search menu icon-carat-right cmu-wordmark

CERT Coordination Center


OpenSSH UseLogin directive permits privilege escalation

Vulnerability Note VU#157447

Original Release Date: 2001-12-04 | Last Revised: 2002-01-02

Overview

OpenSSH is an implementation of the Secure Shell protocol. When OpenSSH is configured with the UseLogin directive equal to "yes", an intruder can execute arbitrary code with the privileges of OpenSSH, usually root.

Description

OpenSSH contains a vulnerability that permits an intruder to execute arbitrary code. When the UseLogin directive is enabled, a user can set environment variables that are used by login. An intruder can use this vulnerability to execute commands with the privileges of OpenSSH, usually root. UseLogin is not enabled by default; however, it is a common configuration. The intruder must be able to authenticate to the system using public key authentication.

This vulnerability is not related to VU#40327 (https://www.kb.cert.org/vuls/id/40327).

Impact

An intruder can use this vulnerability to execute commands with the privileges of OpenSSH, usually root.

Solution

OpenSSH 3.0.2 resolves this vulnerability and is available at ftp://ftp.openbsd.com/pub/OpenBSD/OpenSSH/openssh-3.0.2.tgz.

We strongly encourage you to review your configuration to determine whether or not UseLogin is enabled. If the use of UseLogin is required at your site, you may wish to temporarily disable access to the SSH service until a patch can be applied.

Vendor Information

157447
Expand all

BSDI

Updated:  December 10, 2001

Status

  Vulnerable

Vendor Statement

The current 3.0.2p1 version of OpenSSH is available for BSD/OS version 4.2 in patch M420-018 and for BSD/OS 4.3 in patch M430-001. Patches are available via ftp from ftp://ftp.bsdi.com/bsdi/patches or via our web site at http://www.bsdi.com/support.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Caldera

Updated:  December 17, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
Caldera International, Inc. Security Advisory

Subject:Linux - Local vulnerability in OpenSSH
Advisory number: CSSA-2001-042.1
Issue date: 2001, December 14
Cross reference:CSSA-2001-042.0
______________________________________________________________________________


1. Problem Description

This is a revised advisory for the 'UseLogin' vulnerability.
The original advisory declared the vulnerability as a remote
vulnerability, which is not the case. The vulnerability requires the
attacker to have a local account, making it a local vulnerability.

The OpenSSH team has reported a vulnerability in the OpenSSH server
that allows local users to obtain root privilege if the server
has the UseLogin option enabled. This option is off by default on
OpenLinux, so a default installation is not vulnerable.

We nevertheless recommend to our customers to upgrade to the fixed
package.

2. Vulnerable Versions

System Package
-----------------------------------------------------------
OpenLinux 2.3 not vulnerable

OpenLinux eServer 2.3.1 All packages previous to
and OpenLinux eBuilder openssh-2.9p2-4

OpenLinux eDesktop 2.4 All packages previous to
openssh-2.9p2-4

OpenLinux Server 3.1 All packages previous to
openssh-2.9p2-4

OpenLinux Workstation 3.1 All packages previous to
openssh-2.9p2-4



3. Solution

Workaround

Make sure that you do not have the UseLogin option enabled.
In /etc/ssh/sshd_config, the UseLogin option should either
be commended out, or should be set to "no".

The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

not vulnerable

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

5.2 Verification

4750b4dc110bcdb9a06f275422486d22 RPMS/openssh-2.9p2-4.i386.rpm
2ccef9bbd5c51ac9ee3ea7bdb0cad5e8 RPMS/openssh-askpass-2.9p2-4.i386.rpm
db4931cfa21ef0312ca9f7baaea9d19d RPMS/openssh-server-2.9p2-4.i386.rpm
50511f127c8215bce46d6082aa924aa9 SRPMS/openssh-2.9p2-4.src.rpm


5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9p2-4.i386.rpm \
openssh-askpass-2.9p2-4.i386.rpm \
openssh-server-2.9p2-4.i386.rpm


6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

67227fa9552a81465786e23b82347b7b RPMS/openssh-2.9p2-4.i386.rpm
80693bc40f533ed757a2cc3aa7ad2dbc RPMS/openssh-askpass-2.9p2-4.i386.rpm
3cbd5f69eb010de1dad17c25b85bcc6f RPMS/openssh-server-2.9p2-4.i386.rpm
50511f127c8215bce46d6082aa924aa9 SRPMS/openssh-2.9p2-4.src.rpm


6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9p2-4.i386.rpm \
openssh-askpass-2.9p2-4.i386.rpm \
openssh-server-2.9p2-4.i386.rpm


7. OpenLinux 3.1 Server

7.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

7.2 Verification

2b214778e58a252b5fa6efda93564ec9 RPMS/openssh-2.9p2-4.i386.rpm
a7cbe46794f3e2ccd9db54844d6500a2 RPMS/openssh-askpass-2.9p2-4.i386.rpm
eb5f164e76adf62b19d8d7ce8bd4e121 RPMS/openssh-server-2.9p2-4.i386.rpm
50511f127c8215bce46d6082aa924aa9 SRPMS/openssh-2.9p2-4.src.rpm


7.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9p2-4.i386.rpm \
openssh-askpass-2.9p2-4.i386.rpm \
openssh-server-2.9p2-4.i386.rpm


8. OpenLinux 3.1 Workstation

8.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

8.2 Verification

2b214778e58a252b5fa6efda93564ec9 RPMS/openssh-2.9p2-4.i386.rpm
a7cbe46794f3e2ccd9db54844d6500a2 RPMS/openssh-askpass-2.9p2-4.i386.rpm
eb5f164e76adf62b19d8d7ce8bd4e121 RPMS/openssh-server-2.9p2-4.i386.rpm
50511f127c8215bce46d6082aa924aa9 SRPMS/openssh-2.9p2-4.src.rpm


8.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9p2-4.i386.rpm \
openssh-askpass-2.9p2-4.i386.rpm \
openssh-server-2.9p2-4.i386.rpm



9. References

This and other Caldera security resources are located at:

http://www.caldera.com/support/security/index.html

This security fix closes Caldera's internal Problem Report 11153.


10. Disclaimer

Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera OpenLinux.

11. Acknowledgements

Caldera wishes to thank Markus Friedl of the OpenSSH team for notifying
vendor-sec.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8Gca218sy83A/qfwRAikTAJ96ZKjZswsMyVbaftCOLPt38y4KUgCffHmD
1mVHgdJs4ke3eXT0X9nTFsE=
=JwCc
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com
For additional commands, e-mail: announce-help@lists.caldera.com

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Updated:  December 05, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Updated:  December 07, 2001

Status

  Vulnerable

Vendor Statement

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:63.openssh.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Updated:  December 04, 2001

Status

  Vulnerable

Vendor Statement

IBM makes available OpenSSH for AIX customers as a software package under the AIX-Linux Affinity initiative. This package is included on the AIX Toolbox for Linux Applications CD, and can be downloaded via the IBM Linux Affinity website. The currently available version of OpenSSH is susceptible to the vulnerability described here. We will update our OpenSSH offering soon to a version that is not vulnerable; this update will be made available for downloading by accessing this URL:

http://www6.software.ibm.com/dl/aixtbx/aixtbx-p

and following the instructions presented there.

Please note that OpenSSH, and all Linux Affinity software, is offered on an "as-is" basis. IBM does not own the source code for this software, nor has it developed and fully tested this code. IBM does not support these software packages.

Customers may wish to obtain and install a non-vulnerable version of OpenSSH (ver. 3.0.2) from other sites, pending the posting of our updated version. However, other sites may not offer recompiled
packages for AIX, making necessary the customer having to build the binaries.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Updated:  December 14, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name: openssh
Date: December 13th, 2001
Advisory ID: MDKSA-2001:092

Affected versions: 7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1,
Single Network Firewall 7.2
________________________________________________________________________

Problem Description:

The new OpenSSH 3.0.2 fixes a vulnerability in the UseLogin option.
By default, Mandrake Linux does not enable UseLogin, but if the
administrator enables it, local users are able to pass environment
variables to the login process. This update also fixes a security
hole in the KerberosV support that is present in versions 2.9.9 and
3.0.0.
________________________________________________________________________

References:

http://www.kb.cert.org/vuls/id/157447
http://www.securityfocus.com/bid/3614
________________________________________________________________________

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:

rpm --checksig package.rpm

You can get the GPG public key of the Mandrake Linux Security Team at:

https://www.mandrakesecure.net/RPM-GPG-KEYS

If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.

Linux-Mandrake 7.1:
e0079727f3b224c0117abb67d7612ff5 7.1/RPMS/openssh-3.0.2p1-1.4mdk.i586.rpm
3ef16734c76cc748fa4c4c8bffdf590a 7.1/RPMS/openssh-askpass-3.0.2p1-1.4mdk.i586.rpm
7fe525cf07d54c08a27e68d427aed54e 7.1/RPMS/openssh-askpass-gnome-3.0.2p1-1.4mdk.i586.rpm
a9af9ccb91c68494ec5b2b77c8cf73f1 7.1/RPMS/openssh-clients-3.0.2p1-1.4mdk.i586.rpm
d0361bbc9055f065f0b3f0811f41bbbc 7.1/RPMS/openssh-server-3.0.2p1-1.4mdk.i586.rpm
414df2648031fc5d54500033788841a2 7.1/SRPMS/openssh-3.0.2p1-1.4mdk.src.rpm

Linux-Mandrake 7.2:
1b285e4e13afc20c45c3aefe21b670de 7.2/RPMS/openssh-3.0.2p1-1.3mdk.i586.rpm
30163d91b9a1cb2e5bb45eaa33a49e82 7.2/RPMS/openssh-askpass-3.0.2p1-1.3mdk.i586.rpm
5f69e40f1b55c27ae886163f11cef22e 7.2/RPMS/openssh-askpass-gnome-3.0.2p1-1.3mdk.i586.rpm
8071c22fa390f71d04a006b999bec9ea 7.2/RPMS/openssh-clients-3.0.2p1-1.3mdk.i586.rpm
dca2792c25c578c90609aa4354c93446 7.2/RPMS/openssh-server-3.0.2p1-1.3mdk.i586.rpm
f5322a10004f01ff3e980665b06b0c2c 7.2/SRPMS/openssh-3.0.2p1-1.3mdk.src.rpm

Mandrake Linux 8.0:
92583a96e61c68e584ecca0a99fea49a 8.0/RPMS/openssh-3.0.2p1-1.2mdk.i586.rpm
e5a08d157ddacb87ad5dd33a86cdfacc 8.0/RPMS/openssh-askpass-3.0.2p1-1.2mdk.i586.rpm
7c762c77e164e801f69120bdc64dd9c6 8.0/RPMS/openssh-askpass-gnome-3.0.2p1-1.2mdk.i586.rpm
94d89e26bf4c06b51a1690f84e3a22c9 8.0/RPMS/openssh-clients-3.0.2p1-1.2mdk.i586.rpm
dd003cb8c830834042639a02e873e0cd 8.0/RPMS/openssh-server-3.0.2p1-1.2mdk.i586.rpm
e7a00228e5ce33f4fa2fdb3ae81b6193 8.0/SRPMS/openssh-3.0.2p1-1.2mdk.src.rpm

Mandrake Linux 8.0 (PPC):
21cd5bdb543a85107ac8053ee61ce53d ppc/8.0/RPMS/openssh-3.0.2p1-1.2mdk.ppc.rpm
23d6f681b9d35f447dd22a7ce5d7379c ppc/8.0/RPMS/openssh-askpass-3.0.2p1-1.2mdk.ppc.rpm
9783d529166d906ec756720a93931397 ppc/8.0/RPMS/openssh-askpass-gnome-3.0.2p1-1.2mdk.ppc.rpm
6df6e5e55ae389cd67a9396fa24051bd ppc/8.0/RPMS/openssh-clients-3.0.2p1-1.2mdk.ppc.rpm
51cc4e399b4d34a4b2362567e50d3af8 ppc/8.0/RPMS/openssh-server-3.0.2p1-1.2mdk.ppc.rpm
e7a00228e5ce33f4fa2fdb3ae81b6193 ppc/8.0/SRPMS/openssh-3.0.2p1-1.2mdk.src.rpm

Mandrake Linux 8.1:
03c865f75376983ee5cf916b97f247a0 8.1/RPMS/openssh-3.0.2p1-1.1mdk.i586.rpm
7e6f0f843162b01dcdcf8fb6879d7b3a 8.1/RPMS/openssh-askpass-3.0.2p1-1.1mdk.i586.rpm
d5d324cb252c797c842120a4beaf6999 8.1/RPMS/openssh-askpass-gnome-3.0.2p1-1.1mdk.i586.rpm
82249844e9403fb9b5167ef2206f92fa 8.1/RPMS/openssh-clients-3.0.2p1-1.1mdk.i586.rpm
565c208ce7a45c95b0f5603041cf81de 8.1/RPMS/openssh-server-3.0.2p1-1.1mdk.i586.rpm
b53afe42d601722309c32b2703ce17cc 8.1/SRPMS/openssh-3.0.2p1-1.1mdk.src.rpm

Mandrake Linux 8.1 (IA64):
a8412c4261d801342c0f2f8d03ebc9f1 ia64/8.1/RPMS/openssh-3.0.2p1-1.1mdk.ia64.rpm
3d950bcee8d4feb5be3610ca69a51017 ia64/8.1/RPMS/openssh-askpass-3.0.2p1-1.1mdk.ia64.rpm
15aafe7d7b1e99733744d75c34936650 ia64/8.1/RPMS/openssh-askpass-gnome-3.0.2p1-1.1mdk.ia64.rpm
8e40f604a20f5e190b6bfdef2802f31a ia64/8.1/RPMS/openssh-clients-3.0.2p1-1.1mdk.ia64.rpm
8f7e2ae1299279f68b6e490900511dd4 ia64/8.1/RPMS/openssh-server-3.0.2p1-1.1mdk.ia64.rpm
b53afe42d601722309c32b2703ce17cc ia64/8.1/SRPMS/openssh-3.0.2p1-1.1mdk.src.rpm

Corporate Server 1.0.1:
e0079727f3b224c0117abb67d7612ff5 1.0.1/RPMS/openssh-3.0.2p1-1.4mdk.i586.rpm
3ef16734c76cc748fa4c4c8bffdf590a 1.0.1/RPMS/openssh-askpass-3.0.2p1-1.4mdk.i586.rpm
7fe525cf07d54c08a27e68d427aed54e 1.0.1/RPMS/openssh-askpass-gnome-3.0.2p1-1.4mdk.i586.rpm
a9af9ccb91c68494ec5b2b77c8cf73f1 1.0.1/RPMS/openssh-clients-3.0.2p1-1.4mdk.i586.rpm
d0361bbc9055f065f0b3f0811f41bbbc 1.0.1/RPMS/openssh-server-3.0.2p1-1.4mdk.i586.rpm
414df2648031fc5d54500033788841a2 1.0.1/SRPMS/openssh-3.0.2p1-1.4mdk.src.rpm

Single Network Firewall 7.2:
1b285e4e13afc20c45c3aefe21b670de snf7.2/RPMS/openssh-3.0.2p1-1.3mdk.i586.rpm
30163d91b9a1cb2e5bb45eaa33a49e82 snf7.2/RPMS/openssh-askpass-3.0.2p1-1.3mdk.i586.rpm
5f69e40f1b55c27ae886163f11cef22e snf7.2/RPMS/openssh-askpass-gnome-3.0.2p1-1.3mdk.i586.rpm
8071c22fa390f71d04a006b999bec9ea snf7.2/RPMS/openssh-clients-3.0.2p1-1.3mdk.i586.rpm
dca2792c25c578c90609aa4354c93446 snf7.2/RPMS/openssh-server-3.0.2p1-1.3mdk.i586.rpm
f5322a10004f01ff3e980665b06b0c2c snf7.2/SRPMS/openssh-3.0.2p1-1.3mdk.src.rpm
________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

________________________________________________________________________

Before applying this update, make sure all previously released updates
relevant to your system have been applied. To upgrade automatically,
use MandrakeUpdate.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".

You can download the updates directly from one of the mirror sites
listed at:

http://www.linux-mandrake.com/en/ftp.php3.

Updated packages are available in the "updates/[ver]/RPMS/" directory.
For example, if you are looking for an updated RPM package for
Mandrake Linux 8.1, look for it in "updates/8.1/RPMS/". Updated source
RPMs are available as well, but you generally do not need to download
them.

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other security advisories for Mandrake Linux at:

http://www.linux-mandrake.com/en/security/

If you want to report vulnerabilities, please contact

security@linux-mandrake.com
________________________________________________________________________

Mandrake Linux has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:

http://www.mandrakesecure.net/en/mlist.php
________________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security@linux-mandrake.com>


- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA
BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP
WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w
Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPa5AQ0EOWnn
7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77
9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV
Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s
+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX
Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl
3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi
RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX
lA==
=0ahQ
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8GTiSmqjQ0CJFipgRArfnAJ9iqBklxscL1MPkgSyuBYUMRXQtXgCbBVQW
hxvucBu9Yl4qCIhEnCO7YYM=
=O9oQ
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Updated:  December 04, 2001

Status

  Vulnerable

Vendor Statement

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100747128105913&w=2

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSH

Updated:  December 04, 2001

Status

  Vulnerable

Vendor Statement

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100747128105913&w=2

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat

Updated:  December 13, 2001

Status

  Vulnerable

Vendor Statement

Versions of Red Hat Linux prior to 7 did not ship OpenSSH. Users of Red Hat Linux 7, 7.1 and 7.2 should apply the updated OpenSSH packages or use the Red Hat Network to upgrade their systems

http://www.redhat.com/support/errata/RHSA-2001-161.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE

Updated:  December 07, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                openssh
       Announcement-ID:        SuSE-SA:2001:045
       Date:                   Thursday, Dec 6th 2001 21:30 MET
       Affected SuSE versions: 6.4, 7.0, 7.1, 7.2, 7.3
       Vulnerability Type:     local privilege escalation
       Severity (1-10):        5
       SuSE default package:   yes
       Other affected systems: systems running openssh

    Content of this advisory:
       1) security vulnerability resolved: openssh
          problem description, discussion, solution and upgrade information
       2) pending vulnerabilities, solutions, workarounds
       3) standard appendix (further information)

______________________________________________________________________________

1)  Re-release of SuSE Security Announcement SuSE-SA:2001:044, brief history,
   Clarification, new problem fixed, upgrade information.

    This is a re-release of the SuSE Security Announcement SuSE-SA:2001:044,
   adding another bugfix for the openssh package as well as more detailed
   information about the vulnerabilities to prevent misunderstandings.

    The currently supported SuSE distributions 6.4 and newer come with two
   implementations of the secure shell protocol: The package names are
   "ssh" and "openssh".


    Brief history:
   In 1998, a vulnerability of the secure shell protocol in version 1 has
   been discovered and named "crc32 compensation attack". The vulnerability
   allows an attacker to insert arbitrary sequences into the ssh-1 protocol
   layer. At that time, an added patch fixed the problem in the ssh
   implementation (visible in the client-side verbose output of the ssh
   command (-v): "Installing crc compensation attack detector.").
   In early 2001, Michal Zalewski discovered that the widely used patch
   was defective and opened another security hole which is being actively
   exploited today. SuSE Security announcement SuSE-SA:2001:004, published
   February 16th 2001, available at *[1], addresses this defective patch,
   among other issues.

    Clarification/Apology:
   Our last openssh security announcement SuSE-SA:2001:044 (*[3]) may falsely
   lead to assume that the openssh-2.9.9p2 update packages on our ftp
   server fix the vulnerabilities known as crc32 compensation attack.
   This is incorrect since the openssh-2.3.0 packages released with SuSE
   Security announcement SuSE-SA:2000:047 in November 2000, available at
   *[2], already fixed the mentioned (among other) problems. The release
   of the openssh-2.9.9p2 update packages obsoletes the openssh-2.3.0 update
   packages.
   We explicitly regret the used wording and apologize to the openssh
   development team, in particular Markus Friedl and Theo De Raadt, and
   thank them for their excellent work on the project.

    Scanning utilities that can be found on the internet connect to port 22
   of a server and read the version string. It should be noted that the bare
   knowlege of the secure shell protocol version string does not allow to
   determine whether a running secure shell daemon is actually vulnerable
   to the defective fix for the crc32 compensation attack.
   SuSE security receive dozens of requests about statements if the daemons
   in use are vulnerable or not. Please see reference *[1].


    New problem fixed:
   This re-release of SuSE Security Announcement SuSE-SA:2001:044 (please
   see reference *[3] below) adds another patch to the openssh-2.9.9p2
   packages: A bug allows a local attacker on the server to specify
   environment variables that can influence the login process if the
   "UseLogin" configuration option on the server side is set to "yes".
   If exploited, the local attacker on the secure shell server can execute
   arbitrary commands as root.
   In the default configuration of the package, the UseLogin option is set
   to "no", which means that the administrator of the server must have set
   the option to "yes" manually before the bug can be exploited.

    Users who upgraded their SuSE openssh package before December 6th 2001
   should upgrade their package again. Use the command "rpm -q openssh"
   to see which version/release of the package you have installed, and
   compare this version with the one as listed below.


    Upgrade information:
   You can find out which implementation of the ssh protocol you are using
   with the command "rpm -qf /usr/bin/ssh".
   If you use the ssh-1.2.* package, please read Reference *[1].
   If you use the openssh-* package, please download the rpm package for
   your distribution from the URL list below, verify its integrity using
   the methods as described in section 3) of this security announcement
   and install the package using the command

        rpm -Uhv file.rpm

    where file.rpm is the filename of the package that you have downloaded.

    References:
   *[1]:
http://www.suse.de/de/support/security/adv004_ssh.txt
   *[2]:
http://www.suse.de/de/support/security/2000_047_openssh_txt.txt
   *[3]:
http://www.suse.de/de/support/security/2001_044_openssh_txt.txt


    SPECIAL INSTALL INSTRUCTIONS:
   The sshd secure shell daemon on the server side has to be restarted for
   the new package to become active. If you are logged on on the console,
   the simple command "rcsshd restart" should do this for you.
   If you are logged on via secure shell, you should make sure that you
   do not terminate the connections that are established through the running
   secu
re shell daemon/its children. In this case, kill the daemon after
   package installation using the command
       kill -TERM `cat /var/run/sshd.pid`
   and then restart the daemon with the command
       /usr/sbin/sshd
   as root.

    Then, verify that the login procedure works as before. One of the main
   changes in the new openssh package is that the file
   $HOME/.ssh/authorized_keys2 is only read by the server if the file
   $HOME/.ssh/authorized_keys does not exist and if protocol version 2 is
   being used. The file $HOME/.ssh/authorized_keys2 can be removed after
   its contents have been added to $HOME/.ssh/authorized_keys.
   The two configuration files /etc/ssh/sshd_config (server side) and
   /etc/ssh/ssh_config (client side) contained in the openssh package
   do not get overwritten upon installation or upgrade, if you have changed
   them manually. Instead, the new configuration files are written with a
   .rpmnew suffix. The defaults as provided in the SuSE package make an
   effort to establish both convenience as well as security.



    NOTE: Packages for SuSE Linux distributions 7.0 and older containing
   cryptographic software are located on our German ftp server ftp.suse.de
   for legal reasons. Packages for all other distributions (7.1 and newer)
   can be found at their regular path at ftp.suse.com.



    i386 Intel Platform:
   SuSE-7.3
   
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-74.i386.rpm
     f3d60cce6d62dbf79c36a849811c19d7
   source rpm:
   
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-74.src.rpm
     4246e40b1e5a7b4456f2bb4c05177126

    SuSE-7.2
   
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-74.i386.rpm
     3764a15b17b0823c6fa2e8e4aee5af69
   source rpm:
   
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-74.src.rpm
     e9cccadf767cb80e3c588266d6886153

    SuSE-7.1
   
ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/openssh-2.9.9p2-73.i386.rpm
     4dbcdb2a544cadd36749baea890bc38e
   source rpm:
   
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/openssh-2.9.9p2-73.src.rpm
     04400597a1b9526bc78344e8e523fa40

    SuSE-7.0
   
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.9.9p2-73.i386.rpm
     29dcc882bf30cbe88c94b07bb84e7216
   source rpm:
   
ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.9.9p2-73.src.rpm
     b852431e4711d7f45a8bd180532325b0

    SuSE-6.4
   
ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.9.9p2-73.i386.rpm
     8cfe1e9d2dd964851acb42e1e13311b9
   source rpm:
   
ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.9.9p2-73.src.rpm
     a3686e39258d03c99fc2ba3573325c2a



    Sparc Platform:
   SuSE-7.3
   
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssh-2.9.9p2-24.sparc.rpm
     32d3a1c735d2c27cb580fedeeed3a135
   source rpm:
   
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssh-2.9.9p2-24.src.rpm
     82540b2297b2d03d45118b3c23a72bf8

    SuSE-7.1
   The update packages for the SuSE Linux 7.1 Sparc distributions are not
   available yet. The package can soon be found at
   
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/openssh.rpm

    SuSE-7.0
   
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.9.9p2-24.sparc.rpm
     638891762f09e01b83e9c39c184ce9ea
   source rpm:
   
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.9.9p2-24.src.rpm
     ad3520ad8907c585f84facb742fc03bf




    AXP Alpha Platform:
   SuSE-7.1
   
ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/openssh-2.9.9p2-26.alpha.rpm
     04e815054c9bc3a1b0a1ddda8c6e2d10
   source rpm:
   
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/openssh-2.9.9p2-26.src.rpm
     32c39e29517fc8269f252f7cc6f18bce

    The update packages for the SuSE Linux AXP/Alpha distributions before
   SuSE-7.1 are not available on our ftp server yet. These packages can be
   found at the usual location in the update paths on ftp.suse.de.




    PPC Power PC Platform:
   SuSE-7.3
   
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-49.ppc.rpm
     4b056c828675898bf482e9ecb4f91a0b
   source rpm:
   
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-49.src.rpm
     e10ed49e7319c244caf324a64f16c738

    SuSE-7.1
   
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/openssh-2.9.9p2-49.ppc.rpm
     163126a80ff0167b34c041348ef5c3c4
   source rpm:
   
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/openssh-2.9.9p2-49.src.rpm
     948862c53dc62e921b03766c986a4de2

    SuSE-7.0
   
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.9.9p2-48.ppc.rpm
     aff3785ac9670daa0e06445ad9b5a2b9
   source rpm:
   
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.9.9p2-48.src.rpm
     ccfb132470cb61b52688fc12f1352b12

    SuSE-6.4
   
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.9.9p2-48.ppc.rpm
     ae20b7379474735126636aed05f6eeee
   source rpm:
   
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.9.9p2-48.src.rpm
     2351d7667c02a1ad33e21bd39196cf0a

______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

  - We are currently testing kernel update packages for the recently
   found local security flaw in the ELF binary loader in the Linux
   kernel of all v2.4 versions and expect to be able to announce these
   update rpm packages soon with a re-release of our kernel security
   announcement.

______________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SuSE update packages are available on many mirror ftp servers all over
   the world. While this service is being considered valuable and important
   to the free and open source software community, many users wish to be
   sure about the origin of the package and its content before installing
   the package. There are two verification methods that can be used
   independently from each other to prove the authenticity of a downloaded
   file or rpm package:
   1) md5sums as provided in the (cryptographically signed) announcement.
   2) using the internal gpg signatures of the rpm package.

    1) execute the command
       md5sum <name-of-the-file.rpm>
      after you downloaded the file from a SuSE ftp server or its mirrors.
      Then, compare the resulting md5sum with the one that is listed in the
      announcement. Since the announcement containing the checksums is
      cryptographically signed (usually using the key security@suse.de),
      the checksums show proof of the authenticity of the package.
      We disrecommend to subscribe to security lists which cause the
      email message containing the announcement to be modified so that
      the signature does not match after transport through the mailing
      list software.
      Downsides: You must be able to verify the authenticity of the
      announcement in the first place. If RPM packages are being rebuilt
      and a new version of a package is published on the ftp server, all
      md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
      of an rpm package. Use the command
       rpm -v --checksig <file.rpm>
      to verify the signature of the package, where <file.rpm> is the
      filename of the rpm package that you have downloaded. Of course,
      package authenticity verification can only target an uninstalled rpm
      package file.
      Prerequisites:
       a) gpg is installed
       b) The package is signed using a certain key. The public part of this
          key must be installed by the gpg program in the directory
          ~/.gnupg/ under the user's home directory who performs the
          signature verification (usually root). You can import the key
          that is used by SuSE in rpm packages for SuSE Linux by saving
          this announcement to a file ("announcement.txt") and
          running the command (do "su -" to be root):
           gpg --batch; gpg < announcement.txt | gpg --import
          SuSE Linux distributions version 7.1 and thereafter install the
          key "build@suse.de" upon installation or upgrade, provided that
          the package gpg is installed. The file containing the public key
          is placed at the toplevel directory of the first CD (pubring.gpg)
          and at
ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .


  - SuSE runs two security mailing lists to which any interested party may
   subscribe:

    suse-security@suse.com
       -   general/linux/SuSE security discussion.
           All SuSE security announcements are sent to this list.
           To subscribe, send an email to
               <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
       -   SuSE's announce-only mailing list.
           Only SuSE's security annoucements are sent to this list.
           To subscribe, send an email to
               <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
   send mail to:

        <suse-security-info@suse.com> or
       <suse-security-faq@suse.com> respectively.

    =====================================================================
   SuSE's security contact is <security@suse.com> or <security@suse.de>.
   The <security@suse.de> public key is listed below.
   =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
   provided that the advisory is not modified in any way. In particular,
   it is desired that the cleartext signature shows proof of the
   authenticity of the text.
   SuSE GmbH makes no warranties of any kind whatsoever with respect
   to the information contained in this security advisory.

Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see
http://www.gnupg.org

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CpkBogQ57vSBEQQAk/GN+ftr7+DBlSoixDDpfRnUk+jApGEt8hCnrnjV
nPs/9Cr33+CXLQbILOO7Y5oiPbJdHh45t4E0fKyLVzDerCRFB1swz/mNDxT26DLy
sdBV5fwNHTPhxa67goAZVrehQPqJEckkIpYriOaYcKpF3n5fQIZMEfMaHEElQhcX
ML8AoJVXDkJYh7vI8EUB8ZURNLZMEECNA/sH0MCnb4Q6ZcRyeZ3+1PHP8hP73b6T
epRdLZhaylwVF/iu7uIn62ZUL4//NTOCDY7V63qg4iba/fUbOsWtEnGaiE7mQuAl
sSWvRspwRA9/g9rdVf3/JdLJrLmKBTheyG+PSJE3W7cAE4ZWafGxIRCwXhmj3TQn
Jn2euqylHRubEQP/aL53NZK0kBdvrKgff6O8Of6tqoss8Dkk55I7QVFSp+My1Dn+
mngQKFejTAgtyo/WmR3wPjQ9HoT2lRiYI2lTRYT4uMdHuwVC3b4DqAKmoy375FER
wHkrMVyKBJslv8QtbAWw5A1CAUseaHo+91wmYJ4/4p6YUahqbG/tZyhbxfq0KFN1
U0UgUGFja2FnZSBTaWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6IXAQTEQIAHAUC
Oe70gQUJA8JnAAQLCgMEAxUDAgMWAgECF4AACgkQqE7a6JyACspfLACffAYA+NM8
NBhyRyH+nTX58CNjwLIAoIx9fj52BJe0xY7WbKoXs1+72b2AiEYEEBECAAYFAjpw
XlIACgkQnkDjEAAKq6TczgCgi+ddhWb7+FWcfeE6WwPZccqAHowAnjjtRyGwHLQH
r5OTFAYTXi2Wv6jNiQEVAwUQOnBgb3ey5gA9JdPZAQE1pwf/QJ+b34lFBNVUJ7fk
/xGJJREt7V12iSafaRzGuH8xWvIz1bb+VARxnnt16FDQ1cDNjoEhCEmcW83Vxp6i
JXE9PE8wVA/Yue/bon5JS7J69+UiQ2eq2pudfwljp52lYVM53jgPYEz0q/v3091n
lZ8CYkAkN9JDS1lV1gEzJ7J0+POngDpU+lDQT2EC6VKaxeWK8pNt6UFDwICRDQxK
nlOoiDvTrdWT7QdJZ4sPv8Qotdw9+tKNbWQ2DqdIRxyTdw9xDfAtcj6mXeQr7852
Lwem1gSKVnEYHZ9g1FTJqVOutY8KhpUc9RfOCRv8XuIxrs4KSbfSF0s8qIRCQelx
ufg9AbkCDQQ57vSSEAgAhJHQTejMX+Vr6g1pHDEcusJ63fQ2CfFFE5iE9okH9O7U
VCiSfb9CV38dmeHdPCEEjDUWquFYEnvj3WICMtH249t1Ymuf4Du3yRKQ9oXdn/qT
Jzlrx9qzjiG3mH7ocwHOgUIwCrZoEdBEVE2n0zPVm+hddwjWWTWXw6pxQz+i9dsN
89xexRV5M9O0bNwCLaNWX2GXeLAkqTK/9EuZy6x2yLxi6du9YYUAXkZpqBhCjtiU
XpRoFCdglMznbcAyCk9C2wqb2j/D1Z2BeSBaGCSFkR6pRLebnE17LWcu72Iy+r0z
+JecbPiyDpDZj4apn7IC81aNFGi7fNITsHODbwwjiwADBgf/YPvVdzkc8OC7ztac
EWCanwylKvxCdKzTDA+DfES6WUYShyiVJvZzRy25LJ5WcK20kzOS6Qv1OrIXiz/p
dGy1aKtJZrAnFEsofpmOj8VoqyyFgp/yAGQBp12+mXek7SCZRhuqalDfEMRiWEJ6
J5dLkyShyRDWyPbFh0HXE7QTHN+IKKxxQqNQXL6Z3NSxS61p+5n6BseiDUI39xxk
KTFwFrkgUIc5Gs2Or2lhaWvGwSfoCmwbsklszZt6xbU+R0SjFqTvjPWx6eHfqbmN
C9WMDdTjGrXDDKXFp2aYlokfN6It9vsbVlGNlOwHt/JjGoPMxW6Xqj0FLA7/Vewg
CdXW64hMBBgRAgAMBQI57vSSBQkDwmcAAAoJEKhO2uicgArKSyIAmwUHf/vtKQfc
mVg4asR7U6XQl0bAAJ4pO22B5U8UH6IYl2LBCXFqw5+5fA==
=rVRn
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBPA/bG3ey5gA9JdPZAQHnwAf/UHDibA3CmfvsAtnzeQ3YaEf7tgOMtvz0
wr9gMZlU+L96Trhv9iAeUEenYc2KTe8ye4SvLHxKlQ3IotmFjhoehLzYM/tynhM8
0nCsnK7vuQNmJnbyE8shWvmAcAv4klJW1g/hV73EhjO/YJe4nx7H+cF3M1hzhGwv
d4t9Y8SjHBrvSt9nuq/yFsta4dKy5il30jPtd379O3TcjJP4cBC30o3wKt11f9ld
GYSURp31kQT13VJxw75GxCkv3b0PpxepT1HUQmqGCGx1xxGV/XYKCbwCnwjHi4zC
n52B6gHc0wilYdLrQdHb0uZwVn4fcxHirbdpwVyWTrBgPkLE3aHVhg==
=tcBY
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix

Updated:  December 21, 2001

Status

  Vulnerable

Vendor Statement

http://www.trustix.net/errata/misc/2001/TSL-2001-0035-openssh.asc.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F-Secure

Updated:  December 11, 2001

Status

  Not Vulnerable

Vendor Statement

The F-Secure SSH versions 2.x - 3.x doesn't have UseLogin option, nor any means to use 'login' to perform user session setup. Since environmental variables are set only after we're running on user uid, we don't see other exploits of this sort either. Furthermore, administrator is able to control which environmental variables the client is able to set in ssh daemon config file.

The F-Secure SSH 1.x versions don't provide means for the client to set environmental variables on the server. Also, while a valid user is able to set environmental variables on the server via pubkey authentication options, these are actually not set in case of 'UseLogin' and use of 'login' to handle user logon.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Updated:  December 11, 2001

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V operating system is not affected by the SSH security vulnerabilities because it does not support the SSH package.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard

Updated:  December 13, 2001

Status

  Not Vulnerable

Vendor Statement

HP Support Information Digests

===============================================================================
o IT Resource Center World Wide Web Service
---------------------------------------------------

If you subscribed through the IT Resource Center and would
like to be REMOVED from this mailing list, access the
IT Resource Center on the World Wide Web at:

http://www.itresourcecenter.hp.com/

Login using your IT Resource Center User ID and Password.
Then select Support Information Digests (located under
Maintenance and Support). You may then unsubscribe from the
appropriate digest.
===============================================================================


Digest Name: daily security bulletins digest
Created: Wed Dec 12 3:00:03 PST 2001

Table of Contents:

Document ID Title
--------------- -----------
HPSBUX0112-177 Sec. Vulnerability in OV NNM
HPSBTL0112-004 Sec. Vulnerability in Tomcat 3.2.1
HPSBTL0112-006 Security vulnerability in Red Hat Korean Installation
HPSBTL0112-005 Security vulnerability in OpenSSH

The documents are listed below.
-------------------------------------------------------------------------------


Document ID: HPSBUX0112-177
Date Loaded: 20011211
Title: Sec. Vulnerability in OV NNM

--------------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0177,
Originally issued: 11 December 2001
--------------------------------------------------------------------

The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from customer's
failure to fully implement instructions in this Security Bulletin as
soon as possible.

--------------------------------------------------------------------
PROBLEM: It is possible to gain unauthorized privileges using an
application in OpenView Network Node Manager

PLATFORM: HP9000 Servers running HP-UX releases 10.20, 11.00 and
11.11; Sun Microsystems SOLARIS releases 2.X.

DAMAGE: A malicious user may obtain unauthorized privileges under
certain conditions.

SOLUTION: Apply one of these patches:
HP-UX 11.00/11.11 HP-UX 10.20 SOLARIS 2.X
NNM6.2 PHSS_24843 PHSS_24842 PSOV_02993
NNM6.1 PHSS_24798 PHSS_24797 PSOV_02988
NNM5.01 PHSS_24946 PSOV_02997

MANUAL ACTIONS: None.

AVAILABILITY: These patches are Special Release patches and are
available only from:
http://support.openview.hp.com/cpe/patches/
They are not available from the ITRC.

------------------------------------------------------------------
A. Background
Hewlett-Packard Company has been notified of a vulnerability
in its OpenView Network Node Manager. It is possible to gain
unauthorized privileges.

B. Fixing the problem
The problem is fixed in the following patches:
HP-UX 11.00/11.11 HP-UX 10.20 SOLARIS 2.X
NNM6.2 PHSS_24843 PHSS_24842 PSOV_02993
NNM6.1 PHSS_24798 PHSS_24797 PSOV_02988
NNM5.01 PHSS_24946 PSOV_02997
or a superseding patch.

C. Recommended solution
Apply one of the patches mentioned above. To get the
patches use the browser to visit the site
http://support.openview.hp.com/cpe/patches/
Select "Network Node Manager" product and search for one
of the patch numbers above. This will direct you to the
latest superseding patch.

D. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:

Use your browser to get to the HP IT Resource Center page
at:

http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login, in order to
gain access to many areas of the ITRC. Remember to save the
User ID assigned to you, and your password.

In the left most frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.

or

To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.

To -gain access- to the Security Patch Matrix, select
the link for "The Security Bulletins Archive". (near the
bottom of the page) Once in the archive the third link is
to the current Security Patch Matrix. Updated daily, this
matrix categorizes security patches by platform/OS release,
and by bulletin topic. Security Patch Check completely
automates the process of reviewing the patch matrix for
11.XX systems.

For information on the Security Patch Check tool, see:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
displayProductInfo.pl?productNumber=B6834AA"

The security patch matrix is also available via anonymous
ftp:

ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix

On the "Support Information Digest Main" page:
click on the "HP Security Bulletin Archive".


E. To report new security vulnerabilities, send email to:

security-alert@hp.com

Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server, or by sending a message with a -subject- (not body)
of 'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this
Bulletin to Hewlett-Packard (HP) customers (or the Internet
community) for the purpose of alerting them to problems,
if and only if, the Bulletin is not edited or changed in
any way, is attributed to HP, and provided such reproduction
and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.
________________________________________________________________
-----End of Document ID: HPSBUX0112-177--------------------------------------


Document ID: HPSBTL0112-004
Date Loaded: 20011211
Title: Sec. Vulnerability in Tomcat 3.2.1

TEXT





---------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #004
Originally issued: 12 December '01
---------------------------------------------------------------

The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from customer's
failure to fully implement instructions in this Security Bulletin as
soon as possible.

---------------------------------------------------------------
PROBLEM: Security Vulnerability in Tomcat 3.2.1.

PLATFORM: Any system running HP Secure OS software for Linux Release 1.0

DAMAGE: Potential unauthorized access to servlet resources

SOLUTION: Apply the appropriate patch (see section B below).

MANUAL ACTIONS: None

AVAILABILITY: The patch is available now.
---------------------------------------------------------------
A. Background

HP Secure OS software for Linux Release 1.0 was released
with the 3.2.1 version of Tomcat. Since then,
Tomcat 3.2.4 has been released to correct a number of
security related problems.

B. Fixing the problem

Apply patch HPTL_00010.

The patch is available as follows: -

Use your browser to access the HP IT Resource Center page
at:

http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login. Remember to save the
User ID assigned to you, and your password. This login provides
access to many useful areas of the ITRC.

Under the "Maintenance and Support" section, select "Individual Patches".

In the field at the bottom of the page labeled "retrieve a specific patch
by entering the patch name", enter HPTL_00010.

For instructions on installing the patch, please see the install text file
included in the patch.

NOTE:
Please see the install text file in the patch bundle for more details.

C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:

Use your browser to access to the HP IT Resource Center page
at:

http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login. Remember to
save the User ID assigned to you, and your password. This
login provides access to many useful areas of the ITRC.

In the leftmost frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.

or

To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.

D. To report new security vulnerabilities, send email to

security-alert@hp.com

Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server. You may also get the security-alert PGP key by
sending a message with a -subject- (not body) of
'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this
Bulletin to Hewlett-Packard (HP) customers (or the Internet
community) for the purpose of alerting them to problems,
if and only if, the Bulletin is not edited or changed in
any way, is attributed to HP, and provided such reproduction
and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.
---------------------------------------------------------------
-----End of Document ID: HPSBTL0112-004--------------------------------------


Document ID: HPSBTL0112-006
Date Loaded: 20011211
Title: Security vulnerability in Red Hat Korean Installation

TEXT






---------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY ADVISORY: #006
Originally issued: 12 December '01
---------------------------------------------------------------

The information in the following Security Advisory should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from the
customer's failure to fully implement instructions in this Security
Advisory as soon as possible.

---------------------------------------------------------------
PROBLEM: Security vulnerability in Red Hat Korean Installation.

PLATFORM: Any system running HP Secure OS software for Linux Release 1.0

DAMAGE: Incorrect permissions are assigned to files.

SOLUTION: None

MANUAL ACTIONS: None

AVAILABILITY: Not applicable
---------------------------------------------------------------
A. Background

The Red Hat 7.1 Korean installation creates some files with
incorrect permissions.

B. Fixing the problem

There is no applicable fix available for this problem.

Hewlett-Packard Company does not support a Korean version of
HP Secure OS Software for Linux Release 1.0


C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:

Use your browser to access the HP IT Resource Center page
at:

http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login. Remember to
save the User ID assigned to you, and your password. This
login provides access to many useful areas of the ITRC.

In the leftmost frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.

or

To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.

D. To report new security vulnerabilities, send email to

security-alert@hp.com

Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server. You may also get the security-alert PGP key by
sending a message with a -subject- (not body) of
'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this
Advisory to Hewlett-Packard (HP) customers (or the Internet
community) for the purpose of alerting them to problems,
if and only if, the Advisory is not edited or changed in
any way, is attributed to HP, and provided such reproduction
and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.
---------------------------------------------------------------
-----End of Document ID: HPSBTL0112-006--------------------------------------


Document ID: HPSBTL0112-005
Date Loaded: 20011211
Title: Security vulnerability in OpenSSH

TEXT





---------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #005
Originally issued: 12 December '01
---------------------------------------------------------------

The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from the
customer's failure to fully implement instructions in this Security
Bulletin as soon as possible.

Because the vulnerability does not require a Hewlett-Packard Secure OS
1.0 patch or re-packaging of the RPM affected by the advisory, the
RPMs have not been produced or tested by Hewlett-Packard.

---------------------------------------------------------------
PROBLEM: Security vulnerability in OpenSSH.

PLATFORM: Any system running HP Secure OS software for Linux Release 1.0

DAMAGE: Potential execution of commands by an intruder.

SOLUTION: Apply the appropriate RPMs (see section B below).

MANUAL ACTIONS: None

AVAILABILITY: The RPMs are available now.
---------------------------------------------------------------
A. Background

OpenSSH contains a vulnerability that permits an intruder to
execute arbitrary code if the UseLogin directive is enabled.
UseLogin is not enabled by default on HP Secure OS Software
for Linux.

B. Fixing the problem

Hewlett-Packard recommends that customers download the RPMs
listed in the following Red Hat Security Advisory:
http://www.redhat.com/support/errata/RHSA-2001-161.html


To install the security advisory RPMs, use the following sequence
of commands:

1. If you use the tripwire product, we recommend that you run a
a consistency check and fix any violations before installing
the security advisory RPM.

tripwire --check --interactive

2. Install the advisory RPM from the root account.

rpm -F <advisory RPM name>

3. Update the tripwire database

tripwire --check --interactive



NOTE:
The rpm -q <package name> command can be used to determine if the
product is installed. Hewlett-Packard recommends applying the
security advisory fixes to installed packages only. The -F option
to the RPM installer will only apply the fix if the package is
currently installed on the system. Dependent RPMs can be found by
using the "Find Latest RPMs" search facility at
http://www.redhat.com/apps/download. To find the latest dependent
RPM enter the RPM's name in the "By Keyword" box.


C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:

Use your browser to access the HP IT Resource Center page
at:

http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login. Remember to
save the User ID assigned to you, and your password. This
login provides access to many useful areas of the ITRC.

In the leftmost frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.

or

To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.

D. To report new security vulnerabilities, send email to

security-alert@hp.com

Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server. You may also get the security-alert PGP key by
sending a message with a -subject- (not body) of
'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this
Bulletin to Hewlett-Packard (HP) customers (or the Internet
community) for the purpose of alerting them to problems,
if and only if, the Bulletin is not edited or changed in
any way, is attributed to HP, and provided such reproduction
and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.
---------------------------------------------------------------
-----End of Document ID: HPSBTL0112-005--------------------------------------

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

While HP does not ship SSH, they have released the bulletin above addressing this vulnerability in OpenSSH for HP Secure OS software for Linux Release 1.0.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SSH Communications Security

Notified:  December 07, 2001 Updated:  December 12, 2001

Status

  Not Vulnerable

Vendor Statement

I can confirm that any version from SSH Communications Security are not vulnerable to UseLogin vulnerabilities. This is due to fact that we are not using UseLogin in our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun

Updated:  December 04, 2001

Status

  Not Vulnerable

Vendor Statement

Sun does not ship OpenSSH, thus Solaris is not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The CERT/CC thanks Marcus Friedl of OpenBSD, and Jacques A. Vidrine of FreeBSD for information related to this vulnerability.

This document was written by Jason Rafail.

Other Information

CVE IDs: None
Severity Metric: 15.75
Date Public: 2001-12-04
Date First Published: 2001-12-04
Date Last Updated: 2002-01-02 16:28 UTC
Document Revision: 15

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.