************************************************************************** Security Bulletin 9802 DISA Defense Communications System January 23, 1998 Published by: DISN Security Coordination Center (SCC@NIC.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil. ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT* Advisory CA-98.03 Original issue date: Jan. 22, 1998 Last revised: A complete revision history is at the end of this file. Topic: Vulnerability in ssh-agent - ----------------------------------------------------------------------------- The text of this advisory was originally released on January 20, 1998, as SNI-23, developed by Secure Networks, Inc. (SNI). To more widely broadcast this information, we are reprinting the SNI advisory here with their permission. Some technical details in the original advisory are not included in this reprint, and these are indicated thus: { DETAILS NOT INCLUDED } We have also removed SNI's PGP public key block and added our contact information. The original advisory is available from ftp://ftp.secnet.com/pub/advisories/SNI-23.SSH-AGENT.advisory We will update this advisory as we receive additional information. Look for it in an "Updates" section at the end of the advisory. ============================================================================= This advisory details a vulnerabily in the SSH cryptographic login program. The vulnerability enables users to use RSA credentials belonging to other users who use the ssh-agent program. This vulnerability may allow an attacker on the same local host to login to a remote server as the user utilizing SSH. Problem Description: ~~~~~~~~~~~~~~~~~~~~ In order to avoid forcing users of RSA based authentication to go through the trouble of retyping their pass phrase every time they wish to use ssh, slogin, or scp, the SSH package includes a program called ssh-agent, which manages RSA keys for the SSH program. The ssh-agent program creates a mode 700 directory in /tmp, and then creates an AF_UNIX socket in that directory. Later, the user runs the ssh-add program, which adds his private key to the set of keys managed by the ssh-agent program. When the user wishes to access a service which permits him to log in using only his RSA key, the SSH client connects to the AF_UNIX socket, and asks the ssh-agent program for the key. Unfortunately, when connecting to the AF_UNIX socket, the SSH client is running as super-user, and performs insufficient permissions checking. This makes it possible for users to trick their SSH clients into using credentials belonging to other users. The end result is that any user who utilizes RSA authentication AND uses ssh-agent, is vulnerable. Attackers can utilize this vulnerability to access remote accounts belonging to the ssh-agent user. { DETAILS NOT INCLUDED } Vulnerable Systems: ~~~~~~~~~~~~~~~~~~~ This vulnerability effects the Unix versions of SSH ONLY. SSH for unix versions 1.2.17 through 1.2.21 are vulnerable if installed with default permissions. Versions of SSH prior to 1.2.17 are subject to a similar (but different) attack. F-Secure SSH for Unix systems prior to release 1.3.3 ARE vulnerable. You can determine the version of SSH you are running by issuing the case sensitive command: % ssh -V Version 1.1 of the windows-based SSH client sold by Data Fellows Inc. under the F-Secure brand name is NOT vulnerable to this attack. Versions 1.0 and 1.0a of Mac SSH are NOT vulnerable to this attack. Fix Resolution: ~~~~~~~~~~~~~~~ Non-commercial users: If using the free non-commercial SSH distribution for Unix, administrators are urged to upgrade to SSH 1.2.22 or later. Updated versions of the free unix SSH can be found at ftp://ftp.cs.hut.fi/pub/ssh Commercial users: F-Secure SSH version 1.3.3 fixes this security problem. If you are using the commercial Data Fellows SSH package and you have a support contract, you can obtain SSH version 1.3.3 from your local retailer. Users without a support contract can obtain a diff file which fixes this problem. This file can be obtained from: http://www.DataFellows.com/f-secure/support/ssh/bug/su132patch.html Workaround: As a temporary workaround, administrators may remove the setuid bit from the SSH binary. This will prevent the attack from working, but will disable a form of authentication documented as rhosts-RSA. For example, if your SSH binary is in the /usr/local/bin directory, the following command will remove the setuid bit from the SSH binary: # chmod u-s /usr/local/bin/ssh Additional Information ~~~~~~~~~~~~~~~~~~~~~~ SSH is a cryptographic rsh, rlogin, and rcp replacement. SSH was written by Tatu Ylonen . For more information about the noncommercial unix version of SSH, please see http://www.cs.hut.fi/ssh Commercial versions of ssh are marketed by Data Fellows Inc. For information about the F-secure ssh derivatives sold by Data Fellows Inc, please see http://www.DataFellows.com/f-secure This vulnerability was discovered by David Sacerdote . { DETAILS NOT INCLUDED } Copyright Notice ~~~~~~~~~~~~~~~~ The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and may be distributed freely provided that no fee is charged for distribution, and that proper credit is given. You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers and advisories at ftp://ftp.secnet.com/advisories You can browse our web site at http://www.secnet.com You can subscribe to our security advisory mailing list by sending mail to majordomo@secnet.com with the line "subscribe sni-advisories" ============================================================================= - ---------------------------------------------------------------------------- The CERT Coordination Center thanks Secure Networks, Inc. for permission to reproduce technical content from their advisory SNI-23, which is copyrighted 1997 Secure Networks, Inc. - ---------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/) CERT/CC Contact Information - ---------------------------- Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA Using encryption We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key Getting security information CERT publications and other security information are available from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org In the subject line, type SUBSCRIBE your-email-address - --------------------------------------------------------------------------- Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access, send mail to cert@cert.org with "copyright" in the subject line. *CERT is registered in the U.S. Patent and Trademark Office. - --------------------------------------------------------------------------- This file: ftp://info.cert.org/pub/cert_advisories/CA-98.03.ssh-agent http://www.cert.org click on "CERT Advisories" ======================================================================== UPDATES ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision history -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNMedoHVP+x0t4w7BAQH0kgP8CBrdnP41QyWIZBhpM/jXytLCaaiNp6gZ 9gZ2Nn7otBYzXjSrLDxpKbkQ3hal6yohWq46Q0IqTCl+MvG88gDwJkUdMCjI5uXf jJfV47Xmow6Fjoe7nu6hH6TnOSxp2Cmk/rsBzE3fxq5vXLt36+LD4oBrMhSGHYNQ W30+BhN19jg= =es1I -----END PGP SIGNATURE----- **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * ASSIST: * * * * E-mail address: ASSIST@ASSIST.MIL * * * * Telephone: 1-(800)-357-4231 (24 hours/day) * * * * You may also contact the Security Coordination Center (SCC) at the * * NIC: * * * * E-mail address: SCC@NIC.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.