Date: Fri, 9 Feb 2001 23:38:59 -0500 (EST)
From: Jeffrey L. Vagle <jvagle@linuxppc.org>
To: linuxppc-security-announce@lists.linuxppc.org
Subject: LPPCSA-2001:004:1 - OpenSSH remote forwarding vulnerability

=========================================================================
LinuxPPC Security Advisory                   LPPCSA-2001:004:1   20010209
http://linuxppc.org/security                        security@linuxppc.org
=========================================================================

Summary:         OpenSSH unauthorized remote forwarding vulnerability
Date:            20010209
Affects:         OpenSSH versions prior to 2.3.0
Updated Package: openssh-2.3.0p1-1

I. Background

OpenSSH is a FREE version of the SSH suite of network connectivity tools
that increasing numbers of people on the Internet are coming to rely on.
Many users of telnet, rlogin, ftp, and other such programs might not
realize that their password is transmitted across the Internet
unencrypted, but it is. OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection hijacking,
and other network-level attacks. Additionally, OpenSSH provides a myriad
of secure tunnelling capabilities.

The OpenSSH suite includes the ssh program which replaces rlogin and
telnet, and scp which replaces rcp and ftp. Also included is sshd which
is the server side of the package, and the other basic utilities like
ssh-add, ssh-agent, and ssh-keygen. OpenSSH supports protocol versions
1.3, 1.5, and 2.0.

II. Problem Description

The problem occurs in the OpenSSH client. The client does not
sufficiently check for the ssh-agent and X11 forwarding options after an
SSH session has been negotiated. This allows the server end of the SSH
session to gain access to either of these two resources on the client
side. This could result in a malicious server gaining access to the X11
display and remotely watching the desktop and keystrokes. This problem
can also allow a malicious server access to the local ssh-agent.

III. Solution

A. URL: http://linuxppc.org/security/advisories/LPPCSA-2001-004-1.php3

B. Instructions

To update your packages, use

    rpm -Uvh filename

for each RPM. To verify each RPM, use

    rpm --checksig filename

LinuxPPC.org's GPG key may be found at
http://linuxppc.org/security/advisories/linuxppc_pub_key.php3

** Sent via the linuxppc-security-announce mail list.
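
The update steps in section III.B, as an added example (not part of the advisory or of LinuxPPC's tooling) that runs the signature check before the install, in POSIX sh. The function names are hypothetical, and the strings it matches (`gpg`, `pgp`, `signatures`, `NOT OK`) are assumptions about what `rpm --checksig` prints across rpm versions.

```shell
#!/bin/sh
# Added example: verify every RPM's signature before installing any of them.
# Assumption: the LinuxPPC.org GPG key has already been imported into the
# keyring that rpm consults, so a signed package is reported as checked.

# sig_ok FILE -> 0 only if `rpm --checksig` succeeds AND reports a signature.
# A package carrying no signature can still pass its digest check, so the
# exit status alone does not prove the package was signed.
sig_ok() {
    out=$(rpm --checksig "$1" 2>&1) || return 1
    result=${out#"$1":}          # drop the "filename:" prefix before matching
    case $result in
        *"NOT OK"*) return 1 ;;  # failed digest, bad signature or missing key
    esac
    case $result in
        # Assumed success tokens: "gpg"/"pgp" (older rpm), "signatures" (newer).
        *gpg*|*pgp*|*signatures*) return 0 ;;
    esac
    return 1                     # digest-only result: treat as unverified
}

# verify_then_install FILE... -> runs `rpm -Uvh` only if every file verifies.
verify_then_install() {
    for f in "$@"; do
        if ! sig_ok "$f"; then
            echo "refusing to install: $f failed the signature check" >&2
            return 1
        fi
    done
    rpm -Uvh "$@"
}

# Usage: verify_then_install filename [filename ...]
```

A single failing file aborts the whole batch, so a partly verified set of packages is never installed.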