From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
Portable OpenSSH versions less than 4.0p1 have known_hosts files that would allow an attacker to find additional targets, because the host information contained within them is listed in cleartext.
http://nms.csail.mit.edu/projects/ssh/

The OpenSSH server included in RHEL 3 and 4 does not currently have support for the Hashed Host patches that would be needed to avoid exposing sensitive information to a successful attacker.

The specific fix that the OpenSSH folks have devised for this is described here:
http://nms.lcs.mit.edu/projects/ssh/README.hashed-hosts

A patch for OpenSSH 3.9p1 is available:
http://nms.csail.mit.edu/projects/ssh/patch-other.php

This could probably be backported to openssh-3.6.1 (used in RHEL 3).

Version-Release number of selected component (if applicable):
openssh-3.6.1p2-33.30.4

How reproducible:
Always

Steps to Reproduce:
1. Pretend you are a malicious coder. Find a vulnerability in SSH. Write a nasty SSH worm that can jump from host to host.
2. Have your worm check everyone's .ssh/known_hosts file for additional targets.
3. Attempt to jump to the hosts listed in the known_hosts files, using both your original exploit, and using any carelessly unencrypted private key files you find on the machine.
4. Profit

Additional info:
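The hashed-hosts scheme referenced above stores each hostname field as `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>` instead of cleartext, so a known_hosts file can still confirm a host the client already knows but no longer yields a target list to whoever reads it. The following Python is an added illustration written for this page, not code from the bug report, the OpenSSH project or the attached patches: it models that format, converts a cleartext file the way `ssh-keygen -H` does, and audits a file for entries that are still in cleartext. The sample known_hosts lines and the key blobs in them are constructed placeholders; the decision to leave wildcard patterns unhashed (a hashed pattern can never match) is this example's own choice.

```python
"""Model of OpenSSH's hashed known_hosts entries (|1|<salt>|<hmac-sha1>).

Added example; not the bug's attached patch. Sample data below is constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"                       # prefix OpenSSH puts on hashed host fields
SALT_LEN = hashlib.sha1().digest_size    # 20 bytes, the same length as the MAC


def hash_host(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return the hashed form of one hostname field.

    A fresh random salt is drawn per entry (a fixed salt would let an attacker
    precompute a dictionary of likely hostnames once for the whole file).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode(),
                        base64.b64encode(mac).decode())


def host_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts hostname field (plain or hashed) names hostname."""
    if not field.startswith(HASH_MAGIC):
        return field == hostname
    try:
        salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        mac = base64.b64decode(mac_b64, validate=True)
    except ValueError:
        return False                     # malformed entry never matches
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)


def hash_known_hosts_line(line: str) -> List[str]:
    """Rewrite one known_hosts line as hashed entries.

    A plain line may list several names ("host,192.0.2.10 ..."); each one
    becomes its own hashed line so the aliases are not grouped together.
    Comments, blank lines, already-hashed lines and wildcard patterns are
    returned unchanged.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return [line]
    marker = ""
    fields = stripped.split(None, 1)
    if fields[0].startswith("@") and len(fields) == 2:   # @cert-authority / @revoked
        marker, stripped = fields[0] + " ", fields[1]
        fields = stripped.split(None, 1)
    if len(fields) != 2:
        return [line]                    # not a key line this model understands
    hosts, rest = fields
    if hosts.startswith(HASH_MAGIC) or any(c in hosts for c in "*?!"):
        return [line]                    # already hashed, or a pattern (unhashable)
    return ["%s%s %s" % (marker, hash_host(h), rest) for h in hosts.split(",")]


def hash_known_hosts(lines: List[str]) -> List[str]:
    """Hash a whole file given as a list of lines."""
    out: List[str] = []
    for line in lines:
        out.extend(hash_known_hosts_line(line))
    return out


def find_plaintext_hosts(lines: List[str]) -> List[str]:
    """Audit helper: every hostname still stored in cleartext, in file order."""
    found: List[str] = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if not fields or fields[0].startswith(HASH_MAGIC):
            continue
        found.extend(fields[0].split(","))
    return found


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = [
    "# constructed sample, not a real known_hosts file",
    "bastion.example.com,192.0.2.10 ssh-rsa AAAAexamplekeyblob",
    "[git.example.com]:2222 ssh-ed25519 AAAAexamplekeyblob",
]

if __name__ == "__main__":
    print("cleartext hosts before:", find_plaintext_hosts(SAMPLE_KNOWN_HOSTS))
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("\n".join(hashed))
    print("cleartext hosts after:", find_plaintext_hosts(hashed))
```

Running the module prints the hashed file and shows the audit list going from three names to none; `host_matches` demonstrates that the client can still recognise `bastion.example.com` from its hashed line while the line itself reveals nothing about the name.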
Created attachment 116539: Patch for openssh-3.9p1
This patch is taken from openssh-4.0p1 and applies to openssh-3.9p1.
Created attachment 116540: Patch for openssh-3.6.1p2
This patch applies to openssh-3.6.1p2.
I'm moving this bug to affect RHEL4, and noting that this feature could be added to RHEL3 and RHEL2.1 if we decide to support it. Considering this a security issue is a far stretch, as you first need an openssh worm in order for it to be a problem. Additionally, a worm could search the users' shell history and log files for a list of hosts which could potentially be vulnerable, making this much less effective than it would appear from the description.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
QE ack for 4.5.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0257.html