Bug 785292 (CVE-2012-0814) - CVE-2012-0814 openssh: forced command option information disclosure
Summary: CVE-2012-0814 openssh: forced command option information disclosure
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2012-0814
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 785299
Reported: 2012-01-27 21:36 UTC by Vincent Danen
Modified: 2021-02-24 13:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-27 23:25:37 UTC
Embargoed:



Description Vincent Danen 2012-01-27 21:36:06 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-0814 to
the following vulnerability:

Name: CVE-2012-0814
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0814
Assigned: 20120119
Reference: http://openwall.com/lists/oss-security/2012/01/26/15
Reference: http://openwall.com/lists/oss-security/2012/01/27/1
Reference: http://openwall.com/lists/oss-security/2012/01/26/16
Reference: http://openwall.com/lists/oss-security/2012/01/27/4
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
Reference: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c
Reference: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54

The auth_parse_options function in auth-options.c in sshd in OpenSSH
before 5.7 provides debug messages containing authorized_keys command
options, which allows remote authenticated users to obtain potentially
sensitive information by reading these messages, as demonstrated by
the shared user account required by Gitolite.  NOTE: this can cross
privilege boundaries because a user account may intentionally have no
shell or filesystem access, and therefore may have no supported way to
read an authorized_keys file in its own home directory.

Comment 1 Kurt Seifried 2012-01-27 22:52:43 UTC
We have done further investigation and determined the following:

OpenSSH portable, built from source with no modifications:

5.3p1 is NOT vulnerable
5.4p1 is vulnerable
5.5p1 is vulnerable
5.6p1 is NOT vulnerable

Comment 2 Kurt Seifried 2012-01-27 23:22:02 UTC
OK, so we (myself and vdanen) have done some more research and
here are the results (good news and bad news):

OpenSSH portable compiled from source with no changes:

5.3p1 is NOT vulnerable
5.4p1 is vulnerable
5.5p1 is vulnerable
5.6p1 is NOT vulnerable

Upon further examination of the errors we have the following for OpenSSH 5.3p1:
=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced command: echo 3
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: echo 3
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
[snip]
=========

As we can see we get the debug information BEFORE authentication is finished.

So this issue was then addressed in 5.4:

 - (dtucker) OpenBSD CVS Sync
   - dtucker.org 2010/03/07 11:57:13
     [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
     Hold authentication debug messages until after successful authentication.
     Fixes an info leak of environment variables specified in authorized_keys,
     reported by Jacob Appelbaum.  ok djm@

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.47;r2=1.48

which contains the following line:

-	auth_debug_reset();

So now more information is sent in the debug messages (post-authentication), which created this problem:

=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions
debug1: Entering interactive session.
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Remote: Forced command: echo 1
debug1: Remote: Forced command: echo 2
debug1: Remote: Forced command: echo 3
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Environment:
  LANG=en_US.UTF-8
[stuff]
=========

Then in version 5.6p1 the certificate handling code was reworked and
something fixed this problem; we haven't tracked it down exactly (it
may be related to cert_forced_command, auth_cert_options and
parse_option_list).
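The practical defender question raised by the debug output quoted above is: which values in a shared account's authorized_keys would an affected sshd (5.4p1/5.5p1 in this report) hand back to the authenticating client as "Remote:" debug messages? The following Python audit script is an added example for this page, not code from OpenSSH or from the bug reporters. It parses authorized_keys option lists using the same grammar sshd's auth_parse_options reads (comma-separated options, double-quoted values, backslash-escaped quotes inside a value) and reports every command= and environment= value, the two option types the report and the quoted 5.4 changelog identify as leaking. The sample file content is constructed and contains no real keys; the key-type heuristic (a leading token starting with ssh-, ecdsa- or sk- means no options) is a simplification of sshd's behaviour, which instead tries to parse a key first and falls back to treating the leading field as options.

```python
"""Audit an authorized_keys file for option values that an affected sshd
would echo to the authenticating client in 'debug1: Remote: ...' messages.
Added example for this bug page, not OpenSSH code. Sample data is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Option names whose values the report shows (command=) or the quoted 5.4
# changelog describes (environment=) as disclosed in authentication debug output.
DISCLOSED_OPTIONS = ("command", "environment")


@dataclass
class KeyEntry:
    lineno: int
    options: List[Tuple[str, Optional[str]]]  # (name, value-or-None) in file order
    keytype: str
    comment: str


def parse_options(text: str) -> Tuple[List[Tuple[str, Optional[str]]], int]:
    """Parse an sshd-style option list at the start of `text`.

    Grammar: option[,option...] followed by whitespace; an option is a bare
    name or name="value", where \\" inside the value stands for a literal quote.
    Returns (options, index of the first character after the option list)."""
    opts: List[Tuple[str, Optional[str]]] = []
    i, n = 0, len(text)
    while i < n:
        j = i
        while j < n and (text[j].isalnum() or text[j] in "-_"):
            j += 1
        name = text[i:j]
        if not name:
            raise ValueError(f"malformed option at column {i}")
        value = None
        if j < n and text[j] == "=":
            j += 1
            if j >= n or text[j] != '"':
                raise ValueError(f"option {name} is missing a quoted value")
            j += 1
            buf = []
            while j < n and text[j] != '"':
                if text[j] == "\\" and j + 1 < n and text[j + 1] == '"':
                    buf.append('"')  # escaped quote inside the value
                    j += 2
                else:
                    buf.append(text[j])
                    j += 1
            if j >= n:
                raise ValueError(f"unterminated quoted value for option {name}")
            j += 1  # consume the closing quote
            value = "".join(buf)
        opts.append((name, value))
        if j < n and text[j] == ",":
            i = j + 1
            continue
        if j < n and text[j].isspace():
            return opts, j
        raise ValueError(f"unexpected character at column {j}")
    raise ValueError("option list is not followed by a key")


def _looks_like_keytype(token: str) -> bool:
    # Simplification (assumption): sshd actually attempts to parse a key first.
    return token.startswith(("ssh-", "ecdsa-", "sk-"))


def parse_authorized_keys(content: str) -> List[KeyEntry]:
    """Parse authorized_keys text into entries, skipping blanks and comments."""
    entries: List[KeyEntry] = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options: List[Tuple[str, Optional[str]]] = []
        rest = line
        if not _looks_like_keytype(line.split(None, 1)[0]):
            options, end = parse_options(line)
            rest = line[end:].strip()
        fields = rest.split(None, 2)
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: missing key type or key blob")
        comment = fields[2] if len(fields) > 2 else ""
        entries.append(KeyEntry(lineno, options, fields[0], comment))
    return entries


def disclosed_values(entries: List[KeyEntry]) -> List[Tuple[int, str, str]]:
    """Return (lineno, option, value) for every option an affected sshd would echo."""
    return [(e.lineno, name, value) for e in entries
            for name, value in e.options
            if name in DISCLOSED_OPTIONS and value is not None]


# Constructed sample: placeholder key blobs, not real keys or real deployments.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample for the audit script
command="echo 1",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 user1@example
command="/usr/local/bin/gitolite-shell alice",no-agent-forwarding,environment="DEPLOY_TOKEN=example-not-real" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1 alice
no-X11-forwarding,from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2 ops
ssh-dss AAAAB3NzaC1kc3MAAACBAP plain@example
command="echo \\"quoted\\" 3" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3 user3
"""

if __name__ == "__main__":
    for lineno, name, value in disclosed_values(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)):
        print(f"line {lineno}: {name}= would be visible to the authenticating client: {value!r}")
```

On a shared account of the Gitolite kind described in the CVE text, every command= value in the file belongs to a different user, so a report listing more than the caller's own entry is exactly the cross-user exposure the report describes; the from= option on line 4 of the sample is parsed but not reported, because nothing on this page says it is echoed.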

Comment 3 Vincent Danen 2012-01-27 23:25:37 UTC
Fedora 15 ships with OpenSSH 5.6p1, so is not vulnerable.  We do not ship any vulnerable version of OpenSSH.

Statement:

This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4 and 5.

On Red Hat Enterprise Linux 6, configured forced commands are returned in the debugging output for the key that is used when logging in.

