(Immunix Issues Fix) OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations

SecurityTracker Alert ID: 1002567
SecurityTracker URL: http://securitytracker.com/id/1002567

CVE Reference:
GENERIC-MAP-NOMATCH

Date: Oct 18 2001

Impact:
Host/resource access via network

Fix Available: Yes   Vendor Confirmed: Yes

Version(s): OpenSSH 2.5 up to, but not including, 2.9.9 (the fix shipped in OpenSSH 2.9.9; the Immunix update packages 2.9.9p2)

Description:
The OpenSSH team reported a weakness in OpenSSH's IP-based access control for SSH protocol 2 public key authentication. Remote users connecting from IP addresses that a 'from=' restriction is meant to exclude may still be able to log in.
The weakness lies in the handling of key file options in '~/.ssh/authorized_keys2'. When the 'from=' option is used to restrict a key to certain source IP addresses, and the file contains both RSA and DSA keys, the restriction may not be enforced.
Whether the flaw can be triggered reportedly depends on the order of the keys in the file. If a source-IP-restricted key (e.g., a DSA key) is immediately followed by a key of a different type (e.g., an RSA key), the key options of the second key (including its 'from=' restriction, or the lack of one) are applied to both keys.
OpenSSH reports that the fixed version (2.9.9) contains some changes that may affect users upgrading from previous versions. See the Source Message for details.
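The ordering condition described above can be audited mechanically on existing key files. The following is an added example, not code from OpenSSH, SecurityTracker or Immunix: it parses an authorized_keys2 file (including quoted option values that contain commas or spaces) and flags every adjacent pair of keys of different types whose 'from=' restrictions differ, which is the layout the advisory says a pre-2.9.9 sshd mishandles. The sample key file is constructed for the example and its key blobs are placeholders, not real keys. The finding labels 'bypass' (the restricted key comes first, so the following key's looser options would apply to it) and 'restriction-changed' (the reverse order) are this example's own, inferred from the advisory's statement that the second key's options are applied to both keys. The actual fix remains upgrading to 2.9.9 or later.

```python
"""Audit an OpenSSH authorized_keys2 file for the mixed-key-type 'from='
hazard: a 'from='-restricted key immediately followed by a key of another
type. Added example; not OpenSSH or Immunix code."""
import re
from dataclasses import dataclass

# Protocol-2 key types. Files of the affected era held ssh-rsa and ssh-dss;
# newer types are accepted so the parser is not tied to 2001-era files.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


@dataclass
class AuthKey:
    lineno: int
    options: dict      # option name -> value (True for bare flags such as no-pty)
    key_type: str
    blob: str
    comment: str = ""

    @property
    def from_pattern(self):
        v = self.options.get("from")
        return v if isinstance(v, str) else None


def first_token(line):
    """Split at the first whitespace outside double quotes, so an option
    field like from="10.0.0.0/8",command="/bin/ls -l" stays in one piece."""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2                  # backslash escapes the next char in quotes
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def split_options(opts):
    """Parse the comma-separated option field into a dict. Quoted values may
    contain commas and spaces; a backslash escapes a quote inside them."""
    result, i, n = {}, 0, len(opts)
    while i < n:
        m = re.match(r"[A-Za-z0-9_-]+", opts[i:])
        if not m:
            raise ValueError(f"bad option text at offset {i}: {opts[i:]!r}")
        name = m.group(0).lower()
        i += len(name)
        value = True
        if i < n and opts[i] == "=":
            i += 1
            if i < n and opts[i] == '"':
                i, buf = i + 1, []
                while i < n and opts[i] != '"':
                    if opts[i] == "\\" and i + 1 < n:
                        i += 1
                    buf.append(opts[i])
                    i += 1
                if i >= n:
                    raise ValueError("unterminated quoted option value")
                i, value = i + 1, "".join(buf)      # skip the closing quote
            else:
                value = re.match(r"[^,]*", opts[i:]).group(0)
                i += len(value)
        result[name] = value
        if i < n:
            if opts[i] != ",":
                raise ValueError(f"expected ',' at offset {i} in {opts!r}")
            i += 1
    return result


def parse_line(lineno, line):
    """Return an AuthKey for a protocol-2 key line, None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tok, rest = first_token(line)
    options = {}
    if tok not in KEY_TYPES:                 # leading field is the option list
        options = split_options(tok)
        tok, rest = first_token(rest)
        if tok not in KEY_TYPES:
            raise ValueError(f"line {lineno}: unknown key type {tok!r}")
    parts = rest.split(None, 1)
    if not parts:
        raise ValueError(f"line {lineno}: missing key blob")
    return AuthKey(lineno, options, tok, parts[0], parts[1] if len(parts) > 1 else "")


def audit(text):
    """Return (keys, findings); a finding is (lineno, kind, message) for each
    adjacent pair of different-type keys whose from= restrictions differ."""
    keys = [k for k in (parse_line(i, l) for i, l in enumerate(text.splitlines(), 1)) if k]
    findings = []
    for a, b in zip(keys, keys[1:]):
        if a.key_type == b.key_type or a.from_pattern == b.from_pattern:
            continue
        # Per the advisory, a pre-2.9.9 sshd applies the second key's options to both.
        kind = "bypass" if a.from_pattern is not None else "restriction-changed"
        findings.append((a.lineno, kind,
                         f"line {a.lineno} ({a.key_type}, from={a.from_pattern!r}) is "
                         f"followed by line {b.lineno} ({b.key_type}, from={b.from_pattern!r})"))
    return keys, findings


# Constructed sample for this example; the blobs are placeholders, not real keys.
SAMPLE = """\
# deploy and backup keys for one account
from="10.1.2.0/24" ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder1= deploy@dsa
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder2= deploy@rsa
from="192.0.2.10",command="/usr/bin/rsync --server -a . /srv/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder3= backup@rsa
ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder4= backup@dsa
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for _, kind, msg in audit(text)[1]:
        print(f"{kind}: {msg}")
```

Run with a path argument to audit a real file, or with no arguments to see the two 'bypass' findings in the constructed sample (the DSA key on line 2 followed by an unrestricted RSA key, and the restricted RSA key on line 4 followed by an unrestricted DSA key). Grouping keys by type only reduces the number of type boundaries; it does not remove them, which is why the advisory's answer is the upgrade.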

Impact:
Remote users with valid authentication credentials (a private key listed in the file) can circumvent the intended policy and log in from source IP addresses that the 'from=' restriction was meant to disallow.

Solution:
OpenSSH fixed the issue in version 2.9.9, and Immunix has released updated 2.9.9p2 packages. Precompiled binary packages for Immunix 7.0 are reportedly available at:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-2.9.9p2-1.0_imnx.i386.rpm
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-askpass-2.9.9p2-1.0_imnx.i386.rpm
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-clients-2.9.9p2-1.0_imnx.i386.rpm
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-server-2.9.9p2-1.0_imnx.i386.rpm
The source package for Immunix 7.0 is available at:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/SRPMS/openssh-2.9.9p2-1.0_imnx.src.rpm
Immunix OS 7.0 md5sums:
53ce20e6fea913265b81fe8ac38da5ab RPMS/openssh-2.9.9p2-1.0_imnx.i386.rpm
c1262b10f768266c3d9d61199a972974 RPMS/openssh-askpass-2.9.9p2-1.0_imnx.i386.rpm
4b9fdeee5dbd1539aff217fafd6bb14d RPMS/openssh-clients-2.9.9p2-1.0_imnx.i386.rpm
e3963cb9219dc6f8382f9bb1737a586e RPMS/openssh-server-2.9.9p2-1.0_imnx.i386.rpm
d9d77da287fb88f96164b910917650a6 SRPMS/openssh-2.9.9p2-1.0_imnx.src.rpm
Verify the md5sums, and the GPG signature on the advisory, before installing; note that the vendor's signing key changed after advisory IMNX-2001-70-020-01. See the Source Message for the vendor's advisory containing additional directions on how to obtain and apply the appropriate fix, and for the upgrade incompatibilities noted for 2.9.9p2.

Vendor URL: www.openssh.org/

Cause:
Access control error

Underlying OS:
Linux (Immunix)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Wed, 17 Oct 2001 19:25:53 -0700
Subject: [Immunix-announce] Immunix OS update for OpenSSH
-----------------------------------------------------------------------
Immunix OS Security Advisory
Packages updated: openssh
Affected products: Immunix OS 7.0 and 6.2
Bugs fixed: immunix/1621, immunix/1706, immunix/1747
Date: Wed Oct 17 2001
Advisory ID: IMNX-2001-70-034-01
Author: Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------
Description:
This release fixes several issues; two of moderate severity, and one
of slight severity. First, Peter W found that command restrictions
placed on keys did not apply to subsystems such as sftp, essentially
allowing users to bypass the command restrictions placed upon the key.
Second, the OpenSSH team found that IP source restrictions could be
bypassed when the authorized_keys file contained both RSA and DSA
keys. Last, zen-parse found that any file named 'cookies' could be
deleted remotely.
While Solar Designer's Openwall kernel patch prevents the third
problem from being exploited, the first two problems are likely
exploitable on Immunix OS computers, depending upon the local
configuration. OpenSSH release 2.9.9p2 fixes all three problems.
We recommend that all users upgrade OpenSSH. Markus notes in the
third reference some possible incompatibilities between version
2.9.9p2 and previous versions.
References:
http://www.securityfocus.com/archive/1/188450
http://www.securityfocus.com/archive/1/214921
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100153847110859&w=2
Package names and locations:
Precompiled binary packages for Immunix 7.0 are available at:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-2.9.9p2-1.0_imnx.i386.rpm
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-askpass-2.9.9p2-1.0_imnx.i386.rpm
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-clients-2.9.9p2-1.0_imnx.i386.rpm
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/RPMS/openssh-server-2.9.9p2-1.0_imnx.i386.rpm
Source package for Immunix 7.0 is available at:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/7.0/updates/SRPMS/openssh-2.9.9p2-1.0_imnx.src.rpm
Immunix OS 7.0 md5sums:
53ce20e6fea913265b81fe8ac38da5ab RPMS/openssh-2.9.9p2-1.0_imnx.i386.rpm
c1262b10f768266c3d9d61199a972974 RPMS/openssh-askpass-2.9.9p2-1.0_imnx.i386.rpm
4b9fdeee5dbd1539aff217fafd6bb14d RPMS/openssh-clients-2.9.9p2-1.0_imnx.i386.rpm
e3963cb9219dc6f8382f9bb1737a586e RPMS/openssh-server-2.9.9p2-1.0_imnx.i386.rpm
d9d77da287fb88f96164b910917650a6 SRPMS/openssh-2.9.9p2-1.0_imnx.src.rpm
GPG verification:
Our public key is available at <http://wirex.com/security/GPG_KEY>.
*** NOTE *** This key is different from the one used in advisories
IMNX-2001-70-020-01 and earlier.
Online version of all Immunix 6.2 updates and advisories:
http://immunix.org/ImmunixOS/6.2/updates/
Online version of all Immunix 7.0-beta updates and advisories:
http://immunix.org/ImmunixOS/7.0-beta/updates/
Online version of all Immunix 7.0 updates and advisories:
http://immunix.org/ImmunixOS/7.0/updates/
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 6.2 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@wirex.com. WireX
attempts to conform to the RFP vulnerability disclosure protocol
<http://www.wiretrip.net/rfp/policy.html>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjvOPbAACgkQVQcWL60UVMt30QCfQem7yXaAMWQHAQFtsI3s/lXo
x9wAoJZ5+o+bRHdKRPNGWXIMkrIeHIq2
=sDVW
-----END PGP SIGNATURE-----
_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce