Red Hat Bugzilla – Bug 785292
CVE-2012-0814 openssh: forced command option information disclosure
Last modified: 2017-03-01 04:19:15 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-0814 to the following vulnerability:

Name: CVE-2012-0814
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0814
Assigned: 20120119
Reference: http://openwall.com/lists/oss-security/2012/01/26/15
Reference: http://openwall.com/lists/oss-security/2012/01/27/1
Reference: http://openwall.com/lists/oss-security/2012/01/26/16
Reference: http://openwall.com/lists/oss-security/2012/01/27/4
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
Reference: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c
Reference: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54

The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory.
We have done further investigation and determined the following:

OpenSSH portable, built from source with no modifications:
5.3p1 is NOT vulnerable
5.4p1 is vulnerable
5.5p1 is vulnerable
5.6p1 is NOT vulnerable
Ok so we (myself and vdanen@redhat.com) have done some more research and here are the results (good news and bad news):

OpenSSH portable compiled from source with no changes:
5.3p1 is NOT vulnerable
5.4p1 is vulnerable
5.5p1 is vulnerable
5.6p1 is NOT vulnerable

Upon further examination of the errors we have the following for OpenSSH 5.3p1:

=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced command: echo 3
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: echo 3
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
[snip]
=========

As we can see we get the debug information BEFORE authentication is finished. So this issue was then addressed in 5.4:

- (dtucker) OpenBSD CVS Sync
  - dtucker@cvs.openbsd.org 2010/03/07 11:57:13
    [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
    Hold authentication debug messages until after successful authentication.
    Fixes an info leak of environment variables specified in authorized_keys,
    reported by Jacob Appelbaum. ok djm@

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.47;r2=1.48

which contains the following line:

- auth_debug_reset();

So now more information is sent in the debug message (post-authentication) which created this problem:

=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
LANG=en_US.UTF-8
[stuff]
=========

Then in version 5.6p1 the certificate handling code was reworked and something fixed this problem, we haven't tracked it down exactly (it may be related to cert_forced_command, auth_cert_options and parse_option_list).
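The two transcripts above differ in one observable way: the 5.3p1 server echoes only the forced command of the key that authenticated, while 5.4p1/5.5p1 echo the command option of every entry in the shared authorized_keys file. Since a single authorized_keys entry carries at most one command= option, an administrator checking a server they operate can treat more than one distinct "Remote: Forced command" value in a single login as evidence of this disclosure. The following script is an added illustration, not code from the bug report or from OpenSSH; it assumes the ssh -v client output format quoted in the comment above, and the two sample transcripts are constructed from those quotes.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Client-side debug lines as quoted in the bug report (assumed format).
FORCED_RE = re.compile(r"^debug\d: Remote: Forced command: (.*)$")
AUTH_OK_RE = re.compile(r"^debug\d: Authentication succeeded")


@dataclass
class ForcedCommandReport:
    """Forced-command values echoed by the server, split around the
    'Authentication succeeded' line of the client transcript."""
    before_auth: List[str] = field(default_factory=list)
    after_auth: List[str] = field(default_factory=list)

    @property
    def distinct(self) -> List[str]:
        return sorted(set(self.before_auth + self.after_auth))

    @property
    def discloses_other_keys(self) -> bool:
        # One authorized_keys entry has at most one command= option, so
        # several distinct commands in one login means options from other
        # entries were echoed back (the 5.4p1/5.5p1 behaviour on the page).
        return len(self.distinct) > 1


def parse_ssh_debug(output: str) -> ForcedCommandReport:
    """Walk an `ssh -v` transcript and collect forced-command debug lines."""
    report = ForcedCommandReport()
    authenticated = False
    for raw in output.splitlines():
        line = raw.strip()
        if AUTH_OK_RE.match(line):
            authenticated = True
            continue
        m = FORCED_RE.match(line)
        if m:
            bucket = report.after_auth if authenticated else report.before_auth
            bucket.append(m.group(1))
    return report


# Constructed sample: the OpenSSH 5.3p1 transcript from the comment above.
OPENSSH_53P1_OUTPUT = """\
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced command: echo 3
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: echo 3
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: Entering interactive session.
"""

# Constructed sample: the OpenSSH 5.4p1/5.5p1 transcript from the comment above.
OPENSSH_54P1_OUTPUT = """\
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: Entering interactive session.
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Sending environment.
"""


def describe(label: str, output: str) -> str:
    r = parse_ssh_debug(output)
    verdict = "DISCLOSES other keys' options" if r.discloses_other_keys else "own key only"
    return (f"{label}: before auth={r.before_auth}, after auth={r.after_auth}, "
            f"distinct={r.distinct} -> {verdict}")


if __name__ == "__main__":
    print(describe("5.3p1", OPENSSH_53P1_OUTPUT))
    print(describe("5.4p1", OPENSSH_54P1_OUTPUT))
```

In practice the transcript comes from `ssh -v user@host` against a server you administer, with a key whose authorized_keys entry has a known command= option; the `before_auth` bucket shows the pre-authentication echo that the 5.4 change moved, and `discloses_other_keys` shows whether that move also exposed the other entries' options.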
Fedora 15 ships with OpenSSH 5.6p1, so is not vulnerable. We do not ship any vulnerable version of OpenSSH. Statement: This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4 and 5. On Red Hat Enterprise Linux 6, configured forced commands are returned in the debugging output for the key that is used when logging in.