ADSM-L

Fw: CERT Advisory CA-98.03 - ssh-agent

1998-01-23 13:44:50
Subject: Fw: CERT Advisory CA-98.03 - ssh-agent
From: Daniel Thompson <thompsod AT USAA DOT COM>
Date: Fri, 23 Jan 1998 12:44:50 -0600
Folks,

  I saw this in comp.security.announce.  Since several folks have reported
that they use SSH to get secure ADSM transactions, I thought they might
want to be aware of this vulnerability.

Dan T.

----------
> From: CERT Advisory <cert-advisory AT cert DOT org>
> From: CERT Advisory <cert-advisory AT cert DOT org>
> Newsgroups: comp.security.announce
> Subject: CERT Advisory CA-98.03 - ssh-agent
> Date: Thursday, January 22, 1998 2:43 PM
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
 ===========================================================================
=
> CERT* Advisory CA-98.03
> Original issue date: Jan. 22, 1998
> Last revised:
>
>               A complete revision history is at the end of this file.
>
> Topic:  Vulnerability in ssh-agent
>
> -
----------------------------------------------------------------------------
-
-
>
>
>    The text of this advisory was originally released on January 20, 1998,
>    as SNI-23, developed by Secure Networks, Inc. (SNI). To more widely
>    broadcast this information, we are reprinting the SNI advisory here
with
>    their permission. Some technical details in the original advisory are
>    not included in this reprint, and these are indicated thus:
>
>      { DETAILS NOT INCLUDED }
>
>    We have also removed SNI's PGP public key block and added our contact
>    information.
>
>    The original advisory is available from
>
>      ftp://ftp.secnet.com/pub/advisories/SNI-23.SSH-AGENT.advisory
>
>    We will update this advisory as we receive additional information.
>    Look for it in an "Updates" section at the end of the advisory.
>
>
 ===========================================================================
=
>
>
> This advisory details a vulnerabily in the SSH cryptographic login
> program.  The vulnerability enables users to use RSA credentials
> belonging to other users who use the ssh-agent program.  This
> vulnerability may allow an attacker on the same local host to login
> to a remote server as the user utilizing SSH.
>
>
> Problem Description:
> ~~~~~~~~~~~~~~~~~~~~
>
> In order to avoid forcing users of RSA based authentication to go
> through the trouble of retyping their pass phrase every time they wish
> to use ssh, slogin, or scp, the SSH package includes a program called
> ssh-agent, which manages RSA keys for the SSH program.  The ssh-agent
> program creates a mode 700 directory in /tmp, and then creates an
> AF_UNIX socket in that directory.  Later, the user runs the ssh-add
> program, which adds his private key to the set of keys managed by the
> ssh-agent program.  When the user wishes to access a service which
> permits him to log in using only his RSA key, the SSH client connects
> to the AF_UNIX socket, and asks the ssh-agent program for the key.
>
> Unfortunately, when connecting to the AF_UNIX socket, the SSH client is
> running as super-user, and performs insufficient permissions checking.
> This makes it possible for users to trick their SSH clients into using
> credentials belonging to other users.  The end result is that any user
> who utilizes RSA authentication AND uses ssh-agent, is vulnerable.
> Attackers can utilize this vulnerability to access remote accounts
> belonging to the ssh-agent user.
>
>   { DETAILS NOT INCLUDED }
>
>
> Vulnerable Systems:
> ~~~~~~~~~~~~~~~~~~~
>
> This vulnerability effects the Unix versions of SSH ONLY.
>
> SSH for unix versions 1.2.17 through 1.2.21 are vulnerable if installed
> with default permissions.  Versions of SSH prior to 1.2.17 are subject to
> a similar (but different) attack.
>
> F-Secure SSH for Unix systems prior to release 1.3.3 ARE vulnerable.
>
> You can determine the version of SSH you are running by issuing the case
> sensitive command:
>
> % ssh -V
>
> Version 1.1 of the windows-based SSH client sold by Data Fellows Inc.
> under the F-Secure brand name is NOT vulnerable to this attack.
>
> Versions 1.0 and 1.0a of Mac SSH are NOT vulnerable to this attack.
>
>
> Fix Resolution:
> ~~~~~~~~~~~~~~~
>
> Non-commercial users:
>
> If using the free non-commercial SSH distribution for Unix,
administrators
> are urged to upgrade to SSH 1.2.22 or later.  Updated versions of the
free
> unix SSH can be found at ftp://ftp.cs.hut.fi/pub/ssh
>
>
> Commercial users:
>
> F-Secure SSH version 1.3.3 fixes this security problem.  If you are using
> the commercial Data Fellows SSH package and you have a support contract,
> you can obtain SSH version 1.3.3 from your local retailer.
>
> Users without a support contract can obtain a diff file which fixes
> this problem.  This file can be obtained from:
>
> http://www.DataFellows.com/f-secure/support/ssh/bug/su132patch.html
>
>
> Workaround:
>
> As a temporary workaround, administrators may remove the setuid bit from
> the SSH binary.  This will prevent the attack from working, but will
> disable a form of authentication documented as rhosts-RSA.  For example,
> if your SSH binary is in the /usr/local/bin directory, the following
> command will remove the setuid bit from the SSH binary:
>
> # chmod u-s /usr/local/bin/ssh
>
>
> Additional Information
> ~~~~~~~~~~~~~~~~~~~~~~
>
> SSH is a cryptographic rsh, rlogin, and rcp replacement.  SSH was
> written by Tatu Ylonen <ylo AT cs.hut DOT fi>.  For more information about the
> noncommercial unix version of SSH, please see http://www.cs.hut.fi/ssh
>
> Commercial versions of ssh are marketed by Data Fellows Inc.  For
> information about the F-secure ssh derivatives sold by Data Fellows Inc,
> please see http://www.DataFellows.com/f-secure
>
> This vulnerability was discovered by David Sacerdote <davids AT secnet DOT 
> com>.
>
>   { DETAILS NOT INCLUDED }
>
>
> Copyright Notice
> ~~~~~~~~~~~~~~~~
> The contents of this advisory are Copyright (C) 1997 Secure Networks
> Inc, and may be distributed freely provided that no fee is charged for
> distribution, and that proper credit is given.
>
>  You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
>  and advisories at ftp://ftp.secnet.com/advisories
>
>  You can browse our web site at http://www.secnet.com
>
>  You can subscribe to our security advisory mailing list by sending mail
>  to majordomo AT secnet DOT com with the line "subscribe sni-advisories"
>
>
>
 ===========================================================================
=
>
> -
----------------------------------------------------------------------------
> The CERT Coordination Center thanks Secure Networks, Inc. for permission
> The CERT Coordination Center thanks Secure Networks, Inc. for permission
to
> reproduce technical content from their advisory SNI-23, which is
copyrighted
> 1997 Secure Networks, Inc.
> -
----------------------------------------------------------------------------
>
>
> If you believe that your system has been compromised, contact the CERT
> Coordination Center or your representative in the Forum of Incident
Response
> and Security Teams (see http://www.first.org/team-info/)
>
>
> CERT/CC Contact Information
> - ----------------------------
> Email    cert AT cert DOT org
>
> Phone    +1 412-268-7090 (24-hour hotline)
>                 CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) /
EDT(GMT-4)
>                 and are on call for emergencies during other hours.
>
> Fax      +1 412-268-6989
>
> Postal address
>          CERT Coordination Center
>          Software Engineering Institute
>          Carnegie Mellon University
>          Pittsburgh PA 15213-3890
>          USA
>
> Using encryption
>    We strongly urge you to encrypt sensitive information sent by email.
We can
>    support a shared DES key or PGP. Contact the CERT/CC for more
information.
>    Location of CERT PGP key
>          ftp://info.cert.org/pub/CERT_PGP.key
>
> Getting security information
>    CERT publications and other security information are available from
>         http://www.cert.org/
>         ftp://info.cert.org/pub/
>
>    CERT advisories and bulletins are also posted on the USENET newsgroup
>         comp.security.announce
>
>    To be added to our mailing list for advisories and bulletins, send
>    email to
>         cert-advisory-request AT cert DOT org
>    In the subject line, type
>         SUBSCRIBE  your-email-address
>
> -
---------------------------------------------------------------------------
> Copyright 1998 Carnegie Mellon University. Conditions for use,
> Copyright 1998 Carnegie Mellon University. Conditions for use,
disclaimers,
> and sponsorship information can be found in
> http://www.cert.org/legal_stuff.html and
ftp://ftp.cert.org/pub/legal_stuff .
> If you do not have FTP or web access, send mail to cert AT cert DOT org with
> "copyright" in the subject line.
>
> *CERT is registered in the U.S. Patent and Trademark Office.
> -
---------------------------------------------------------------------------
>
>
> This file: ftp://info.cert.org/pub/cert_advisories/CA-98.03.ssh-agent
>            http://www.cert.org
>                click on "CERT Advisories"
>
> ========================================================================
> UPDATES
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Revision history
>
>
<Prev in Thread] Current Thread [Next in Thread>
  • Fw: CERT Advisory CA-98.03 - ssh-agent, Daniel Thompson <=