Bug 162681 - (CVE-2005-2666) CVE-2005-2666 openssh vulnerable to known_hosts address harvesting
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
Version: 4.0
Platform: All Linux
Priority: low  Severity: low
Assigned To: Tomas Mraz
QA Contact: Brian Brock
URL: http://nms.csail.mit.edu/projects/ssh/
Whiteboard: impact=low,reported=20050707,source=b...
Keywords: Security
Reported: 2005-07-07 12:31 EDT by Richard Bullington-McGuire
Modified: 2010-10-21 23:07 EDT (History)
Fixed In Version: RHSA-2007-0257
Doc Type: Bug Fix
Last Closed: 2007-05-01 13:28:52 EDT

Attachments
Patch for openssh-3.9p1 (22.29 KB, patch), 2005-07-08 16:55 EDT, Tomas Mraz
Patch for openssh-3.6.1p2 (21.60 KB, patch), 2005-07-08 16:58 EDT, Tomas Mraz

Description Richard Bullington-McGuire 2005-07-07 12:31:31 EDT
Description of problem:
Portable OpenSSH versions less than 4.0p1 have known_hosts files that would allow an attacker to find additional targets, because the host information contained within them is listed in cleartext.

http://nms.csail.mit.edu/projects/ssh/

The OpenSSH server included in RHEL 3 and 4 does not currently have support for the Hashed Host patches that would be needed to avoid exposing sensitive information to a successful attacker.

The specific fix that the OpenSSH folks have devised for this is described here:

http://nms.lcs.mit.edu/projects/ssh/README.hashed-hosts

A patch for OpenSSH 3.9p1 is available:

http://nms.csail.mit.edu/projects/ssh/patch-other.php

This could probably be backported to openssh-3.6.1 (used in RHEL 3).


Version-Release number of selected component (if applicable):
openssh-3.6.1p2-33.30.4

How reproducible:
Always

Steps to Reproduce:
1. Pretend you are a malicious coder. Find a vulnerability in SSH. Write a nasty SSH worm that can jump from host to host.
2. Have your worm check everyone's .ssh/known_hosts file for additional targets.
3. Attempt to jump to the hosts listed in the known_hosts files, using both your original exploit, and using any carelessly unencrypted private key files you find on the machine.
4. Profit


Additional info:
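The hashed-hosts change referenced above (merged in OpenSSH 4.0p1 and backported in the attached patches) replaces each cleartext host field in known_hosts with a token of the form `|1|<base64 salt>|<base64 HMAC-SHA1(salt, host)>`, so a file that is read off a compromised machine no longer lists which hosts the user connects to, while the client can still verify a host it is about to connect to by recomputing the HMAC. The following Python is an added example, not code from this bug report, OpenSSH or Red Hat: it implements that token format, checks whether a token was derived from a given host, audits a known_hosts file for cleartext host fields (the information the report describes as harvestable), and rewrites them the way `ssh-keygen -H` does. The sample file contents, host names and key material are constructed, and the function names are my own.

```python
"""Hashed known_hosts entries (OpenSSH HashKnownHosts format) and an audit for
cleartext host fields. Added example; not code from the bug report or OpenSSH.

Entry layout per sshd(8):
    [@marker] |1|<b64 salt>|<b64 HMAC-SHA1(key=salt, msg=host)> <keytype> <key>
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"
SALT_LEN = 20  # OpenSSH uses a random salt the size of a SHA-1 digest


def hash_host(host: str, salt: Optional[bytes] = None) -> str:
    """Return the |1|salt|hash token for one host (fresh random salt unless given)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"{HASH_MAGIC}{base64.b64encode(salt).decode()}|{base64.b64encode(digest).decode()}"


def host_matches(token: str, host: str) -> bool:
    """True if a hashed token was derived from host; False for cleartext or malformed tokens."""
    if not token.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = token[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:  # covers binascii.Error (bad base64) and a missing '|'
        return False
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def _split_entry(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a line into (marker, host_field, key_part); None for comments, blanks, malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    marker = ""
    if line.startswith("@"):  # @cert-authority / @revoked
        parts = line.split(None, 1)
        if len(parts) < 2:
            return None
        marker, line = parts
    parts = line.split(None, 1)
    if len(parts) < 2:
        return None  # no key material after the host field
    return marker, parts[0], parts[1]


def audit_known_hosts(text: str) -> List[str]:
    """List every cleartext host name/address in the file, i.e. what a reader of the file learns."""
    found: List[str] = []
    for line in text.splitlines():
        entry = _split_entry(line)
        if entry is not None and not entry[1].startswith(HASH_MAGIC):
            found.extend(entry[1].split(","))  # one host field may name several hosts
    return found


def hash_known_hosts(text: str) -> str:
    """Rewrite cleartext entries into hashed form, as `ssh-keygen -H` does.

    Each comma-separated host becomes its own line with its own salt, so the
    result no longer shows which hosts share a key. Comments and already
    hashed entries are kept verbatim.
    """
    out: List[str] = []
    for line in text.splitlines():
        entry = _split_entry(line)
        if entry is None:
            out.append(line)
            continue
        marker, host_field, key_part = entry
        prefix = f"{marker} " if marker else ""
        if host_field.startswith(HASH_MAGIC):
            out.append(f"{prefix}{host_field} {key_part}")
        else:
            for host in host_field.split(","):
                out.append(f"{prefix}{hash_host(host)} {key_part}")
    return "\n".join(out) + "\n"


# Constructed sample (hosts and keys are made up); the last entry is already hashed.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "git.example.test,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EFAKEKEY1",
    "[bastion.example.test]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEY2",
    "@revoked old.example.test ssh-rsa AAAAB3NzaC1yc2EFAKEKEY3",
    f"{hash_host('db.example.test', bytes(range(SALT_LEN)))} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEY4",
]) + "\n"

if __name__ == "__main__":
    print("cleartext hosts before hashing:", audit_known_hosts(SAMPLE_KNOWN_HOSTS))
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("cleartext hosts after hashing: ", audit_known_hosts(hashed))
    print(hashed)
```

Running the block prints the four cleartext hosts of the constructed sample, then an empty list for the rewritten file. Because every host gets its own random salt, two entries for the same host are not comparable without recomputing the HMAC, which is exactly the property that removes the harvesting value of the file while leaving `ssh` able to verify a host it is connecting to; `audit_known_hosts` applied to real `~/.ssh/known_hosts` files is the check an administrator would run to confirm `HashKnownHosts yes` has taken effect.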
Comment 1 Tomas Mraz 2005-07-08 16:55:41 EDT
Created attachment 116539
Patch for openssh-3.9p1

This patch is taken from openssh-4.0p1 and applies to openssh-3.9p1.
Comment 2 Tomas Mraz 2005-07-08 16:58:56 EDT
Created attachment 116540
Patch for openssh-3.6.1p2

This patch applies to openssh-3.6.1p2.
Comment 3 Josh Bressers 2005-09-01 14:07:40 EDT
I'm moving this bug to affect RHEL4, and noting that this feature could be added
to RHEL3 and RHEL2.1 if we decide to support it.

Considering this a security issue is a far stretch as you first need an openssh
worm in order for it to be a problem.  Additionally a worm could search the
users shell history and log files for a list of hosts which could potentially be
vulnerable, making this much less effective than it would appear from the
description.
Comment 8 RHEL Product and Program Management 2006-09-20 12:52:14 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 10 Jay Turner 2006-10-10 09:49:00 EDT
QE ack for 4.5.
Comment 14 Red Hat Bugzilla 2007-05-01 13:28:52 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0257.html
