SecurityTracker.com
Category:   Application (Security)  >   OpenSSH
Vendors:   OpenSSH.org
OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
SecurityTracker Alert ID:  1002455
SecurityTracker URL:  http://securitytracker.com/id/1002455
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 26 2001
Impact:   Host/resource access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Versions of OpenSSH between 2.5 and 2.9.9
Description:   The OpenSSH project reported a weakness in OpenSSH's source IP based access control when it is configured for SSH protocol v2 public key authentication. Remote users connecting from IP addresses that should be refused may be able to connect.

The vulnerability is due to a weakness in the source IP address access control features in the key file option handling. When source IP based access control is used for SSH protocol v2 public key authentication, the access controls may fail if the 'from=' key file option is enabled in combination with both RSA and DSA keys in the '~/.ssh/authorized_keys2' file.

Whether the vulnerability can be triggered reportedly depends on the order of the user keys in the file. If a source IP restricted key (e.g., a DSA key) is immediately followed by a key of a different type (e.g., an RSA key), then the key options for the second key are applied to both keys. These options include the 'from=' restriction.

OpenSSH reports that the fixed version (2.9.9) contains some changes that may affect users upgrading from previous versions. See the Source Message for details.
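
The key ordering described above can be checked for in existing files. The following is an added example, not part of the advisory or of OpenSSH: a small audit script that reports a 'from='-restricted key directly followed by a key of a different type whose own 'from=' value differs or is missing. The function names and sample file content are constructed for illustration, and the script assumes that comment and blank lines between two keys do not break adjacency.

```python
import re

# SSH protocol v2 key types found in authorized_keys2 for these releases.
KEY_TYPES = {"ssh-dss", "ssh-rsa"}
# A field is a run of non-space characters; double-quoted parts may hold spaces.
FIELD_RE = re.compile(r'(?:[^\s"]|"(?:[^"\\]|\\.)*")+')
FROM_RE = re.compile(r'(?:^|,)from="((?:[^"\\]|\\.)*)"')

# Constructed sample; key material is shortened and not real.
SAMPLE = '''\
# alice
from="10.0.0.1" ssh-dss AAAAB3NzaC1kc3MAAA alice@bastion
ssh-rsa AAAAB3NzaC1yc2EAAA alice@laptop
from="10.0.0.1",no-pty ssh-rsa AAAAB3NzaC1yc2EBBB backup@host
from="10.0.0.1" ssh-rsa AAAAB3NzaC1yc2ECCC deploy@host
'''


def parse_keys(text):
    """Return (line_no, key_type, from_value_or_None) for each v2 key entry."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # assumption: comments/blank lines do not break adjacency
        fields = FIELD_RE.findall(line)
        idx = next((i for i, f in enumerate(fields[:2]) if f in KEY_TYPES), None)
        if idx is None:
            continue  # not a protocol v2 key line
        options = fields[0] if idx == 1 else ""
        m = FROM_RE.search(options)
        entries.append((no, fields[idx], m.group(1) if m else None))
    return entries


def risky_pairs(text):
    """Line-number pairs where a from=-restricted key is directly followed by a
    key of a different type whose from= value differs or is absent."""
    keys = parse_keys(text)
    return [(a[0], b[0]) for a, b in zip(keys, keys[1:])
            if a[2] is not None and a[1] != b[1] and a[2] != b[2]]


if __name__ == "__main__":
    for first, second in risky_pairs(SAMPLE):
        print(f"line {first}: from= may be replaced by options of line {second}")
```

On hosts that cannot be upgraded immediately, a reported pair points at the keys whose restriction should be reviewed first.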

Impact:   Remote users with valid authentication credentials can circumvent the system policy and log in from disallowed source IP addresses.
Solution:   Upgrade to version 2.9.9, available at the Vendor URL and mirror sites.
Vendor URL:  www.openssh.org/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Patch Included) Re: OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
This message includes a patch.
(Red Hat Issues Fix) OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
The vendor has released a fix.
(Mandrake Issues Fix) OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
The vendor has released a fix.
(Immunix Issues Fix) OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
The vendor has released a fix.
(Trustix Issues Fix) OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
The vendor has released a fix.
(Red Hat Issues Additional Fix) OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
The vendor has released a fix that includes Red Hat 7.0, 7.1, and 7.2.
(Conectiva Issues Fix) OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
The vendor has released a fix.
(SuSE Issues Fix) OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
The vendor has released a fix.



 Source Message Contents

Subject:  OpenSSH 2.9.9


From: Markus Friedl <markus@openbsd.org>

OpenSSH 2.9.9 has just been uploaded. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH 2.9.9 fixes a weakness in the key file option handling,
including source IP based access control.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

This release contains many portability bug-fixes (listed in the
ChangeLog) as well as several new features (listed below).

We would like to thank the OpenSSH community for their continued
support and encouragement.

Security Notes:
===============

This release fixes a weakness in the source IP based access control
for SSH protocol v2 public key authentication:

        Versions of OpenSSH between 2.5 and 2.9.9 are
        affected if they use the 'from=' key file option in
        combination with both RSA and DSA keys in
        ~/.ssh/authorized_keys2.

        Depending on the order of the user keys in
        ~/.ssh/authorized_keys2 sshd might fail to apply the
        source IP based access control restriction (e.g.
        from="10.0.0.1") to the correct key:

        If a source IP restricted key (e.g. DSA key) is
        immediately followed by a key of a different type
        (e.g. RSA key), then key options for the second key
        are applied to both keys, which includes 'from='.

        This means that users can circumvent the system policy
        and login from disallowed source IP addresses.
        

Important Changes:
==================

OpenSSH 2.9.9 might have upgrade issues introduced by the long time
between releases, which may affect people in unforeseen ways:

1) The files
        /etc/ssh_known_hosts2
        ~/.ssh/known_hosts2
        ~/.ssh/authorized_keys2
   are now obsolete, you can use
        /etc/ssh_known_hosts
        ~/.ssh/known_hosts
        ~/.ssh/authorized_keys
   For backward compatibility ~/.ssh/authorized_keys2 is still used for
   authentication and hostkeys are still read from the known_hosts2.
   However, old files are considered 'readonly'.  Future releases are
   likely to not read these files.

2) The CheckMail option in sshd_config is deprecated, sshd no longer
   checks for new mail.

3) X11 cookies are stored in $HOME

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.


 
 



Copyright 2022, SecurityGlobal.net LLC