Bug 755640 (CVE-2011-4327)

Summary: CVE-2011-4327 openssh: Unauthorized local access to host keys on platforms where ssh-rand-helper used
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: 592028873, hui.zhu, jchadima, mattias.ellert, mgrepl, plautrba, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-21 17:21:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2011-11-21 16:53:18 UTC 
A security flaw was found in the way ssh-keysign, a ssh helper program for host based authentication, attempted to retrieve enough entropy information on configurations that lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would be executed to retrieve the entropy from the system environment). A local attacker could use this flaw to obtain unauthorized access to host keys via ptrace(2) process trace attached to the 'ssh-rand-helper' program.

References:
[1] http://www.openssh.com/txt/release-5.8p2
[2] http://www.openssh.com/txt/portable-keysign-rand-helper.adv
[3] http://www.nessus.org/plugins/index.php?view=single&id=53841
[4] http://www.openwall.com/lists/oss-security/2011/11/21/11
    (CVE assignment)
Comment 1 Jan Lieskovsky 2011-11-21 17:06:08 UTC 
This issue did NOT affect the versions of the openssh package, as shipped with Red Hat Enterprise Linux 4, 5, and 6, since these versions use a built-in entropy pool to generate and retrieve entropy information by performing host-based authentication.

--

This issue did NOT affect the versions of the openssh package, as shipped with Fedora release of 14, 15, and 16, since these versions use a built-in entropy pool to generate and retrieve entropy information by performing host-based authentication.
Comment 2 Jan Lieskovsky 2011-11-21 17:21:49 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4, 5, and 6, as they use a built-in entropy pool to generate and retrieve entropy information when performing host-based authentication.