Bug 20805 - Hostile servers can force OpenSSH clients to do agent or X11 forwarding
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssh
Version: 7.0
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
Reported: 2000-11-13 23:58 UTC by Daniel Roesen
Modified: 2008-05-01 15:37 UTC (History)

Last Closed: 2000-11-14 09:34:02 UTC


Attachments
fix against OpenSSH 2.2.0 (1.50 KB, patch)
2000-11-14 00:12 UTC, Daniel Roesen

Description Daniel Roesen 2000-11-13 23:58:17 UTC
From: Markus Friedl <markus.friedl.DE>
To: BUGTRAQ
Subject:      OpenSSH Security Advisory (adv.fwd)
Date:         Mon, 13 Nov 2000 21:13:18 +0100
Message-ID:  <20001113211318.A27132@folly>

Hostile servers can force OpenSSH clients to do agent or X11 forwarding

1. Systems affected:

        All versions of OpenSSH prior to 2.3.0 are affected.

2. Description:

        If agent or X11 forwarding is disabled in the ssh client
        configuration, the client does not request these features
        during session setup.  This is the correct behaviour.

        However, when the ssh client receives an actual request
        asking for access to the ssh-agent, the client fails to
        check whether this feature has been negotiated during session
        setup.  The client does not check whether the request is in
        compliance with the client configuration and grants access
        to the ssh-agent.  A similar problem exists in the X11
        forwarding implementation.

3. Impact:

        Hostile servers can access your X11 display or your ssh-agent.

4. Short Term Solution:

        Clear both the $DISPLAY and the $SSH_AUTH_SOCK variable
        before connecting to untrusted hosts:

                % unset SSH_AUTH_SOCK; unset DISPLAY; ssh host

5. Solution:

        Upgrade to OpenSSH-2.3.0 or apply the attached patch.
        OpenSSH-2.3.0 is available from www.openssh.com.

6. Credits:

        Thanks to Jacob Langseth <jwl> for pointing
        out the X11 forwarding issue.
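
The missing check described in the advisory above, modelled as an added example (not OpenSSH source and not the attached patch): a server-initiated forwarding request is granted only if the feature is enabled in the client configuration and was requested by the client during session setup. All type and function names are hypothetical, and the scenario in `main` is constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* All names here are hypothetical; this is a model, not OpenSSH source. */
enum fwd_kind { FWD_AGENT, FWD_X11, FWD_KINDS };

struct client_state {
    bool enabled[FWD_KINDS];   /* client configuration */
    bool requested[FWD_KINDS]; /* what the client asked for during session setup */
};

/* Session setup: request only what the configuration enables.
 * The advisory calls this part "the correct behaviour". */
static void session_setup(struct client_state *st)
{
    for (int k = 0; k < FWD_KINDS; k++)
        st->requested[k] = st->enabled[k];
}

/* Flawed handler as the advisory describes it: a server-initiated open
 * is granted without consulting configuration or negotiation state. */
static bool grant_open_unchecked(const struct client_state *st, int k)
{
    (void)st;
    return k == FWD_AGENT || k == FWD_X11;
}

/* Checked handler: grant only a known kind that is enabled in the
 * configuration AND was requested by this client during setup. */
static bool grant_open_checked(const struct client_state *st, int k)
{
    if (k < 0 || k >= FWD_KINDS)
        return false;
    return st->enabled[k] && st->requested[k];
}

int main(void)
{
    /* Constructed scenario: agent forwarding off, X11 forwarding on. */
    struct client_state st = { .enabled = { false, true } };
    session_setup(&st);
    printf("agent open, unchecked: %d\n", grant_open_unchecked(&st, FWD_AGENT));
    printf("agent open, checked:   %d\n", grant_open_checked(&st, FWD_AGENT));
    printf("x11 open, checked:     %d\n", grant_open_checked(&st, FWD_X11));
    return 0;
}
```

Tracking `requested` separately from `enabled` also refuses a request that arrives before the client has asked for the feature in this session.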

Comment 1 Daniel Roesen 2000-11-14 00:12:42 UTC
Created attachment 5320
fix against OpenSSH 2.2.0

Comment 2 Pekka Savola 2000-11-14 06:58:53 UTC
I don't see this as a _too_ big security risk.. you don't often connect to
hostile servers anyway.

Good excuse to upgrade to 2.3.0p1 in the process though. ;-)
Comment 3 Daniel Roesen 2000-11-14 09:34:00 UTC
Depends on usage... I often have to connect to at least "suspicious" sites...

Comment 4 Nalin Dahyabhai 2000-11-20 19:54:04 UTC
A 2.3.0p1 errata is being prepped.