Bug 229193 - CVE-2005-2666 openssh vulnerable to known_hosts address harvesting
Summary: CVE-2005-2666 openssh vulnerable to known_hosts address harvesting
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL: http://nms.csail.mit.edu/projects/ssh/
Whiteboard: impact=low,reported=20050707,source=b...
Depends On:
Blocks:
 
Reported: 2007-02-19 13:58 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-03-23 14:23:55 UTC
Target Upstream Version:



Description Mark J. Cox 2007-02-19 13:58:26 UTC
clone for rhel3/2.1

+++ This bug was initially created as a clone of Bug #162681 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
Portable OpenSSH versions less than 4.0p1 have known_hosts files that would
allow an attacker to find additional targets, because the host information
contained within them is listed in cleartext.

http://nms.csail.mit.edu/projects/ssh/

The OpenSSH server included in RHEL 3 and 4 does not currently have support for
the Hashed Host patches that would be needed to avoid exposing sensitive
information to a successful attacker.

The specific fix that the OpenSSH folks have devised for this is described here:

http://nms.lcs.mit.edu/projects/ssh/README.hashed-hosts

A patch for OpenSSH 3.9p1 is available:

http://nms.csail.mit.edu/projects/ssh/patch-other.php

This could probably be backported to openssh-3.6.1 (used in RHEL 3).


Version-Release number of selected component (if applicable):
openssh-3.6.1p2-33.30.4

How reproducible:
Always

Steps to Reproduce:
1. Pretend you are a malicious coder. Find a vulnerability in SSH. Write a nasty
SSH worm that can jump from host to host.
2. Have your worm check everyone's .ssh/known_hosts file for additional targets.
3. Attempt to jump to the hosts listed in the known_hosts files, using both your
original exploit, and using any carelessly unencrypted private key files you
find on the machine.
4. Profit


Additional info:

-- Additional comment from tmraz@redhat.com on 2005-07-08 16:55 EST --
Created an attachment (id=116539)
Patch for openssh-3.9p1

This patch is taken from openssh-4.0p1 and applies to openssh-3.9p1.


-- Additional comment from tmraz@redhat.com on 2005-07-08 16:58 EST --
Created an attachment (id=116540)
Patch for openssh-3.6.1p2

This patch applies to openssh-3.6.1p2.


-- Additional comment from bressers@redhat.com on 2005-09-01 14:07 EST --
I'm moving this bug to affect RHEL4, and noting that this feature could be added
to RHEL3 and RHEL2.1 if we decide to support it.

Considering this a security issue is a far stretch as you first need an openssh
worm in order for it to be a problem.  Additionally a worm could search the
users' shell history and log files for a list of hosts which could potentially be
vulnerable, making this much less effective than it would appear from the
description.
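The mitigation discussed in this bug, hashed known_hosts entries as introduced in OpenSSH 4.0 (HashKnownHosts / ssh-keygen -H), is shown below as an added example; it is not code from the bug report or from the OpenSSH patches attached to the original bug. It implements the documented `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>` field format, rewrites a cleartext file the way `ssh-keygen -H` does (one hashed line per host), and audits a file for remaining cleartext entries. The sample known_hosts content and its key material are constructed placeholders; the `salt` parameter exists only to make tests deterministic and should be left unset in real use.

```python
"""Hashed known_hosts entries (the OpenSSH 4.0 HashKnownHosts mitigation).

Field format:  |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>
The client can still recognise a known host by recomputing the HMAC with
the stored salt, but the file no longer reads as a cleartext host list.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

HASH_MAGIC = "|1|"  # "1" selects HMAC-SHA1 in OpenSSH's scheme


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build the hashed host field; a fresh random 20-byte salt unless one is given."""
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "{}{}|{}".format(HASH_MAGIC,
                            base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


def is_hashed(field: str) -> bool:
    return field.startswith(HASH_MAGIC)


def hashed_field_matches(field: str, hostname: str) -> bool:
    """Client-side lookup: does this hashed field correspond to `hostname`?"""
    if not is_hashed(field):
        return False
    try:
        salt_b64, digest_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def split_entry(line: str):
    """Return (marker, host_field, rest) for a known_hosts line, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    marker = ""
    if stripped.startswith("@"):  # e.g. @cert-authority or @revoked
        marker, stripped = stripped.split(None, 1)
    parts = stripped.split(None, 1)
    if len(parts) != 2:
        return None
    host_field, rest = parts
    return marker, host_field, rest


def hash_known_hosts(text: str, salt: Optional[bytes] = None) -> str:
    """Rewrite cleartext entries as hashed ones, one line per host, like `ssh-keygen -H`."""
    out = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None:
            out.append(line)
            continue
        marker, host_field, rest = entry
        if is_hashed(host_field):
            out.append(line)
            continue
        prefix = marker + " " if marker else ""
        for host in host_field.split(","):  # "host,ip" becomes two hashed lines
            out.append(prefix + hash_hostname(host, salt) + " " + rest)
    return "\n".join(out) + "\n"


def audit_known_hosts(text: str) -> dict:
    """Count cleartext vs hashed entries; any cleartext entry means the file still leaks hosts."""
    counts = {"cleartext": 0, "hashed": 0}
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None:
            continue
        _, host_field, _ = entry
        counts["hashed" if is_hashed(host_field) else "cleartext"] += 1
    return counts


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = (
    "# constructed sample known_hosts\n"
    "db1.example.internal,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder0=\n"
    "@cert-authority *.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder1=\n"
    + hash_hostname("gw.example.internal") + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder2=\n"
)

if __name__ == "__main__":
    print("before:", audit_known_hosts(SAMPLE))
    print("after: ", audit_known_hosts(hash_known_hosts(SAMPLE)))
```

Running the module audits the constructed sample (two cleartext entries, one hashed), then shows that after rewriting every entry is hashed. The audit function is the part a defender would run across home directories to find known_hosts files that still expose a host list.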

Comment 3 Tomas Mraz 2007-03-23 14:23:55 UTC
We do not consider this problem to be a real security issue.  This feature is not
going to be implemented for RHEL-3.


