[ SOURCE: http://www.secureroot.com/security/advisories/9796622398.html ] -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:01 Security Advisory FreeBSD, Inc. Topic: Hostile server OpenSSH agent/X11 forwarding Category: core/ports Module: openssh Announced: 2001-01-15 Credits: Markus Friedl Affects: FreeBSD 4.1.1-STABLE prior to the correction date Ports collection prior to the correction date Corrected: 2000-11-14 Vendor status: Updated version released FreeBSD only: NO I. Background OpenSSH is an implementation of the SSH1 and SSH2 secure shell protocols for providing encrypted and authenticated network access, which is available free for unrestricted use. Versions of OpenSSH are included in the FreeBSD ports collection and the FreeBSD base system. II. Problem Description To quote the OpenSSH Advisory: If agent or X11 forwarding is disabled in the ssh client configuration, the client does not request these features during session setup. This is the correct behaviour. However, when the ssh client receives an actual request asking for access to the ssh-agent, the client fails to check whether this feature has been negotiated during session setup. The client does not check whether the request is in compliance with the client configuration and grants access to the ssh-agent. A similar problem exists in the X11 forwarding implementation. All versions of FreeBSD 4.x prior to the correction date including FreeBSD 4.1 and 4.1.1 are vulnerable to this problem, but it was corrected prior to the release of FreeBSD 4.2. For users of FreeBSD 3.x, OpenSSH is not installed by default, but is part of the FreeBSD ports collection. The base system and ports collections shipped with FreeBSD 4.2 do not contain this problem since it was discovered before the release. III. Impact Hostile SSH servers can access your X11 display or your ssh-agent when connected to, which may allow access to confidential data or other network accounts, through snooping of password or keying material through the X11 session, or reuse of the SSH credentials obtained through the SSH agent. IV. Workaround Clear both the $DISPLAY and $SSH_AUTH_SOCK variables before connecting to untrusted hosts. For example, in Bourne shell syntax: % unset SSH_AUTH_SOCK; unset DISPLAY; ssh host V. Solution Upgrade the vulnerable system to 4.1.1-STABLE or 4.2-STABLE after the correction date, or patch your current system source code and rebuild. To patch your present system: download the patch from the below location and execute the following commands as root: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:01/openssh.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:01/openssh.patch.asc Verify the detached PGP signature using your PGP utility. # cd /usr/src/crypto/openssh # patch < /path/to/openssh.patch # cd /usr/src/secure/lib/libssh # make depend && make all # cd /usr/src/secure/usr.bin/ssh # make depend && make all install [Ports collection] One of the following: 1) Upgrade your entire ports collection and rebuild the OpenSSH port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/security/openssh-2.2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/security/openssh-2.2.0.tgz NOTE: Due to an oversight the package version was not updated after the security fix was applied, so be sure to install a package created after the correction date. 3) download a new port skeleton for the OpenSSH port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOmN6RFUuHi5z0oilAQGAUAQAllC+FmvfYpmP6gQqO+xB6UIZsK0GQsAM WRCOiULMLBD4kHJkYVJUQmSyK5jPxEVkwILX3jE9qZhB65alW20L965mQS/DjM5p bj0itnwTy1DL6dul15vWBfCJKxL/A0SrgVv+hnDwHx3YU4x0re/1bNU3gVa8bT1K Nnu2/m1wmpU= =MAzv -----END PGP SIGNATURE-----