.

This document was written by Jason Rafail.

### Other Information

**CVE IDs:** | None
---|---
**Severity Metric:** | 0.30
**Date Public:** | 2001-09-27
**Date First Published:** | 2001-12-07
**Date Last Updated:** | 2001-12-10 16:51 UTC
**Document Revision:** | 13
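
An audit check for the condition in the Description and Solution above, added here as an example and not part of the CERT/CC note or of OpenSSH: it tests whether a version banner falls in the affected range (2.5.x up to, but not including, the fixed 2.9.9) and flags neighbouring authorized_keys2 entries that differ in both key type and "from=" value. The function names, the `OpenSSH_<version>` banner format and the sample file are assumptions, and the key blobs are constructed placeholders; entries separated only by comments are treated as adjacent, and a pair where just one entry carries "from=" is also flagged, which goes slightly beyond the advisory's example.

```python
import re

KEY_TYPES = {"ssh-rsa", "ssh-dss"}          # RSA and DSA entries in authorized_keys2
FIRST_AFFECTED, FIXED = (2, 5), (2, 9, 9)   # range and fix stated in the advisory

def is_affected(banner):
    """True if a banner such as 'OpenSSH_2.9p2' is in the affected range."""
    m = re.search(r"OpenSSH_(\d+(?:\.\d+)*)", banner)
    if not m:
        return False
    version = tuple(int(part) for part in m.group(1).split("."))
    return FIRST_AFFECTED <= version < FIXED

def split_entry(line):
    """Return (options, key_type) for one entry, or None for other lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split()[0] in KEY_TYPES:
        return "", line.split()[0]
    in_quotes = False
    for i, ch in enumerate(line):   # options end at the first unquoted whitespace
        if ch == '"' and line[i - 1:i] != "\\":
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            rest = line[i:].split()
            return (line[:i], rest[0]) if rest[0] in KEY_TYPES else None
    return None

def from_value(options):
    """Return the from= pattern list of an options string, or None if absent."""
    m = re.search(r'(?:^|,)from="([^"]*)"', options)
    return m.group(1) if m else None

def risky_pairs(text):
    """Line-number pairs of neighbouring entries whose key type and from= both differ."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = split_entry(line)
        if parsed:
            entries.append((lineno, parsed[1], from_value(parsed[0])))
    return [(a[0], b[0]) for a, b in zip(entries, entries[1:])
            if a[1] != b[1] and a[2] != b[2]]

# Constructed sample: key blobs are placeholders, addresses follow the advisory.
SAMPLE = """\
from="10.0.0.1" ssh-rsa AAAAB3PLACEHOLDERA userA
# key B, the DSA key from the advisory's scenario
from="10.0.0.2" ssh-dss AAAAB3PLACEHOLDERB userB
from="10.0.0.3",no-pty ssh-dss AAAAB3PLACEHOLDERC userC
"""

if __name__ == "__main__":
    print("affected:", is_affected("OpenSSH_2.9p2"))
    for first, second in risky_pairs(SAMPLE):
        print(f"review lines {first} and {second}: mixed key types, differing from=")
```

A flagged pair only matters on a host whose sshd is in the affected range; on 2.9.9 or later the same file is enforced as written.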