229193 – CVE-2005-2666 openssh vulnerable to known_hosts address harvesting

Bug 229193 - CVE-2005-2666 openssh vulnerable to known_hosts address harvesting

Summary: CVE-2005-2666 openssh vulnerable to known_hosts address harvesting

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	openssh
Sub Component:
Version:	3.0
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Brian Brock
Docs Contact:
URL:	http://nms.csail.mit.edu/projects/ssh/
Whiteboard:	impact=low,reported=20050707,source=b...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-02-19 13:58 UTC by Mark J. Cox
Modified:	2007-11-30 22:07 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-03-23 14:23:55 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Mark J. Cox 2007-02-19 13:58:26 UTC

clone for rhel3/2.1

+++ This bug was initially created as a clone of Bug #162681 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8)
Gecko/20050511 Firefox/1.0.4

Description of problem:
Portable OpenSSH versions less than 4.0p1 have known_hosts files that would
allow an attacker to find additional targets, because the host information
contained within them is listed in cleartext.

http://nms.csail.mit.edu/projects/ssh/

The OpenSSH server included in RHEL 3 and 4 do not currently have support for
the Hashed Host patches that would be needed to avoid exposing sensitive
information to a successful attacker.

The specific fix that the OpenSSH folks have devised for this is described here:

http://nms.lcs.mit.edu/projects/ssh/README.hashed-hosts

A patch for OpenSSH 3.9p1 is available:

http://nms.csail.mit.edu/projects/ssh/patch-other.php

This could probably be backported to openssh-3.6.1 (used in RHEL 3).


Version-Release number of selected component (if applicable):
openssh-3.6.1p2-33.30.4

How reproducible:
Always

Steps to Reproduce:
1. Pretend you are a malicious coder. Find a vulnerability in SSH. Write a nasty
SSH worm that can jump from host to host.
2. Have your worm check everyone's .ssh/known_hosts file for additinal targets.
3. Attempt to jump to the hosts listed in the known_hosts files, using both your
original exploit, and using any carelessly unencrypted private key files you
find on the machine.
4. Profit


Additional info:

-- Additional comment from tmraz on 2005-07-08 16:55 EST --
Created an attachment (id=116539)
Patch for openssh-3.9p1

This patch is taken from openssh-4.0p1 and applies to openssh-3.9p1.


-- Additional comment from tmraz on 2005-07-08 16:58 EST --
Created an attachment (id=116540)
Patch for openssh-3.6.1p2

This patch applies to openssh-3.6.1p2.


-- Additional comment from bressers on 2005-09-01 14:07 EST --
I'm moving this bug to affect RHEL4, and noting that this feature could be added
to RHEL3 and RHEL2.1 if we decide to support it.

Considering this a security issue is a far stretch as you first need an openssh
worm in order for it to be a problem.  Additionally a worm could search the
users shell history and log files for a list of hosts which could potentially be
vulnerable, making this much less effective than it would appear from the
description.

Comment 3 Tomas Mraz 2007-03-23 14:23:55 UTC

We do not consider this problem as a real security issue.  This feature is not
going to be implemented for RHEL-3.

Note You need to log in before you can comment on or make changes to this bug.