Users login

Create an account »

JOIN XATRIX

Users login

Home » Security Advisories» OpenPKG » OpenSSH privilege escalation

OpenSSH privilege escalation

A security bug introduced in OpenSSH version 4.0 caused gateway ports (SSH client command line option "-o 'GatewayPorts yes'") to be accidentally activated for dynamic port forwardings (SSH client command line option "-D [address:]port") when the listen address was not explicitly specified. As a result, the SSH client performed a wildcard bind for the listening socket on the SSH client machine instead of a bind to just "localhost". This way the dynamic port forwardings can be accessed also from outside the SSH client machine.

  • Vendor: OpenPKG
  • Vendor ID: SA-2005.019
  • Date: September 06, 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[email protected] [email protected]
OpenPKG-SA-2005.019 06-Sep-2005
________________________________________________________________________

Package: openssh
Vulnerability: privilege escalation
OpenPKG Specific: no

Affected Releases: Affected Packages: Corrected Packages:
OpenPKG CURRENT <= openssh-4.1p1-20050812 >= openssh-4.2p1-20050901
OpenPKG 2.4 <= openssh-4.1p1-2.4.0 >= openssh-4.1p1-2.4.1
OpenPKG 2.3 none N.A.

Dependent Packages: none

Description:
A security bug introduced in OpenSSH [1] version 4.0 caused gateway
ports (SSH client command line option "-o 'GatewayPorts yes'") to
be accidentally activated for dynamic port forwardings (SSH client
command line option "-D [address:]port") when the listen address
was not explicitly specified. As a result, the SSH client performed
a wildcard bind for the listening socket on the SSH client machine
instead of a bind to just "localhost". This way the dynamic port
forwardings can be accessed also from outside the SSH client machine.

Please check whether you are affected by running "/bin/rpm -q
openssh". If you have the "openssh" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution). [2][3]

Solution:
Select the updated source RPM appropriate for your OpenPKG release
[4], fetch it from the OpenPKG FTP service [5] or a mirror location,
verify its integrity [6], build a corresponding binary RPM from it
[2] and update your OpenPKG installation by applying the binary RPM
[3]. For the most recent release OpenPKG 2.4, perform the following
operations to permanently fix the security problem (for other releases
adjust accordingly).

$ ftp ftp.openpkg.org
ftp> bin
ftp> cd current/SRC
ftp> get openssh-4.1p1-2.4.1.src.rpm
ftp> bye
$ /bin/rpm --rebuild openssh-4.1p1-2.4.1.src.rpm
$ su -
# /bin/rpm -Fvh /RPM/PKG/openssh-4.1p1-2.4.1.*.rpm
________________________________________________________________________

References:
[1] http://www.openssh.com/
[2] http://www.openpkg.org/tutorial.html#regular-source
[3] http://www.openpkg.org/tutorial.html#regular-binary
[4] ftp://ftp.openpkg.org/release/2.4/UPD/openssh-4.1p1-2.4.1.src.rpm
[5] ftp://ftp.openpkg.org/release/2.4/UPD/
[6] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG " (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG

iD8DBQFDHZi1gHWT4GPEy58RAnrTAJ0dKA35YVj6Tltklch+O0bkXgxQkACg6R4Y
IzIjDHb0pjTYiVqySMyBV2w=
=/6Zk
-----END PGP SIGNATURE-----

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »