58865 – openssh 2.9p2 has multiple vulnerablities

Bug 58865 - openssh 2.9p2 has multiple vulnerablities

Summary: openssh 2.9p2 has multiple vulnerablities

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	openssh
Sub Component:
Version:	7.3
Hardware:	alpha
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Tom Tromey
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2002-01-26 01:17 UTC by George France
Modified:	2014-08-11 05:46 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2002-02-11 18:56:43 UTC
Embargoed:

Attachments	(Terms of Use)

Description George France 2002-01-26 01:17:35 UTC

Description of Problem:

This distribution is using openssh_2.9p2

Versions prior than 3.0.2 are vulnerable to an enviroment variables export that
can allow a local user to execute commands with root privileges.  This problem
affects only versions prior than 3.0.2, and when the UseLogin feature is enabled
(usually disabled by default)

Versions older than 3.0.1 are vulnerable to a flaw which an attacker may
authenticate, provided that Kerberos V support has been enabled (which is not
the case by default).  It is also vulnerable to an excessive memory clearing
bug, believed to be unexloitable.

Since I have enabled Kerberos V, this is a serious problem.

Solution: Upgrade to OpenSSH 3.0.2

--George

Comment 1 Tom Tromey 2002-01-28 17:27:55 UTC

I've looked into this a bit.

Our current tree has openssh-2.9p2-12, which has a patch
for the UseLog exploit.  This version will ship in the final candidate.

I'm not certain that we support enabling Kerberos V here.
I've asked and I'll report back when I have more information.

Comment 2 Nalin Dahyabhai 2002-01-28 20:48:15 UTC

By enabling Kerberos V support, do you mean that you enabled Kerberos for
authentication at install-time (or later, using authconfig), or that you rebuilt
the OpenSSH package with Kerberos V support (which it does not enable by default)?

If you selected Kerberos at install-time, you are not affected by the bug in
OpenSSH, and if you rebuilt the package to enable Kerberos support, I recommend
starting with the Raw Hide version of the package (currently at
ftp://ftp.redhat.com/pub/redhat/linux/rawhide/SRPMS/SRPMS/openssh-3.0.2p1-2.src.rpm)
instead.

The UseLogin vulnerability has addressed by a security erratum
(https://www.redhat.com/support/errata/RHSA-2001-161.html), so I'm closing this
report and marking it resolved by errata.

Comment 3 Tom Tromey 2002-02-01 01:44:56 UTC

I'm changing this to "Modified" per the project policy.

Comment 4 Tom Tromey 2002-02-11 18:56:37 UTC

I've looked into this some more.
Nalin pointed me to the Security Focus article:

  http://www.securityfocus.com/archive/78/242256

This reads in part:

   The only affected OpenSSH implementations are those
   that have compiled into the program the Kerberos V compatibility code.

As we do not compile in this code, I believe we are not vulnerable
to this hole.

Comment 5 Jay Turner 2002-02-13 21:25:30 UTC

Closing out.

Comment 6 Phil Copeland 2002-04-11 21:23:05 UTC

Current version for the alpha dist is:
    [root@localhost etc]# rpm -q openssh
    openssh-3.1p1-2

Bug closed (was on compaq's punch list)

Note You need to log in before you can comment on or make changes to this bug.