OpenSSH sftp-server Restricted Keypair Restriction Bypass

2001-09-18T07:24:07
ID OSVDB:5536
Type osvdb
Reporter Peter Watkins (peterw@usa.net)
Modified 2001-09-18T07:24:07

Description

Vulnerability Description

OpenSSH contains a flaw that may allow a malicious user to bypass the access restrictions that the command= keyword in authorized_keys2 imposes on a restricted keypair. The issue is triggered when a user who logs in with a restricted keypair uses the sftp subsystem to execute commands on the affected server, potentially including file retrieval, replacement, deletion, or permission and ownership alteration. The flaw may allow a bypass of the original access restrictions, resulting in a loss of confidentiality, integrity, and/or availability.

Solution Description

Upgrade to version 2.9.9 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch, or by disabling the sftp subsystem.
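
An audit check built from the conditions above, as an added example that is not part of the original advisory or of OpenSSH: it reports restricted keys only when the version is below 2.9.9 and the sftp subsystem is enabled. The function names, the "OpenSSH_x.y" banner format taken as input, and the sample configuration and key lines are assumptions constructed for illustration.

```python
import re

FIXED = (2, 9, 9)  # first fixed release according to the advisory

def is_fixed(banner):
    """True if a banner such as 'OpenSSH_2.9p2' (assumed format) is >= FIXED."""
    m = re.search(r"OpenSSH_(\d+(?:\.\d+)*)", banner)
    return bool(m) and tuple(int(p) for p in m.group(1).split(".")) >= FIXED

def sftp_subsystem(sshd_config):
    """Return the sftp subsystem command from sshd_config text, or None."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0].lower() == "subsystem" and parts[1] == "sftp":
            return " ".join(parts[2:])
    return None

def forced_commands(authorized_keys):
    """Return (line_number, command) for every key entry carrying command=."""
    hits = []
    for number, line in enumerate(authorized_keys.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The options field ends at the first whitespace outside double quotes.
        end, quoted = 0, False
        while end < len(line) and (quoted or not line[end].isspace()):
            if line[end] == "\\" and quoted:
                end += 1  # skip the escaped character
            elif line[end] == '"':
                quoted = not quoted
            end += 1
        m = re.search(r'(?:^|,)command="((?:\\.|[^"\\])*)"', line[:end], re.I)
        if m:
            hits.append((number, m.group(1)))
    return hits

def exposed_keys(banner, sshd_config, authorized_keys):
    """Restricted keys whose command= limit the sftp subsystem can sidestep."""
    if is_fixed(banner) or sftp_subsystem(sshd_config) is None:
        return []
    return forced_commands(authorized_keys)

# Constructed sample input (not taken from the advisory).
SAMPLE_CONFIG = "Port 22\nSubsystem sftp /usr/libexec/sftp-server\n"
SAMPLE_KEYS = (
    'command="/usr/local/bin/backup --run",no-pty ssh-dss AAAAB3NzaC1kc3M= backup@example\n'
    "ssh-rsa AAAAB3NzaC1yc2E= admin@example\n"
)
```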

References:

Vendor Specific Advisory URL
Vendor Specific Advisory URL
RedHat RHSA: RHSA-2001:154
ISS X-Force ID: 7634
Generic Exploit URL: http://archives.neohapsis.com/archives/bugtraq/2001-09/0153.html
CVE-2001-0816