From owner-freebsd-security Wed Dec 5 11:41:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from leviathan.inethouston.net (leviathan.inethouston.net [66.64.12.249]) by hub.freebsd.org (Postfix) with ESMTP id D144937B419; Wed, 5 Dec 2001 11:40:55 -0800 (PST) Received: by leviathan.inethouston.net (Postfix, from userid 1001) id DAE88407621; Wed, 5 Dec 2001 13:40:53 -0600 (CST) Date: Wed, 5 Dec 2001 13:40:53 -0600 From: "David W. Chapman Jr." To: FreeBSD Security Advisories Cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:63.openssh Message-ID: <20011205194053.GB78905@leviathan.inethouston.net> Reply-To: "David W. Chapman Jr." Mail-Followup-To: FreeBSD Security Advisories , security@freebsd.org References: <200112041726.fB4HQbA05231@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200112041726.fB4HQbA05231@freefall.freebsd.org> User-Agent: Mutt/1.3.24i X-Operating-System: FreeBSD 4.4-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Does this also apply to the openssh-portable port? On Tue, Dec 04, 2001 at 09:26:37AM -0800, FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================= > FreeBSD-SA-01:63 Security Advisory > FreeBSD, Inc. > > Topic: OpenSSH UseLogin directive permits privilege escalation > > Category: core/ports > Module: openssh > Announced: 2001-12-02 > Credits: Markus Friedl > Affects: FreeBSD 4.3-RELEASE, 4.4-RELEASE > FreeBSD 4.4-STABLE prior to the correction date > Ports collection prior to the correction date > Corrected: 2001-12-03 00:53:28 UTC (RELENG_4) > 2001-12-03 00:54:18 UTC (RELENG_4_4) > 2001-12-03 00:54:54 UTC (RELENG_4_3) > 2001-12-02 06:52:40 UTC (openssh port) > FreeBSD only: NO > > I. Background > > OpenSSH is an implementation of the SSH1 and SSH2 secure shell > protocols for providing encrypted and authenticated network access, > which is available free for unrestricted use. Versions of OpenSSH are > included in the FreeBSD ports collection and the FreeBSD base system. > > II. Problem Description > > OpenSSH includes a feature by which a user can arrange for > environmental variables to be set depending upon the key used for > authentication. These environmental variables are specified in the > `authorized_keys' (SSHv1) or `authorized_keys2' (SSHv2) files in the > user's home directory on the server. This is normally safe, as this > environment is passed only to the user's shell, which is invoked with > user privileges. > > However, when the OpenSSH server `sshd' is configured to use > the system's login program (via the directive `UseLogin yes' in > sshd_config), this environment is passed to login, which is invoked > with superuser privileges. Because certain environmental variables > such as LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously > described feature, the user may arrange for login to execute arbitrary > code with superuser privileges. > > All versions of FreeBSD 4.x prior to the correction date including > FreeBSD 4.3 and 4.4 are potentially vulnerable to this problem. > However, the OpenSSH server is configured to not use the system login > program (`UseLogin no') by default, and is therefore not vulnerable > unless the system administrator has changed this setting. > > In addition, there are two versions of OpenSSH included in the > ports collection. One is ports/security/openssh, which is the > BSD-specific version of OpenSSH. Versions of this port prior to > openssh-3.0.2 exhibit the problem described above. The other is > ports/security/openssh-portable, which is not vulnerable, even if the > server is set to `UseLogin yes'. > > III. Impact > > Hostile but otherwise legitimate users that can successfully > authenticate using public key authentication may cause /usr/bin/login > to run arbitrary code as the superuser. > > If you have not enabled the 'UseLogin' directive in the sshd > configuration file, you are not vulnerable to this problem. > > IV. Workaround > > Doing one of the following will eliminate the vulnerability: > > 1) Configure sshd to not use the system login program. Edit the > server configuration file and change any `UseLogin' directives > to `UseLogin no'. This is the preferred workaround. > > 2) If for whatever reason, disabling `UseLogin' is not possible, > then one can instead disable public key authentication. Edit the > server configuration file and change any `RSAAuthentication', > `DSAAuthentication', or `PubKeyAuthentication' directives > to `RSAAuthentication no', `DSAAuthentication no', and > `PubKeyAuthentication no', respectively. > > For sshd included in the base system (/usr/bin/sshd), the > server configuration file is `/etc/ssh/sshd_config'. For sshd > from the ports collection, the server configuration file is > `/usr/local/etc/sshd_config'. > > After modifying the sshd configuration file, the sshd daemon must be > restarted by executing the following command as root: > > # kill -HUP `cat /var/run/sshd.pid` > > V. Solution > > 1) Upgrade the vulnerable system to 4.3-RELEASEp21, 4.4-RELEASEp1, or > 4.4-STABLE after the correction date, or patch your current system > source code and rebuild. > > 2) FreeBSD 4.x systems prior to the correction date: > > The following patch has been verified to apply to FreeBSD > 4.3-RELEASE, 4.4-RELEASE, and 4.4-STABLE dated prior to the > correction date. It may or may not apply to older, unsupported > versions of FreeBSD. > > Download the patch and the detached PGP signature from the following > locations, and verify the signature using your PGP utility. > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:63/sshd.patch.asc > > Execute the following commands as root: > > # cd /usr/src/crypto/openssh > # patch < /path/to/sshd.patch > # cd /usr/src/secure/usr.sbin/sshd > # make depend && make all install > > 3) FreeBSD 4.4-RELEASE systems: > > An experimental upgrade package is available for users who wish to > provide testing and feedback on the binary upgrade process. This > package may be installed on FreeBSD 4.4-RELEASE systems only, and is > intended for use on systems for which source patching is not practical > or convenient. > > If you use the upgrade package, feedback (positive or negative) to > security-officer@FreeBSD.org is requested so we can improve the > process for future advisories. > > During the installation procedure, backup copies are made of the files > which are replaced by the package. These backup copies will be > reinstalled if the package is removed, reverting the system to a > pre-patched state. In addition, the package automatically restarts > the sshd daemon if it is running. > > Three versions of the upgrade package are available, depending on > whether or not the system has the kerberosIV or kerberos5 > distributions installed. > > 3a) For systems without kerberosIV or kerberos5 installed: > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-01.63.tgz.asc > > Verify the detached PGP signature using your PGP utility. > > # pkg_add security-patch-sshd-01.63.tgz > > 3b) For systems with kerberosIV only installed: > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-01.63.tgz.asc > > Verify the detached PGP signature using your PGP utility. > > # pkg_add security-patch-sshd-kerberosIV-01.63.tgz > > 3c) For systems with kerberos5 only installed: > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberos5-01.63.tgz.asc > > Verify the detached PGP signature using your PGP utility. > > # pkg_add security-patch-sshd-kerberos5-01.63.tgz > > 3d) For systems with both kerberosIV and kerberos5 installed: > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:63/security-patch-sshd-kerberosIV-kerberos5-01.63.tgz.asc > > Verify the detached PGP signature using your PGP utility. > > # pkg_add security-patch-sshd-kerberosIV-kerberos5-01.63.tgz > > [Ports collection] > > One of the following: > > 1) Upgrade your entire ports collection and rebuild the OpenSSH port. > > 2) Deinstall the old package and install a new package dated after the > correction date, obtained from: > > [i386] > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-3.0.2.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-3.0.2.tgz > > [alpha] > Packages are not automatically generated for the alpha architecture at > this time due to lack of build resources. > > NOTE: It may be several days before updated packages are available. Be > sure to check the file creation date on the package, because the > version number of the software has not changed. > > 3) Download a new port skeleton for the openssh port from: > > http://www.freebsd.org/ports/ > > and use it to rebuild the port. > > 4) Use the portcheckout utility to automate option (3) above. The > portcheckout port is available in /usr/ports/devel/portcheckout or the > package can be obtained from: > > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz > > VI. Correction details > > Path Revision > Branch > - ------------------------------------------------------------------------- > src/crypto/openssh/session.c > HEAD 1.18 > RELENG_4 1.4.2.11 > RELENG_4_4 1.4.2.8.4.1 > RELENG_4_3 1.4.2.8.2.1 > src/crypto/openssh/version.h > HEAD 1.9 > RELENG_4 1.1.1.1.2.7 > RELENG_4_4 1.1.1.1.2.5.2.1 > RELENG_4_3 1.1.1.1.2.4.2.1 > ports/security/openssh/Makefile 1.79 > - ------------------------------------------------------------------------- > > For OpenSSH included in the base system, there is a version string > indicating which FreeBSD localizations are available. The following > table lists the version strings for each branch which include this > security fix: > > Branch Version string > - ------------------------------------------------------------------------- > HEAD OpenSSH_2.9 FreeBSD localisations 20011202 > RELENG_4 OpenSSH_2.9 FreeBSD localisations 20011202 > RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20011202 > RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20011202 > - ------------------------------------------------------------------------- > > To view the version string of the OpenSSH server, execute the following > command: > > % /usr/sbin/sshd -\? > > The version string is also displayed when a client connects to the > server. > > VII. References > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (FreeBSD) > Comment: For info see http://www.gnupg.org > > iQCVAwUBPAz4rlUuHi5z0oilAQGNBwQAl68aZL6hfJaeAFlNlKwrARJ2XgwjkII2 > q6Nir5KFgeYkPilDdElua81MU5FxUgSyYYBLADRrtyht6otqmK8u5GZJMrKPXadi > ys3nnqH/LYYREe2RVYmzXOSgjn2q0rqm9zNgYoddQjbTnpRxRq//SuOMVTRoYlJC > 5QznzsMiK1U= > =XSLb > -----END PGP SIGNATURE----- > > This is the moderated mailing list freebsd-announce. > The list contains announcements of new FreeBSD capabilities, > important events and project milestones. > See also the FreeBSD Web pages at http://www.freebsd.org > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-announce" in the body of the message -- David W. Chapman Jr. dwcjr@inethouston.net Raintree Network Services, Inc. dwcjr@freebsd.org FreeBSD Committer To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message