Bug 237449 (CVE-2007-5715) - CVE-2007-5715 Login attempts as root may go unnoticed
Summary: CVE-2007-5715 Login attempts as root may go unnoticed
Alias: CVE-2007-5715
Product: Fedora
Classification: Fedora
Component: denyhosts
Version: 6
Hardware: All
OS: Linux
Assignee: Jason Tibbitts
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-04-23 10:07 UTC by Jonathan Underwood
Modified: 2007-11-30 22:12 UTC

Fixed In Version: 2.6-4
Doc Type: Bug Fix
Last Closed: 2007-04-24 22:21:33 UTC

Attachments
Fix REGEX7 (589 bytes, patch)
2007-04-23 16:25 UTC, Jonathan Underwood

Description Jonathan Underwood 2007-04-23 10:07:41 UTC
Description of problem:

I have "PermitRootLogin no" in sshd_config to prevent logins as username
root. I also only allow specific usernames to log in, so I have AllowUsers set
in sshd_config.

When someone does attempt to login as root, I see this in /var/log/secure:

Apr 23 07:03:53 machinename sshd[29961]: User root from
not allowed because not listed in AllowUsers

and the corresponding entry in /var/log/denyhosts

2007-04-23 07:04:07,805 - denyhosts   : ERROR    regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group

... and the attacker goes unblocked and undetected by denyhosts.

Version-Release number of selected component (if applicable):

Comment 1 Jason Tibbitts 2007-04-23 14:39:19 UTC
Do you have any configuration entries defined which match REGEX?  If not, I
believe this is a known upstream bug.  My understanding, however, is that it is
harmless; ssh doesn't provide a hostname in that message so there is no way to
extract a hostname to block from it, and the message you see in your logs is
informing you of that.  I am not sure that ssh actually provides the messages
necessary to do what you are attempting to do, although please include it if so.
Otherwise I don't see that the underlying problem is something that can be
solved with denyhosts.


Note also that there was no upstream response to this; in fact, upstream seems
to have gone dormant.  If you have other suggestions on how we could make minor
modifications to the denyhosts packaging to accommodate this, I'm happy to hear
them.  But my feeling now is that in the absence of additional messages from
openssh which aren't being considered, this is not a denyhosts bug.

Comment 2 Jonathan Underwood 2007-04-23 15:33:32 UTC
If you look at the openssh log message provided above, you'll see the IP of the
offending host, and so there is sufficient information - denyhosts blocks by IP
rather than hostname. So, I believe denyhosts should block that host, and this
is a fairly severe bug.

Looking a bit harder into it, I think (as suggested by your mail to the
user-list) that in file  /usr/lib/python2.4/site-packages/DenyHosts/regex.py

FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")

should be replaced with

FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")

I'll test this locally, but that seems to be the crux of it - REGEX7 contains no
pattern to match the host.

Comment 3 Jonathan Underwood 2007-04-23 16:20:05 UTC
Have confirmed that fix works by placing the following line in denyhosts.conf

FAILED_ENTRY_REGEX7 = User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers

[All one line, not wrapped]

And so my suggestion of the replacement line in Comment #2 for
/usr/lib/python2.4/site-packages/DenyHosts/regex.py is the correct fix.

Will attach a patch.

Comment 4 Jason Tibbitts 2007-04-23 16:22:43 UTC
Any clue as to what this looks like for an IPv6 denial?

Comment 5 Jonathan Underwood 2007-04-23 16:25:48 UTC
Created attachment 153291

Comment 6 Jonathan Underwood 2007-04-23 16:28:11 UTC
(In reply to comment #4)
> Any clue as to what this looks like for an IPv6 denial?

Um, no. Seems irrelevant though, this fix is as IPV6 safe as the rest of
DenyHosts - basically it brings REGEX7 into alignment with the other REGEXs - if
this is broken for IPV6, then all the others are too. I don't have any way to
test this I'm afraid.
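
Added example (not part of the bug thread and not DenyHosts' own code): the two FAILED_ENTRY_REGEX7 patterns from comments 2 and 3, run against constructed sshd log lines, including the IPv6 case raised in comments 4 and 6. The classify helper, the sample lines and the documentation-range addresses are assumptions made for illustration.

```python
import re

# Patterns as posted in the thread, each joined onto one logical line.
OLD_REGEX7 = re.compile(
    r"User (?P<user>.*) not allowed because not listed in AllowUsers")
FIXED_REGEX7 = re.compile(
    r"User (?P<user>.*) .*from (::ffff:)?"
    r"(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    r" not allowed because not listed in AllowUsers")

# Constructed sshd lines; the addresses are documentation ranges (assumption).
_PREFIX = "Apr 23 07:03:53 machinename sshd[29961]: User root from "
_SUFFIX = " not allowed because not listed in AllowUsers"
SAMPLES = {
    "ipv4": _PREFIX + "192.0.2.10" + _SUFFIX,
    "mapped": _PREFIX + "::ffff:192.0.2.10" + _SUFFIX,
    "ipv6": _PREFIX + "2001:db8::1" + _SUFFIX,
}


def classify(pattern, line):
    """Hypothetical helper: report whether a match yields a blockable host."""
    match = pattern.search(line)
    if match is None:
        return ("no-match", None, None)
    if "host" not in pattern.groupindex:
        # The situation behind the "is missing 'host' group" log error.
        return ("missing-host-group", match.group("user"), None)
    return ("blockable", match.group("user"), match.group("host"))


def compare():
    """Classify every sample line with both patterns."""
    return {name: {"old": classify(OLD_REGEX7, line),
                   "fixed": classify(FIXED_REGEX7, line)}
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The original pattern matches the line but folds the address into the user group, so there is no host to act on; the replacement yields a host for plain IPv4 and ::ffff:-mapped addresses, while a native IPv6 source does not match it at all.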

Comment 7 Jason Tibbitts 2007-04-23 16:36:49 UTC
OK, let me do a build and see if I can get this past releng for F7.

Comment 8 Jonathan Underwood 2007-04-23 16:41:55 UTC
OK, thanks. An update for FC6 would also be much appreciated.

Comment 9 Jason Tibbitts 2007-04-24 22:21:33 UTC
I did some testing and let the new version stew on my servers overnight.  Since
that went OK, I pushed and built for F7, FC6, FC5, EL5 and EL4.

Comment 10 Jonathan Underwood 2007-04-25 10:15:39 UTC
Splendid, thanks.

Comment 11 Tomas Hoger 2007-10-31 13:20:30 UTC
CVE id CVE-2007-5715 was assigned to this old issue.
