Bug 162681 - (CVE-2005-2666) CVE-2005-2666 openssh vulnerable to known_hosts address harvesting
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
Platform: All Linux
Priority: low
Severity: low
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Keywords: Security
Reported: 2005-07-07 12:31 EDT by Richard Bullington-McGuire
Modified: 2010-10-21 23:07 EDT
Fixed In Version: RHSA-2007-0257
Doc Type: Bug Fix
Last Closed: 2007-05-01 13:28:52 EDT

Attachments:
Patch for openssh-3.9p1 (22.29 KB, patch), 2005-07-08 16:55 EDT, Tomas Mraz
Patch for openssh-3.6.1p2 (21.60 KB, patch), 2005-07-08 16:58 EDT, Tomas Mraz

Description Richard Bullington-McGuire 2005-07-07 12:31:31 EDT
Description of problem:
Portable OpenSSH versions less than 4.0p1 have known_hosts files that would allow an attacker to find additional targets, because the host information contained within them is listed in cleartext.

The OpenSSH server included in RHEL 3 and 4 does not currently have support for the Hashed Host patches that would be needed to avoid exposing sensitive information to a successful attacker.

The specific fix that the OpenSSH folks have devised for this is described here:

A patch for OpenSSH 3.9p1 is available:

This could probably be backported to openssh-3.6.1 (used in RHEL 3).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Pretend you are a malicious coder. Find a vulnerability in SSH. Write a nasty SSH worm that can jump from host to host.
2. Have your worm check everyone's .ssh/known_hosts file for additional targets.
3. Attempt to jump to the hosts listed in the known_hosts files, using both your original exploit, and using any carelessly unencrypted private key files you find on the machine.
4. Profit

Additional info:
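To make concrete what the hashed-hosts feature from OpenSSH 4.0p1 changes, here is an added Python illustration (not code from this bug report, from the attached patches, or from OpenSSH itself). It reproduces the hashed known_hosts entry format OpenSSH uses, `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`, shows the connect-time check against such an entry, rewrites a file the way `ssh-keygen -H` does, and runs the harvesting described in the report against the file before and after hashing. The hostnames, key blobs and the sample file are constructed for the example; the choice to leave wildcard and negated patterns unhashed is this example's own.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"   # prefix OpenSSH uses for a hashed host field
SALT_LEN = 20        # OpenSSH salts are 20 bytes (the SHA-1 digest size)

# Constructed sample known_hosts file; hostnames and key blobs are placeholders.
SAMPLE_KNOWN_HOSTS = [
    "# constructed sample, not a real known_hosts file",
    "bastion.example.test,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA",
    "[git.example.test]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA",
    "@revoked oldbox.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA",
]


def hash_hostname(hostname, salt=None):
    """Hash one host field as OpenSSH does: HMAC-SHA1 keyed with a random
    salt over the hostname, written as '|1|b64(salt)|b64(mac)'."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    mac = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode("ascii"),
                        base64.b64encode(mac).decode("ascii"))


def salt_from_hashed(hashed):
    """Recover the salt from a hashed host field, or None if it is malformed."""
    if not hashed.startswith(HASH_MAGIC):
        return None
    parts = hashed[len(HASH_MAGIC):].split("|")
    if len(parts) != 2:
        return None
    try:
        salt = base64.b64decode(parts[0], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return salt if len(salt) == SALT_LEN else None


def hashed_host_matches(hashed, hostname):
    """The connect-time check: re-hash the candidate hostname with the entry's
    salt and compare. This is one-way, so a hostname can be confirmed against
    an entry but never read back out of it."""
    salt = salt_from_hashed(hashed)
    if salt is None:
        return False
    return hmac.compare_digest(hash_hostname(hostname, salt), hashed)


def plaintext_hosts(lines):
    """The harvesting the report describes: every host field stored in the
    clear. Hashed fields contribute nothing."""
    found = []
    for raw in lines:
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):       # @cert-authority / @revoked marker
            fields = fields[1:]
        if not fields or fields[0].startswith(HASH_MAGIC):
            continue
        found.extend(fields[0].split(","))
    return found


def hash_known_hosts(lines, salt_source=os.urandom):
    """Rewrite a known_hosts file the way `ssh-keygen -H` does: each host in a
    comma-separated host field becomes its own line with a fresh salt; comment,
    blank and already-hashed lines pass through. Wildcard ('*', '?') and negated
    ('!') patterns cannot be matched through a hash, so this example (its own
    assumption) leaves those lines unchanged."""
    out = []
    for raw in lines:
        line = raw.rstrip("\n")
        fields = line.split(None, 1)
        if not fields or fields[0].startswith("#"):
            out.append(line)
            continue
        marker = ""
        if fields[0].startswith("@") and len(fields) == 2:
            marker = fields[0] + " "
            fields = fields[1].split(None, 1)
        hosts = fields[0]
        rest = fields[1].strip() if len(fields) == 2 else ""
        if hosts.startswith(HASH_MAGIC) or any(c in hosts for c in "*?!"):
            out.append(line)
            continue
        for host in hosts.split(","):
            out.append(marker + hash_hostname(host, salt_source(SALT_LEN)) + " " + rest)
    return out


if __name__ == "__main__":
    print("hosts readable before hashing:", plaintext_hosts(SAMPLE_KNOWN_HOSTS))
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("hosts readable after hashing: ", plaintext_hosts(hashed))
    for line in hashed:
        print(line)
```

With the feature present, `HashKnownHosts yes` in ssh_config makes ssh write new entries in this form, and `ssh-keygen -H` converts an existing file in place (leaving a `known_hosts.old` backup that should be deleted, since it still holds the plaintext names). The protection is only a one-way check: someone holding the file can still confirm a guessed hostname against it (`ssh-keygen -F host` does exactly that), and the key blobs remain in the clear.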
Comment 1 Tomas Mraz 2005-07-08 16:55:41 EDT
Created attachment 116539 [details]
Patch for openssh-3.9p1

This patch is taken from openssh-4.0p1 and applies to openssh-3.9p1.
Comment 2 Tomas Mraz 2005-07-08 16:58:56 EDT
Created attachment 116540 [details]
Patch for openssh-3.6.1p2

This patch applies to openssh-3.6.1p2.
Comment 3 Josh Bressers 2005-09-01 14:07:40 EDT
I'm moving this bug to affect RHEL4, and noting that this feature could be added
to RHEL3 and RHEL2.1 if we decide to support it.

Considering this a security issue is a far stretch as you first need an openssh
worm in order for it to be a problem.  Additionally a worm could search the
users shell history and log files for a list of hosts which could potentially be
vulnerable, making this much less effective than it would appear from the
Comment 8 RHEL Product and Program Management 2006-09-20 12:52:14 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 10 Jay Turner 2006-10-10 09:49:00 EDT
QE ack for 4.5.
Comment 14 Red Hat Bugzilla 2007-05-01 13:28:52 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.