Vulnerability Note VU#157447

OpenSSH UseLogin directive permits privilege escalation

Original Release date: 04 Dec 2001 | Last revised: 02 Jan 2002

Overview

OpenSSH is an implementation of the Secure Shell protocol. When OpenSSH is configured with the UseLogin directive equal to "yes", an intruder can execute arbitrary code with the privileges of OpenSSH, usually root.

Description

OpenSSH contains a vulnerability that permits an intruder to execute arbitrary code. When the UseLogin directive is enabled, a user can set environment variables that are used by login. An intruder can use this vulnerability to execute commands with the privileges of OpenSSH, usually root. UseLogin is not enabled by default; however, it is a common configuration. The intruder must be able to authenticate to the system using public key authentication.

This vulnerability is not related to VU#40327 (https://www.kb.cert.org/vuls/id/40327).

Impact

An intruder can use this vulnerability to execute commands with the privileges of OpenSSH, usually root.

Solution

OpenSSH 3.0.2 resolves this vulnerability and is available at ftp://ftp.openbsd.com/pub/OpenBSD/OpenSSH/openssh-3.0.2.tgz.

We strongly encourage you to review your configuration to determine whether or not UseLogin is enabled. If the use of UseLogin is required at your site, you may wish to temporarily disable access to the SSH service until a patch can be applied.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
BSDIAffected-10 Dec 2001
CalderaAffected-17 Dec 2001
DebianAffected-05 Dec 2001
FreeBSDAffected-07 Dec 2001
IBMAffected-04 Dec 2001
MandrakeSoftAffected-14 Dec 2001
OpenBSDAffected-04 Dec 2001
OpenSSHAffected-04 Dec 2001
Red HatAffected-13 Dec 2001
SuSEAffected-07 Dec 2001
TrustixAffected-21 Dec 2001
F-SecureNot Affected-11 Dec 2001
FujitsuNot Affected-11 Dec 2001
Hewlett PackardNot Affected-13 Dec 2001
SSH Communications SecurityNot Affected07 Dec 200112 Dec 2001
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT/CC thanks Marcus Friedl of OpenBSD, and Jacques A. Vidrine of FreeBSD for information related to this vulnerability.

This document was written by Jason Rafail.

Other Information

  • CVE IDs: Unknown
  • Date Public: 04 Dec 2001
  • Date First Published: 04 Dec 2001
  • Date Last Updated: 02 Jan 2002
  • Severity Metric: 15.75
  • Document Revision: 15

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.