Bug 229193 - CVE-2005-2666 openssh vulnerable to known_hosts address harvesting
Summary: CVE-2005-2666 openssh vulnerable to known_hosts address harvesting
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh   
(Show other bugs)
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL: http://nms.csail.mit.edu/projects/ssh/
Whiteboard: impact=low,reported=20050707,source=b...
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2007-02-19 13:58 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-03-23 14:23:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Mark J. Cox 2007-02-19 13:58:26 UTC
clone for rhel3/2.1

+++ This bug was initially created as a clone of Bug #162681 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8)
Gecko/20050511 Firefox/1.0.4

Description of problem:
Portable OpenSSH versions less than 4.0p1 have known_hosts files that would
allow an attacker to find additional targets, because the host information
contained within them is listed in cleartext.


The OpenSSH server included in RHEL 3 and 4 do not currently have support for
the Hashed Host patches that would be needed to avoid exposing sensitive
information to a successful attacker.

The specific fix that the OpenSSH folks have devised for this is described here:


A patch for OpenSSH 3.9p1 is available:


This could probably be backported to openssh-3.6.1 (used in RHEL 3).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Pretend you are a malicious coder. Find a vulnerability in SSH. Write a nasty
SSH worm that can jump from host to host.
2. Have your worm check everyone's .ssh/known_hosts file for additinal targets.
3. Attempt to jump to the hosts listed in the known_hosts files, using both your
original exploit, and using any carelessly unencrypted private key files you
find on the machine.
4. Profit

Additional info:

-- Additional comment from tmraz@redhat.com on 2005-07-08 16:55 EST --
Created an attachment (id=116539)
Patch for openssh-3.9p1

This patch is taken from openssh-4.0p1 and applies to openssh-3.9p1.

-- Additional comment from tmraz@redhat.com on 2005-07-08 16:58 EST --
Created an attachment (id=116540)
Patch for openssh-3.6.1p2

This patch applies to openssh-3.6.1p2.

-- Additional comment from bressers@redhat.com on 2005-09-01 14:07 EST --
I'm moving this bug to affect RHEL4, and noting that this feature could be added
to RHEL3 and RHEL2.1 if we decide to support it.

Considering this a security issue is a far stretch as you first need an openssh
worm in order for it to be a problem.  Additionally a worm could search the
users shell history and log files for a list of hosts which could potentially be
vulnerable, making this much less effective than it would appear from the

Comment 3 Tomas Mraz 2007-03-23 14:23:55 UTC
We do not consider this problem as a real security issue.  This feature is not
going to be implemented for RHEL-3.

Note You need to log in before you can comment on or make changes to this bug.