SSH Vulnerabilities
SSH Agent Vulnerabilities
Impact
This document will detail a vulnerability in the ssh cryptographic
login program. The vulnerability enables users to use RSA
credentials belonging to other users who use the SSH-agent program. This
vulnerability may allow a malicious user/hacker on the same local host
to login to a remote server as the user utilizing ssh.
Background
Secure Shell, or ssh,
is a program used to log into another computer over a network, execute
commands on a remote machine and move files from one machine to another.
It provides strong authentication and secure communications over unsecure
communication channels. ssh is intended as a replacement
for rlogin,
rsh
and rcp.
Additionally, ssh provides secure X
connections and secure forwarding of arbitrary TCP
connections. Traditional BSD "r" commands,
such as rsh, rlogin and rcp,
are vulnerable to a variety of different hacker attacks. A user with "root"
access to certain machines on the network, or physical access to the network
itself, may be able to gain unauthorized access to systems by exploiting
various vulnerabilities found in the BSD "r" commands. Also, it may be
possible for a malicious user to log all traffic to and from a target system,
including keystrokes and passwords. The X Window System
also has a number of vulnerabilities which may be exploited by hackers.
The use of ssh helps to correct these vulnerabilities.
Specifically, ssh protects against these attacks: IP
spoofing (where the spoofer is on either a remote or local host),
IP
source routing, DNS
spoofing, interception of cleartext passwords/data and attacks
based on listening to X authentication data and spoofed
connections to an X11 server.
The Problem
The ssh package includes a program called the ssh-agent.
The ssh-agent manages the RSA keys for the ssh
program, and is used primarily to help users avoid having to type in their
pass phrase every time they wish to use ssh, slogin
or scp. When invoked, the ssh-agent program
creates a mode 700 directory in the /tmp directory, and then creates
an AF_UNIX socket in that directory. Later, the user will run a
program named ssh-add, which adds his or her provate key
to the set of keys managed by the ssh-agent program. When
a user wishes to utilize a program which requires RSA key authentication,
the ssh client connects to the AF_UNIX socket and
asks the ssh-agent program for the appropriate key.
The vulnerability lies in the fact that when the ssh
client connects to the AF_UNIX socket, it is running as super-user,
or root, and performs insufficient permissions checking. This makes it
possible for users to trick their tt>ssh clients into using credentials
belonging to other users. In other words, any users who utilize RSA authentication
and use the ssh-agent program may have their credentials
improperly used by a malicious user, who then may improperly access services
or programs on a host machine.
This vulnerability effects the UNIX versions of ssh
only. Specifically, ssh for UNIX versions 1.2.17 through
1.2.21 are vulnerable if installed with default permissions. Versions of
ssh prior to 1.7.17 are subject to a different (but very
similar) attack. Additionally, the F-Secure ssh programs,
prior to version 1.3.3, are vulnerable to this attack. Version 1.1 of the
Windows-based ssh client, sold by Data Fellows, Inc. under
the F-Secure brand name, and versions 1.0/1.0a of the Macintosh ssh
client are not vulnerable to this attack. If you are unsure of which version
or brand of ssh you are running, type "ssh -v" at
the command prompt and that information will be given to you by the system.
If you are not sure if your version or brand of ssh is
vulnerable to this type of attack, please contact the appropriate vendor.
Resolutions
For those using the non-commercial versions of ssh for
UNIX, this vulnerability may be easily fixed. Simply upgrade to SSH
version 1.2.22 or later. For those using the F-Secure ssh
program, version 1.3.3 fixes this security problem. For those using the
Data Fellows ssh package, and who have a support contract,
the fix for this vulnerability is to upgrade to version 1.3.3, which may
be obtained from a local retailer. If you are using the Data Fellows ssh
package, but do not have a support contract, there is a diff file
which should fix this vulnerability. This diff file may be obtained
from the Data Fellows SSH
Web site.
If the above fixes are not practical, or if administrators wish to use
a temporary fix until the above resolutions may be implemented, a workaround
to this problem is available. The temporary workaround is for administrators
to remove the setuid bit from the ssh binary. This will
prevent the attack from working, but will also disable a form of authentication
documented as rhosts-RSA. For example, if the ssh binary
is in the /usr/local/bin directory, the following command will remove
the setuid bit from the ssh binary: "chmod u-s /usr/local/bin/ssh".
Where can I read more about this?
This vulnerability is outlined in Cert
Advisory 93.08. For more information about the noncommercial UNIX versions
of ssh, be sure to visit SSH Communications Security's
SSH Web site. If you are using a
commercial version of ssh and need more information, please
visit Data Fellows, Inc.
CVE References(s):
CVE-1999-0834 CVE-1999-0013