(Patch Included) Re: OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
SecurityTracker Alert ID: 1002457
SecurityTracker URL: http://securitytracker.com/id/1002457
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 27 2001
Impact: Host/resource access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Versions of OpenSSH between 2.5 and 2.9.9

Description:
OpenSSH reported a weakness in OpenSSH's IP-based access control functions when configured for SSH v2 public key authentication. Remote users connecting from IP addresses that are to be restricted may be able to connect.
The vulnerability is due to a weakness in the source IP address access control features in the key file option handling. When source IP based access control is used for SSH protocol v2 public key authentication, the access controls may fail if the 'from=' key file option is enabled in combination with both RSA and DSA keys in the '~/.ssh/authorized_keys2' file.
Whether the vulnerability can be triggered or not reportedly depends on the order of the user keys in the file. If a source IP restricted key (e.g., DSA key) is immediately followed by a different type of key (e.g., RSA key), then the key options for the second key will be applied to both keys. These options include the 'from=' restriction.
OpenSSH reports that the fixed version (2.9.9) contains some changes that may affect users upgrading from previous versions. See the Source Message for details.
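
As an added example (not part of the advisory or of OpenSSH), the following Python check scans an authorized_keys2 file for the ordering described above: a key line carrying 'from=' that is immediately followed by a key of a different type. It assumes the key type names 'ssh-dss' and 'ssh-rsa' and that blank and comment lines do not break adjacency; the function names, the sample file and its key blobs are constructed.

```python
import sys

KEY_TYPES = {"ssh-dss", "ssh-rsa"}  # assumed SSH v2 key type names

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = '''\
# admin workstation only
from="10.0.0.1" ssh-dss AAAAPLACEHOLDERDSA alice@admin
ssh-rsa AAAAPLACEHOLDERRSA1 alice@laptop
command="/bin/echo hi, there",from="10.0.0.2" ssh-rsa AAAAPLACEHOLDERRSA2 backup
from="10.0.0.3" ssh-rsa AAAAPLACEHOLDERRSA3 cron
'''

def parse_line(line):
    """Return (key_type, has_from) for a key line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, buf, in_quote, i = [], "", False, 0
    if line.split()[0] not in KEY_TYPES:  # line begins with an options field
        while i < len(line):
            ch = line[i]
            if in_quote and ch == "\\" and line[i + 1:i + 2] == '"':
                buf, i = buf + '\\"', i + 2  # escaped quote inside a value
                continue
            if ch == '"':
                in_quote = not in_quote
            if not in_quote and ch in ", \t":  # unquoted separator
                opts.append(buf)
                buf = ""
                if ch != ",":
                    break  # whitespace ends the options field
            else:
                buf += ch
            i += 1
    fields = line[i:].split()
    if not fields or fields[0] not in KEY_TYPES:
        return None
    return fields[0], any(o.lower().startswith("from=") for o in opts)

def risky_pairs(text):
    """List (line, type, next_line, next_type) for each from=-restricted key
    directly followed by a key of a different type."""
    keys = [(no, *p) for no, line in enumerate(text.splitlines(), 1)
            if (p := parse_line(line))]
    return [(a[0], a[1], b[0], b[1]) for a, b in zip(keys, keys[1:])
            if a[2] and a[1] != b[1]]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for no, typ, nno, ntyp in risky_pairs(text):
        print(f"line {no} ({typ}, from=) is followed by {ntyp} on line {nno}")
```

On an unpatched host, a reported pair means the 'from=' restriction on the first line should not be relied on until the upgrade or patch is applied.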

Impact:
Remote users with valid authentication credentials can circumvent the system policy and log in from disallowed source IP addresses.

Solution:
Upgrade to version 2.9.9, available at the Vendor URL and mirror sites, or apply the patch included in the Source Message.

Vendor URL: www.openssh.org/
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Wed, 26 Sep 2001 23:18:23 +0200
Subject: OpenSSH Security Advisory (adv.option)

Weakness in OpenSSH's source IP based access control
for SSH protocol v2 public key authentication.

1. Systems affected:

    Versions of OpenSSH between 2.5.x and 2.9.x using
    the 'from=' key file option in combination with
    both RSA and DSA keys in ~/.ssh/authorized_keys2.

2. Description:

    Depending on the order of the user keys in
    ~/.ssh/authorized_keys2 sshd might fail to apply the
    source IP based access control restriction (e.g.
    from="10.0.0.1") to the correct key:

    If a source IP restricted key (e.g. DSA key) is
    immediately followed by a key of a different type
    (e.g. RSA key), then key options for the second key
    are applied to both keys, which includes 'from='.

3. Impact:

    Users can circumvent the system policy
    and login from disallowed source IP addresses.

4. Solution:

    Apply the following patch.

    This bug is fixed in OpenSSH 2.9.9

5. Credits:

    None.

Appendix:
Index: key.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/key.c,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -p -IRCSID -r1.31 -r1.32
--- key.c 2001/09/17 20:50:22 1.31
+++ key.c 2001/09/19 13:23:29 1.32
@@ -358,7 +358,7 @@ write_bignum(FILE *f, BIGNUM *num)
return 1;
}
-/* returns 1 ok, -1 error, 0 type mismatch */
+/* returns 1 ok, -1 error */
int
key_read(Key *ret, char **cpp)
{
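Review bot: The updated comment above key_read() ("returns 1 ok, -1 error") no longer says what happens on a key type mismatch, which is the case this change is about. Suggest spelling it out, for example "returns 1 ok, -1 error (including key type mismatch)", so callers know that a well-formed key of another type is reported the same way as an unparsable line. Since 0 is dropped from the documented contract, it is also worth confirming that no other path in key_read() still returns 0; the hunks shown cover only the mismatch branch.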
@@ -413,7 +413,7 @@ key_read(Key *ret, char **cpp)
} else if (ret->type != type) {
/* is a key, but different type */
debug3("key_read: type mismatch");
- return 0;
+ return -1;
}
len = 2*strlen(cp);
blob = xmalloc(len);
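Review bot: In the "ret->type != type" branch, returning -1 instead of 0 changes what a caller written as a plain truth test sees: "if (key_read(...))" used to take a mismatch as false and will now take it as true. This diff touches only key.c, so each call site should be checked to compare the result against 1 (or against -1) explicitly rather than testing for non-zero. After this change the debug3("key_read: type mismatch") message is the only thing that tells a mismatch apart from a parse error, which is fine as long as no caller needs that distinction.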