Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ciacm026.txt

OpenSSH UseLogin Privilege Elevation Vulnerability




Privacy and Legal Notice

[CIAC] INFORMATION BULLETIN

M-026: OpenSSH UseLogin Privilege Elevation Vulnerability

December 8, 2001 03:00 GMT
  ------------------------------------------------------------------------
 PROBLEM:           Hostile but otherwise legitimate users can use this
                    vulnerability to execute commands or run arbitrary
                    code with the privileges of OpenSSH, usually root.
 PLATFORM:          All operating systems that run versions of OpenSSH
                    earlier than 3.0.2. These include, but are not limited
                    to: OpenBSD, FreeBSD, IBM Linux, Debian Linux, Red Hat
                    Linux.
 DAMAGE:            When the "UseLogin" option is enabled in OpenSSH, a
                    malicious user who authenticates using key-based
                    authentication methods can influence the environment
                    variables passed to the login process. This could
                    allow the user to execute arbitrary code with
                    superuser privileges.
 SOLUTION:          Upgrade to OpenSSH 3.0.2. Refer to your operating
                    system vendor's support web page for instructions and
                    patches.
  ------------------------------------------------------------------------
 VULNERABILITY      The risk is Medium. An authorized user account and key
 ASSESSMENT:        are required on the vulnerable system in order to
                    exploit this vulnerability.
  ------------------------------------------------------------------------

 LINKS:
   CIAC BULLETIN:  http://www.ciac.org/ciac/bulletins/m-026.shtml
   ORIGINAL        http://www.openbsd.org/security.html#30
 BULLETIN:         http://www.freebsd.org/security/index.html#adv
                   See: Security Advisory FreeBSD-SA-01:63.openssh.asc
                   http://www.debian.org/security/2001/dsa-091
                   http://www.redhat.com/support/errata/RHSA-2001-161.html
                   http://www.kb.cert.org/vuls/id/157447
  ------------------------------------------------------------------------

OpenSSH contains a vulnerability that permits an intruder to execute arbitrary
code. When the "UseLogin" option is enabled in OpenSSH, a malicious user who
authenticates using key-based authentication methods can modify the
environment variables passed to the login process.  This could allow the user to
execute arbitrary code with "root" privileges. In operating systems that use
OpenSSH, the OpenSSH server has the "UseLogin" option disabled by default.
Therefore, it is not vulnerable unless the system administrator has changed this
setting. It is not necessary or advisable to use the "UseLogin" option when
running OpenSSH. If the "UseLogin" option must be run, then OpenSSH must be
upgraded to version 3.0.2 or later to eliminate the vulnerability.

CIAC has included the vendor information we know about in this bulletin.
While CIAC will add new vendor information as we receive it, you should
always check your vendor's web site to insure you have the latest information.

FreeBSD Refer to web site:
http://www.freebsd.org/security/index.html#adv
Security Advisory FreeBSD-SA-01:63.openssh.asc

Debian  Refer to web site:
http://www.debian.org/security/2001/dsa-091

Red Hat Refer to web site:
http://www.redhat.com/support/errata/RHSA-2001-161.html

In addition to the above vendor web sites, it is recommended that the CERT
Vulnerability Note VU#157447 be reviewed. This can be accessed at:
http://www.kb.cert.org/vuls/id/157447

  ------------------------------------------------------------------------
CIAC wishes to acknowledge the contributions of OpenBSD, Red Hat, FreeBSD,
Debian, and CERT for the information contained in this bulletin.
  ------------------------------------------------------------------------
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can
be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

  ------------------------------------------------------------------------
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
  ------------------------------------------------------------------------
UCRL-MI-119788
[Privacy and Legal Notice]


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH