Red Hat Bugzilla – Bug 162681
CVE-2005-2666 openssh vulnerable to known_hosts address harvesting
Last modified: 2010-10-21 23:07:53 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Description of problem:
Portable OpenSSH versions less than 4.0p1 have known_hosts files that would allow an attacker to find additional targets, because the host information contained within them is listed in cleartext.
The OpenSSH server included in RHEL 3 and 4 does not currently have support for the Hashed Host patches that would be needed to avoid exposing sensitive information to a successful attacker.
The specific fix that the OpenSSH folks have devised for this is described here:
A patch for OpenSSH 3.9p1 is available:
This could probably be backported to openssh-3.6.1 (used in RHEL 3).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Pretend you are a malicious coder. Find a vulnerability in SSH. Write a nasty SSH worm that can jump from host to host.
2. Have your worm check everyone's .ssh/known_hosts file for additional targets.
3. Attempt to jump to the hosts listed in the known_hosts files, using both your original exploit, and using any carelessly unencrypted private key files you find on the machine.
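To make the harvesting step and the proposed fix concrete, the following is an added example in Python; it is not part of this report or of the OpenSSH patches attached below. It implements the hashed known_hosts host field that the HashKnownHosts feature writes (`|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))`, with a random 20-byte salt, the same form `ssh-keygen -H` produces), then contrasts what a worm reading the file can learn from a cleartext file versus a hashed one, while showing the client can still look up its entries. The sample known_hosts contents, host names and key material are constructed; the function names are this example's own.

```python
"""Hashed known_hosts, as introduced in OpenSSH 4.0 (HashKnownHosts / ssh-keygen -H).

Format of a hashed host field:  |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>
The salt is 20 random bytes, so the same host hashes differently in every file and a
harvester cannot recover names without guessing each one first (and then only per entry).
Wildcard/negated patterns in cleartext fields are not modelled here (example simplification).
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"
SALT_LEN = hashlib.sha1().digest_size  # 20 bytes, as OpenSSH uses

# Constructed sample file; none of these hosts or keys are real.
SAMPLE_KNOWN_HOSTS = """\
# cleartext known_hosts, as written by OpenSSH < 4.0
build1.example.test,10.0.0.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDfakeKeyMaterial=
[git.example.test]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialAAAA
"""


def hash_host(name: str, salt: bytes | None = None) -> str:
    """Return the |1|salt|hash field for one host name (or a "[host]:port" string)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(field: str, name: str) -> bool:
    """Client-side check: does a host field (cleartext list or hashed) cover `name`?"""
    if field.startswith(HASH_MAGIC):
        salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        if len(salt) != SALT_LEN:
            return False
        got = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, expected)
    return name in field.split(",")


def _entries(text: str):
    """Yield (marker, host_field, key_part) for each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = ""
        if line.startswith("@"):  # @cert-authority / @revoked markers stay with the line
            marker, line = line.split(None, 1)
        host_field, key_part = line.split(None, 1)
        yield marker, host_field, key_part


def harvest_hosts(text: str) -> list[str]:
    """What a worm learns from the file: every cleartext host name. Hashed fields yield nothing."""
    found = []
    for _marker, host_field, _key in _entries(text):
        if host_field.startswith(HASH_MAGIC):
            continue
        for name in host_field.split(","):
            if name.startswith("["):  # "[host]:port" form: the host is still in the clear
                name = name[1:].split("]", 1)[0]
            found.append(name)
    return found


def hash_known_hosts(text: str) -> str:
    """Rewrite a file the way `ssh-keygen -H` does: one hashed line per host name."""
    out = []
    for marker, host_field, key_part in _entries(text):
        names = [host_field] if host_field.startswith(HASH_MAGIC) else host_field.split(",")
        for name in names:
            field = name if name.startswith(HASH_MAGIC) else hash_host(name)
            out.append(" ".join(filter(None, [marker, field, key_part])))
    return "\n".join(out) + "\n"


def lookup(text: str, name: str) -> list[str]:
    """Client-side lookup: key parts of every entry covering `name`, hashed or not.
    As in ssh, a non-default port is looked up as the literal string "[host]:port"."""
    return [key for _m, field, key in _entries(text) if host_matches(field, name)]


if __name__ == "__main__":
    print("cleartext file leaks:", harvest_hosts(SAMPLE_KNOWN_HOSTS))
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print("hashed file leaks:", harvest_hosts(hashed))
    print("client still finds build1:", lookup(hashed, "build1.example.test"))
```

Note that hashing only raises the bar for the harvesting step in the report: an attacker who already holds a list of candidate names (from shell history, DNS, or the local network) can test each against every entry, which is why the salt is per entry rather than per file. The private-key half of step 3 is unaffected by this change.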
Created attachment 116539 [details]
Patch for openssh-3.9p1
This patch is taken from openssh-4.0p1 and applies to openssh-3.9p1.
Created attachment 116540 [details]
Patch for openssh-3.6.1p2
This patch applies to openssh-3.6.1p2.
I'm moving this bug to affect RHEL4, and noting that this feature could be added
to RHEL3 and RHEL2.1 if we decide to support it.
Considering this a security issue is a far stretch as you first need an openssh
worm in order for it to be a problem. Additionally a worm could search the
users shell history and log files for a list of hosts which could potentially be
vulnerable, making this much less effective than it would appear from the
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
QE ack for 4.5.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.