|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
Vulnerability Note VU#978316
Vulnerability in OpenSSH daemon (sshd)
OverviewA vulnerability in the OpenSSH daemon (sshd) may give remote attackers a better chance of gaining access to restricted resources.
I. DescriptionOpenSSH is an implementation of the Secure Shell protocol. It is used to provide strong authentication and cryptographically secure communications between hosts. A vulnerability in versions up to and including 3.6.1 of OpenSSH may allow a remote attacker to circumvent security policies and attempt to or actually login from IP addresses that are not permitted to access resources.
There are two methods a client can use to authenticate to an SSH server. The first method is password authentication. This method is generally the easiest to set up, but the least secure. As long as the client has a valid username and password, they can gain access to the system running the SSH server. The second method is public key authentication. Public key authentication is one of the most secure methods available to authenticate a user. For a client to gain access to a system using public key authentication, a copy of the client's public key must exist on the SSH server. The client must also have the private key in their possession as well as the passphrase associated with the private key.
In addition to the methods available to authenticate a user, there also exists ways in which one can restrict access to the SSH server, such that connections are permitted only from trusted hosts. One of the most common methods is by utilizing a firewall to do host-based access restriction. Additionally, sshd has the ability to restrict access by IP address or hostname. While this is not cryptographically strong security, it provides an additional layer of protection which some sites rely upon to limit their exposure.
A flaw exists in the way OpenSSH evaluates IP addresses and hostnames. We have included an excerpt of the report sent to BugTraq regarding this vulnerability:
Interestingly, when a purely numeric IP address is provided, an attacker who controls reverse DNS for his host can circumvent this controls by returning text containing a numeric IP address in the reverse DNS response. This would allow stolen keys containing numeric IP address restrictions to be used from other IP address, or external access to a system which had
AllowUsers *@192.168.*.*
set in an attempt to limit access to users in the internal 192.168/16 network.
The exploit works because the code treats both the IP address and hostname as strings, and there is no logic to indicate when a pure IP address match should be attempted.
II. ImpactAn attacker can attempt to login to your system from a location that is not allowed. If the attacker has a private key in their possession that is allowed to access the system, they will be able to gain entry to the network. If the attacker does not have a legitimate private key, they may be able to guess a correct username/password pair if you allow password authentication.
III. SolutionThe OpenSSH maintainers recommend enabling VerifyReverseMapping in sshd_config. You may also wish to restrict access to the secure shell service by applying packet filters for port 22/tcp at your network perimeter. While this measure will limit your exposure to attacks, blocking port 22/tcp at a network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. In cases where applying packet filters is not feasible, software such as Wietse Venema's TCP Wrappers can be used to restrict access to the secure shell daemon. Finally, it is highly advisable to use public key authentication as opposed to password authentication. In our estimation, this vulnerability does not pose an imminent threat; however, it permits a greater-than-expected level of access to a security control in your infrastructure. The next release of OpenSSH will drop the VerifyReverseMapping option and, subsequently, sshd will by default perform reverse-mapping. At this point in time, we do not know if the OpenSSH maintainers plan to make a patch available before the next release.
Systems Affected
| Vendor | Status | Date Updated |
|---|
| 3Com | Unknown | 6-Jun-2003 |
| Alcatel | Not Vulnerable | 1-Aug-2003 |
| Apple Computer, Inc. | Unknown | 6-Jun-2003 |
| AT&T | Unknown | 6-Jun-2003 |
| Avaya | Unknown | 6-Jun-2003 |
| Berkeley Software Design, Inc. | Unknown | 6-Jun-2003 |
| Bitvise | Unknown | 6-Jun-2003 |
| Borderware | Unknown | 6-Jun-2003 |
| Cisco Systems, Inc. | Unknown | 6-Jun-2003 |
| Clavister | Not Vulnerable | 9-Jun-2003 |
| Computer Associates | Unknown | 6-Jun-2003 |
| Cray Inc. | Vulnerable | 9-Jun-2003 |
| D-Link Systems | Unknown | 6-Jun-2003 |
| Data General | Unknown | 6-Jun-2003 |
| Debian Linux | Unknown | 6-Jun-2003 |
| Engarde | Unknown | 6-Jun-2003 |
| eSoft | Unknown | 6-Jun-2003 |
| Extreme Networks | Not Vulnerable | 24-Jun-2003 |
| F-Secure | Unknown | 6-Jun-2003 |
| F5 Networks, Inc. | Unknown | 6-Jun-2003 |
| FiSSH | Unknown | 6-Jun-2003 |
| Foundry Networks Inc. | Not Vulnerable | 9-Jun-2003 |
| FreeBSD, Inc. | Unknown | 6-Jun-2003 |
| FreeS/WAN | Unknown | 6-Jun-2003 |
| FreSSH | Unknown | 6-Jun-2003 |
| Fujitsu | Not Vulnerable | 16-Jul-2003 |
| Global Technology Associates | Unknown | 6-Jun-2003 |
| Hewlett-Packard Company | Unknown | 6-Jun-2003 |
| Hitachi | Not Vulnerable | 18-Jun-2003 |
| IBM Corporation | Vulnerable | 19-Jun-2003 |
| IBM eServer | Unknown | 24-Jun-2003 |
| Ingrian Networks, Inc. | Unknown | 6-Jun-2003 |
| Intel | Unknown | 6-Jun-2003 |
| Internet Initiative Japan (IIJ) | Unknown | 6-Jun-2003 |
| Interpeak | Unknown | 6-Jun-2003 |
| Intersoft International Inc. | Unknown | 6-Jun-2003 |
| Intoto | Unknown | 6-Jun-2003 |
| Juniper Networks, Inc. | Unknown | 6-Jun-2003 |
| KAME Project | Unknown | 6-Jun-2003 |
| Lachman | Unknown | 6-Jun-2003 |
| Lotus Software | Not Vulnerable | 6-Jun-2003 |
| lsh | Unknown | 6-Jun-2003 |
| Lucent Technologies | Unknown | 6-Jun-2003 |
| MacSSH | Not Vulnerable | 6-Jun-2003 |
| Mandriva, Inc. | Unknown | 6-Jun-2003 |
| Mandriva, Inc. | Unknown | 6-Jun-2003 |
| Microsoft Corporation | Unknown | 6-Jun-2003 |
| Mirapoint | Unknown | 6-Jun-2003 |
| MontaVista Software, Inc. | Unknown | 6-Jun-2003 |
| Multi-Tech Systems Inc. | Unknown | 6-Jun-2003 |
| Multinet | Unknown | 6-Jun-2003 |
| NEC Corporation | Unknown | 6-Jun-2003 |
| NetBSD | Vulnerable | 9-Jun-2003 |
| Netcomposite | Unknown | 6-Jun-2003 |
| Netscreen | Unknown | 6-Jun-2003 |
| Network Appliance | Unknown | 6-Jun-2003 |
| NeXT | Unknown | 6-Jun-2003 |
| Nokia | Unknown | 6-Jun-2003 |
| Nortel Networks, Inc. | Unknown | 6-Jun-2003 |
| OpenBSD | Unknown | 6-Jun-2003 |
| OpenSSH | Vulnerable | 6-Jun-2003 |
| Openwall GNU/*/Linux | Unknown | 6-Jun-2003 |
| Oracle Corporation | Unknown | 6-Jun-2003 |
| Pragma Systems | Unknown | 6-Jun-2003 |
| Putty | Unknown | 6-Jun-2003 |
| Red Hat, Inc. | Unknown | 6-Jun-2003 |
| Riverstone Networks | Not Vulnerable | 10-Jun-2003 |
| SafeNet | Unknown | 6-Jun-2003 |
| SCO | Unknown | 6-Jun-2003 |
| Secure Computing Corporation | Not Vulnerable | 16-Jun-2003 |
| Sequent Computer Systems, Inc. | Unknown | 6-Jun-2003 |
| SGI | Unknown | 6-Jun-2003 |
| Sony Corporation | Unknown | 6-Jun-2003 |
| SSH Communications Security | Not Vulnerable | 14-Jul-2003 |
| Stonesoft | Not Vulnerable | 11-Jun-2003 |
| Sun Microsystems, Inc. | Vulnerable | 16-Jan-2007 |
| SUSE Linux | Unknown | 6-Jun-2003 |
| TTSSH/TeraTerm | Unknown | 6-Jun-2003 |
| Unisys | Unknown | 6-Jun-2003 |
| VanDyke Software Inc. | Vulnerable | 16-Jun-2003 |
| WatchGuard | Not Vulnerable | 10-Jun-2003 |
| Wind River Systems, Inc. | Unknown | 6-Jun-2003 |
| WinSCP | Unknown | 6-Jun-2003 |
| Wirex | Unknown | 6-Jun-2003 |
| Xerox Corporation | Not Vulnerable | 14-Jul-2003 |
| ZyXEL | Unknown | 6-Jun-2003 |
References
http://www.securityfocus.com/archive/1/324016/2003-06-03/2003-06-09/0
ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
http://www.ietf.org/html.charters/secsh-charter.html
http://www.openssh.com/
http://www.iss.net/security_center/static/12196.php
Credit
This vulnerability was discovered by Mike Harding. Note that this behavior of OpenSSH was in fact noticed and published two years earlier by Richard Silverman and Dan Barrett in "SSH, The Secure Shell: The Definitive Guide" (O'Reilly 2001, ISBN 0-596-00011-1). See section 5.5.2.1, p179 in the first edition.
This document was written by Ian A Finlay.
Other Information
| Date Public | 06/04/2003 |
| Date First Published | 06/06/2003 01:44:51 PM |
| Date Last Updated | 01/16/2007 |
| CERT Advisory | |
| CVE Name | CVE-2003-0386 |
| US-CERT Technical Alerts | |
| Metric | 37.13 |
| Document Revision | 38 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader