Red Hat Bugzilla – Bug 229193
CVE-2005-2666 openssh vulnerable to known_hosts address harvesting
Last modified: 2007-11-30 17:07:10 EST
clone for rhel3/2.1
+++ This bug was initially created as a clone of Bug #162681 +++
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8)
Description of problem:
Portable OpenSSH versions less than 4.0p1 have known_hosts files that would
allow an attacker to find additional targets, because the host information
contained within them is listed in cleartext.
The OpenSSH server included in RHEL 3 and 4 does not currently have support for
the Hashed Host patches that would be needed to avoid exposing sensitive
information to a successful attacker.
The specific fix that the OpenSSH folks have devised for this is described here:
A patch for OpenSSH 3.9p1 is available:
This could probably be backported to openssh-3.6.1 (used in RHEL 3).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Pretend you are a malicious coder. Find a vulnerability in SSH. Write a nasty
SSH worm that can jump from host to host.
2. Have your worm check everyone's .ssh/known_hosts file for additional targets.
3. Attempt to jump to the hosts listed in the known_hosts files, using both your
original exploit, and using any carelessly unencrypted private key files you
find on the machine.
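The hashed known_hosts format that the attached patches back-port (the behaviour OpenSSH 4.0 enables with HashKnownHosts, and that ssh-keygen -H applies to an existing file), as an added Python example written for this page, not the attached patch or OpenSSH's own code: each host name is replaced by |1|base64(salt)|base64(HMAC-SHA1(salt, host)) with a fresh random salt per entry. The client can still verify a host it is connecting to by recomputing the HMAC with the stored salt, but a copy of the file no longer lists the hosts. The sample known_hosts content and the key material are constructed placeholders; lowercasing names before hashing is this example's simplification of OpenSSH's case-insensitive matching.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterator, List, Optional, Set, Tuple

# Host-field format used by hashed known_hosts entries:
#   |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>
HASH_MAGIC = "|1|"
SALT_LEN = 20  # one SHA-1 digest length of random salt per entry


def _normalize(hostname: str) -> str:
    # Simplification of OpenSSH's case-insensitive host matching.
    return hostname.strip().lower()


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Turn a cleartext host field into a hashed one. A random salt per
    entry prevents precomputing hashes of likely host names."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    digest = hmac.new(salt, _normalize(hostname).encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode(),
                        base64.b64encode(digest).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (cleartext or hashed) refers to hostname.
    A hashed field can only be checked against a candidate, never read back."""
    wanted = _normalize(hostname)
    if host_field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, digest_b64 = host_field.split("|")
            salt = base64.b64decode(salt_b64, validate=True)
            stored = base64.b64decode(digest_b64, validate=True)
        except ValueError:  # malformed entry (binascii.Error is a ValueError)
            return False
        if len(salt) != SALT_LEN:
            return False
        computed = hmac.new(salt, wanted.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(computed, stored)
    # Cleartext fields may list several names/addresses separated by commas.
    return wanted in (_normalize(h) for h in host_field.split(","))


def _entries(known_hosts_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (host_field, key) for each non-blank, non-comment line."""
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host_field, _, key = line.partition(" ")
        yield host_field, key


def find_host_keys(known_hosts_text: str, hostname: str) -> List[str]:
    """Keys recorded for hostname: the lookup an SSH client performs."""
    return [key for host_field, key in _entries(known_hosts_text)
            if host_matches(host_field, hostname)]


def visible_hostnames(known_hosts_text: str) -> Set[str]:
    """Names/addresses readable directly from the file, i.e. what someone
    holding a copy of it learns without already knowing the hosts."""
    names: Set[str] = set()
    for host_field, _ in _entries(known_hosts_text):
        if not host_field.startswith(HASH_MAGIC):
            names.update(_normalize(h) for h in host_field.split(","))
    return names


def hash_known_hosts(known_hosts_text: str) -> str:
    """Rewrite every cleartext entry as hashed entries, one line per name
    (the transformation ssh-keygen -H applies); hashed lines are kept."""
    out = []
    for line in known_hosts_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith(HASH_MAGIC):
            out.append(line)
            continue
        host_field, _, key = stripped.partition(" ")
        for name in host_field.split(","):
            out.append("%s %s" % (hash_hostname(name), key))
    return "\n".join(out) + "\n"


# Constructed sample file; the key material is a placeholder, not a real host key.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample known_hosts
build01.example.test,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-PLACEHOLDER-KEY-1
db.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-PLACEHOLDER-KEY-2
"""

if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("cleartext file exposes:", sorted(visible_hostnames(SAMPLE_KNOWN_HOSTS)))
    print("hashed file exposes:   ", sorted(visible_hostnames(hashed)))
    print("lookup still works:", find_host_keys(hashed, "DB.example.test"))
```

Running the block converts the constructed file and shows that the hashed copy yields no host names while lookups for the same hosts still return their keys. Note that hashing protects only the known_hosts file; the comment below about shell history and logs still applies, so it is a narrowing of exposure, not a replacement for keeping hosts patched and private keys encrypted.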
-- Additional comment from firstname.lastname@example.org on 2005-07-08 16:55 EST --
Created an attachment (id=116539)
Patch for openssh-3.9p1
This patch is taken from openssh-4.0p1 and applies to openssh-3.9p1.
-- Additional comment from email@example.com on 2005-07-08 16:58 EST --
Created an attachment (id=116540)
Patch for openssh-3.6.1p2
This patch applies to openssh-3.6.1p2.
-- Additional comment from firstname.lastname@example.org on 2005-09-01 14:07 EST --
I'm moving this bug to affect RHEL4, and noting that this feature could be added
to RHEL3 and RHEL2.1 if we decide to support it.
Considering this a security issue is a far stretch as you first need an openssh
worm in order for it to be a problem. Additionally a worm could search the
users' shell history and log files for a list of hosts which could potentially be
vulnerable, making this much less effective than it would appear from the
We do not consider this problem as a real security issue. This feature is not
going to be implemented for RHEL-3.