Common Vulnerabilities and Exposures assigned an identifier CVE-2012-0814 to the following vulnerability:

Name: CVE-2012-0814
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0814
Assigned: 20120119
Reference: http://openwall.com/lists/oss-security/2012/01/26/15
Reference: http://openwall.com/lists/oss-security/2012/01/27/1
Reference: http://openwall.com/lists/oss-security/2012/01/26/16
Reference: http://openwall.com/lists/oss-security/2012/01/27/4
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
Reference: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c
Reference: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54

The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory.
We have done further investigation and determined the following:

OpenSSH portable, built from source with no modifications:
5.3p1 is NOT vulnerable
5.4p1 is vulnerable
5.5p1 is vulnerable
5.6p1 is NOT vulnerable
Ok so we (myself and vdanen) have done some more research and here are the results (good news and bad news):

OpenSSH portable compiled from source with no changes:
5.3p1 is NOT vulnerable
5.4p1 is vulnerable
5.5p1 is vulnerable
5.6p1 is NOT vulnerable

Upon further examination of the errors we have the following for OpenSSH 5.3p1:

=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced command: echo 3
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: echo 3
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
[snip]
=========

As we can see we get the debug information BEFORE authentication is finished. So this issue was then addressed in 5.4:

 - (dtucker) OpenBSD CVS Sync
   - dtucker.org 2010/03/07 11:57:13
     [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
     Hold authentication debug messages until after successful authentication.
     Fixes an info leak of environment variables specified in authorized_keys,
     reported by Jacob Appelbaum. ok djm@

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.47;r2=1.48

which contains the following line:

- auth_debug_reset();

So now more information is sent in the debug message (post-authentication) which created this problem:

=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions
debug1: Entering interactive session.
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
LANG=en_US.UTF-8
[stuff]
=========

Then in version 5.6p1 the certificate handling code was reworked and something fixed this problem, we haven't tracked it down exactly (it may be related to cert_forced_command, auth_cert_options and parse_option_list).
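An added audit helper, not from the bug report or from OpenSSH, that classifies the server-supplied "Remote:" debug lines in an `ssh -v` transcript by whether they arrived before or after authentication and flags a single-key login that disclosed more than one distinct forced command; the two transcripts are constructed from the output quoted above, and the function names are my own:

```python
import re

# Constructed from the 5.3p1 transcript quoted above: options for the offered
# key are echoed before "Authentication succeeded".
TRANSCRIPT_53 = """\
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced command: echo 3
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Remote: Forced command: echo 3
debug1: Authentication succeeded (publickey).
debug1: Entering interactive session.
"""

# Constructed from the 5.4p1/5.5p1 transcript quoted above: the held debug
# messages for every key in authorized_keys are relayed after authentication.
TRANSCRIPT_54 = """\
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
debug1: Entering interactive session.
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Sending environment.
"""

REMOTE_RE = re.compile(r"^debug\d: Remote: (.*)$")   # server-originated debug text
AUTH_OK = "debug1: Authentication succeeded"          # marks the pre/post boundary


def remote_messages(transcript):
    """Split 'Remote:' debug text into (pre-auth, post-auth) lists, in order."""
    pre, post, authed = [], [], False
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith(AUTH_OK):
            authed = True
            continue
        m = REMOTE_RE.match(line)
        if m:
            (post if authed else pre).append(m.group(1))
    return pre, post


def audit(transcript):
    """Summarise disclosures; >1 distinct forced command means other keys' options leaked."""
    pre, post = remote_messages(transcript)
    cmds = sorted({m.split(":", 1)[1].strip() for m in pre + post if m.startswith("Forced command:")})
    return {"pre_auth": pre, "post_auth": post, "forced_commands": cmds, "leaks_other_keys": len(cmds) > 1}
```

Run it against the stderr of `ssh -v user@host true` captured from a test account whose authorized_keys holds several keys with distinct command= options; a 5.6p1 or later server should yield at most the used key's own command.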
Fedora 15 ships with OpenSSH 5.6p1, so is not vulnerable. We do not ship any vulnerable version of OpenSSH.

Statement: This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4 and 5. On Red Hat Enterprise Linux 6, configured forced commands are returned in the debugging output for the key that is used when logging in.