From owner-freebsd-security Wed Jun 7 16:18: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758)
	id 303D037B8C2; Wed, 7 Jun 2000 16:17:56 -0700 (PDT)
From: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:21.ssh
Reply-To: security-advisories@freebsd.org
From: FreeBSD Security Advisories
Message-Id: <20000607231756.303D037B8C2@hub.freebsd.org>
Date: Wed, 7 Jun 2000 16:17:56 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:21                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ssh port listens on extra network port

Category:       ports
Module:         ssh
Announced:      2000-06-07
Credits:        Jan Koum
Affects:        Ports collection.
Corrected:      2000-04-21
FreeBSD only:   Yes

I.   Background

SSH is an implementation of the Secure Shell protocol for providing
encrypted and authenticated communication between networked machines.

II.  Problem Description

A patch added to the FreeBSD SSH port on 2000-01-14 incorrectly configured
the SSH daemon to listen on an additional network port, 722, in addition to
the usual port 22. This change was made as part of a patch to allow the SSH
server to listen on multiple ports, but the option was incorrectly enabled
by default.

This may cause a violation of security policy if the additional port is not
subjected to the same access controls (e.g. firewalling) as the standard SSH
port.

Note that this is not a vulnerability in the SSH software itself, and it is
not likely to be a risk for the majority of installations, since a remote
user must still have valid SSH credentials in order to access the SSH server
on the alternate port. The risk is that users may be able to access the SSH
server from IP addresses that are prohibited from connecting to the standard
port.
The ssh port is not installed by default, nor is it "part of FreeBSD" as
such: it is part of the FreeBSD ports collection, which contains nearly 3300
third-party applications in a ready-to-install format. The ports collection
shipped with FreeBSD 4.0 contains this problem, since it was discovered after
the release. FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit of
the most security-critical ports.

FreeBSD 4.0 ships with OpenSSH, a free implementation of the SSH protocol,
included within the base system. OpenSSH does not suffer from this
misconfiguration.

III. Impact

Remote users with valid SSH credentials may access the ssh server on a
non-standard port, potentially bypassing IP address access controls on the
standard SSH port.

If you have not chosen to install the ssh port/package, or installed it prior
to 2000-01-14 or after 2000-04-21, then your system is not vulnerable to this
problem.

IV.  Workaround

One of the following:

1) Comment out the line "Port 722" in the server configuration file,
   /usr/local/etc/sshd_config (the daemon's file, not the client's
   ssh_config), and restart sshd.

2) Add filtering rules to your perimeter firewall, or on the local machine
   (using ipfw or ipf), to limit connections to port 722.

3) Deinstall the ssh port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the ssh port.

2) Download a new port skeleton for the ssh port from:

   http://www.freebsd.org/ports/

   and use it to rebuild the port.

   Note that packages are not provided for the ssh port.

3) Use the portcheckout utility to automate option (2) above.
   The portcheckout port is available in /usr/ports/devel/portcheckout or
   the package can be obtained from:

   ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOT7XFlUuHi5z0oilAQGr3wP7BQ30DoHXJiazMr41C77p+hSJIOnVAIKG
wGhJVf1mjVh3ZNaxurZYJX9NvJASsKsG1GG8yFu3Y8fOVQ96UJ50eaeGc+5kS6S7
1PjN3P3almsEynBZSwX9VyUPWMvevFPgUfZIOLVnF6V/qiJKqROq04OQ5M2wqpj3
ab8z1IzJbGE=
=bpMe
-----END PGP SIGNATURE-----
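The check and the first two workarounds in section IV, as an added example that is not part of the advisory or of the ssh port: a POSIX shell script that audits an sshd_config for Port directives beyond the expected port 22, comments out the extra port (workaround 1), and emits the ipfw and ipf rule text for the extra port (workaround 2). The sample configuration is constructed here to stand in for /usr/local/etc/sshd_config, and the ipfw rule number is an assumption.

```shell
#!/bin/sh
# Audit an sshd_config for listen ports other than 22 and show both
# workarounds from FreeBSD-SA-00:21. Added example, not advisory text.

# Constructed sample standing in for /usr/local/etc/sshd_config on a
# system with the affected port installed (note the extra "Port 722").
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
Port 722
ListenAddress 0.0.0.0
PermitRootLogin no
#Port 2222
'

# extra_ports CONFIG_TEXT : print every active Port directive other than 22,
# one per line. Commented-out lines are ignored; keyword match is
# case-insensitive, as sshd treats it.
extra_ports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        tolower($1) == "port" && $2 != "22" { print $2 }
    '
}

# ports_ok CONFIG_TEXT : succeed only when no extra listen port is configured
ports_ok() {
    [ -z "$(extra_ports "$1")" ]
}

# disable_port CONFIG_TEXT PORT : workaround 1, comment out "Port PORT"
# (the result still has to be written back and sshd restarted)
disable_port() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^[ \t]*#/ { print; next }
        tolower($1) == "port" && $2 == p { print "#" $0; next }
        { print }
    '
}

# ipfw_rule PORT : workaround 2 for ipfw, emitted as text so it can be
# reviewed before being run as root. Rule number 1000 is an assumption.
ipfw_rule() {
    printf 'ipfw add 1000 deny tcp from any to me %s in\n' "$1"
}

# ipf_rule PORT : the same block as an ipf.rules line
ipf_rule() {
    printf 'block in quick proto tcp from any to any port = %s\n' "$1"
}

# Run the audit against the constructed sample and show the remediation.
if ! ports_ok "$SAMPLE_CONFIG"; then
    echo "extra sshd listen port(s): $(extra_ports "$SAMPLE_CONFIG" | tr '\n' ' ')"
    echo "--- workaround 1: config with port 722 commented out"
    disable_port "$SAMPLE_CONFIG" 722
    echo "--- workaround 2: filter rules until the port is rebuilt"
    ipfw_rule 722
    ipf_rule 722
fi
```

Whatever the configuration file says, confirm what the daemon actually binds after the restart with `netstat -an -f inet | grep LISTEN`; a second sshd started from an old configuration, or a patched binary with a compiled-in default, would not show up in a file audit.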