SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   OpenSSH Vendors:   OpenSSH.org
(Caldera Issues Fix) OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
SecurityTracker Alert ID:  1002965
SecurityTracker URL:  http://securitytracker.com/id/1002965
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 13 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): All packages prior to openssh-2.9p2-4 on: OpenLinux eServer and eBuilder 2.3.1, OpenLinux eDesktop 2.4, OpenLinux Server 3.1, and OpenLinux Workstation 3.1
Description:   A vulnerability was reported in OpenSSH that may allow a local user to cause arbitrary commands to be executed with root level privileges, giving the user root level access on the system.

The vulnerability reportedly resides in the UseLogin option of OpenSSH. This option is apparently not part of the default configuration. A local user can pass environment variables (e.g. LD_PRELOAD) to the login process, which is run with the same privilege as sshd (typically this is a root level process). This could allow a local user to cause arbitrary commands to be executed with root level privileges, giving the local user root access on the system.

Impact:   A local user could cause arbitrary commands to be executed with root level privileges, giving the local user root access on the system.
Solution:   The vendor has released a fix and has described a workaround.

For a workaround, make sure that you do not have the UseLogin option enabled. In /etc/ssh/sshd_config, the UseLogin option should either be commended out, or should be set to "no".

The vendor reports that OpenLinux 2.3 is not vulnerable.


For OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0:

ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

The verification checksums are:

4750b4dc110bcdb9a06f275422486d22 RPMS/openssh-2.9p2-4.i386.rpm
2ccef9bbd5c51ac9ee3ea7bdb0cad5e8 RPMS/openssh-askpass-2.9p2-4.i386.rpm
db4931cfa21ef0312ca9f7baaea9d19d RPMS/openssh-server-2.9p2-4.i386.rpm
50511f127c8215bce46d6082aa924aa9 SRPMS/openssh-2.9p2-4.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9p2-4.i386.rpm \
openssh-askpass-2.9p2-4.i386.rpm \
openssh-server-2.9p2-4.i386.rpm

For OpenLinux eDesktop 2.4:

ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

The verification checksums are:

67227fa9552a81465786e23b82347b7b RPMS/openssh-2.9p2-4.i386.rpm
80693bc40f533ed757a2cc3aa7ad2dbc RPMS/openssh-askpass-2.9p2-4.i386.rpm
3cbd5f69eb010de1dad17c25b85bcc6f RPMS/openssh-server-2.9p2-4.i386.rpm
50511f127c8215bce46d6082aa924aa9 SRPMS/openssh-2.9p2-4.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9p2-4.i386.rpm \
openssh-askpass-2.9p2-4.i386.rpm \
openssh-server-2.9p2-4.i386.rpm

For OpenLinux 3.1 Server:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

The verification checksums are:

2b214778e58a252b5fa6efda93564ec9 RPMS/openssh-2.9p2-4.i386.rpm
a7cbe46794f3e2ccd9db54844d6500a2 RPMS/openssh-askpass-2.9p2-4.i386.rpm
eb5f164e76adf62b19d8d7ce8bd4e121 RPMS/openssh-server-2.9p2-4.i386.rpm
50511f127c8215bce46d6082aa924aa9 SRPMS/openssh-2.9p2-4.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9p2-4.i386.rpm \
openssh-askpass-2.9p2-4.i386.rpm \
openssh-server-2.9p2-4.i386.rpm

For OpenLinux 3.1 Workstation:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

The verification checksums are:

2b214778e58a252b5fa6efda93564ec9 RPMS/openssh-2.9p2-4.i386.rpm
a7cbe46794f3e2ccd9db54844d6500a2 RPMS/openssh-askpass-2.9p2-4.i386.rpm
eb5f164e76adf62b19d8d7ce8bd4e121 RPMS/openssh-server-2.9p2-4.i386.rpm
50511f127c8215bce46d6082aa924aa9 SRPMS/openssh-2.9p2-4.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9p2-4.i386.rpm \
openssh-askpass-2.9p2-4.i386.rpm \
openssh-server-2.9p2-4.i386.rpm

Vendor URL:  www.openssh.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Caldera/SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Dec 4 2001 OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access



 Source Message Contents

Subject:  Security Update [CSSA-2001-042.0] Linux - Remote vulnerability in OpenSSH


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera International, Inc.  Security Advisory

Subject:		Linux - Remote vulnerability in OpenSSH
Advisory number: 	CSSA-2001-042.0
Issue date: 		2001, December 11
Cross reference:
______________________________________________________________________________


1. Problem Description

   The OpenSSH team has reported a vulnerability in the OpenSSH server
   that allows remote attackers to obtain root privilege if the server
   has the UseLogin option enabled. This option is off by default on
   OpenLinux, so a default installation is not vulnerable.

   We nevertheless recommend to our customers to upgrade to the fixed
   package.

   Exploits of this vulnerability have apparently been circulated for
   some time.


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                 not vulnerable                
   
   OpenLinux eServer 2.3.1       All packages previous to      
   and OpenLinux eBuilder        openssh-2.9p2-4               
   
   OpenLinux eDesktop 2.4        All packages previous to      
                                 openssh-2.9p2-4               
   
   OpenLinux Server 3.1          All packages previous to      
                                 openssh-2.9p2-4               
   
   OpenLinux Workstation 3.1     All packages previous to      
                                 openssh-2.9p2-4               
   


3. Solution

   Workaround

     Make sure that you do not have the UseLogin option enabled.
     In /etc/ssh/sshd_config, the UseLogin option should either
     be commended out, or should be set to "no".

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

    not vulnerable

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

    5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       4750b4dc110bcdb9a06f275422486d22  RPMS/openssh-2.9p2-4.i386.rpm
       2ccef9bbd5c51ac9ee3ea7bdb0cad5e8  RPMS/openssh-askpass-2.9p2-4.i386.rpm
       db4931cfa21ef0312ca9f7baaea9d19d  RPMS/openssh-server-2.9p2-4.i386.rpm
       50511f127c8215bce46d6082aa924aa9  SRPMS/openssh-2.9p2-4.src.rpm
       

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9p2-4.i386.rpm \
              openssh-askpass-2.9p2-4.i386.rpm \
              openssh-server-2.9p2-4.i386.rpm
         

6. OpenLinux eDesktop 2.4

    6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       67227fa9552a81465786e23b82347b7b  RPMS/openssh-2.9p2-4.i386.rpm
       80693bc40f533ed757a2cc3aa7ad2dbc  RPMS/openssh-askpass-2.9p2-4.i386.rpm
       3cbd5f69eb010de1dad17c25b85bcc6f  RPMS/openssh-server-2.9p2-4.i386.rpm
       50511f127c8215bce46d6082aa924aa9  SRPMS/openssh-2.9p2-4.src.rpm
       

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9p2-4.i386.rpm \
              openssh-askpass-2.9p2-4.i386.rpm \
              openssh-server-2.9p2-4.i386.rpm
         

7. OpenLinux 3.1 Server

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   7.2 Verification

       2b214778e58a252b5fa6efda93564ec9  RPMS/openssh-2.9p2-4.i386.rpm
       a7cbe46794f3e2ccd9db54844d6500a2  RPMS/openssh-askpass-2.9p2-4.i386.rpm
       eb5f164e76adf62b19d8d7ce8bd4e121  RPMS/openssh-server-2.9p2-4.i386.rpm
       50511f127c8215bce46d6082aa924aa9  SRPMS/openssh-2.9p2-4.src.rpm
       

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9p2-4.i386.rpm \
              openssh-askpass-2.9p2-4.i386.rpm \
              openssh-server-2.9p2-4.i386.rpm
         

8. OpenLinux 3.1 Workstation

    8.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   8.2 Verification

       2b214778e58a252b5fa6efda93564ec9  RPMS/openssh-2.9p2-4.i386.rpm
       a7cbe46794f3e2ccd9db54844d6500a2  RPMS/openssh-askpass-2.9p2-4.i386.rpm
       eb5f164e76adf62b19d8d7ce8bd4e121  RPMS/openssh-server-2.9p2-4.i386.rpm
       50511f127c8215bce46d6082aa924aa9  SRPMS/openssh-2.9p2-4.src.rpm
       

   8.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9p2-4.i386.rpm \
              openssh-askpass-2.9p2-4.i386.rpm \
              openssh-server-2.9p2-4.i386.rpm
         


9. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 11153.


10. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

11. Acknowledgements

   Caldera wishes to thank Markus Friedl of the OpenSSH team for notifying
   vendor-sec.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE8FewT18sy83A/qfwRAkprAKCUuQ2aRIFumjIbmPnz8XHkPyfWlwCfR7eL
q5MEexeQXE2DDAlofnVtlpg=
=Uwbo
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com
For additional commands, e-mail: announce-help@lists.caldera.com


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC