SSH Vulnerabilities

Impact

This document details several vulnerabilities in ssh, the cryptographic remote login program. Outdated versions of ssh may allow a malicious user to log in as another user, to insert arbitrary commands into a session, or to gain remote root access to the ssh server.

Note: While the stoplight on this page indicates the highest possible severity level (and thus the most dire consequences if this vulnerability is indeed exploited), consult the bullet next to the link to this tutorial to check your actual susceptibility to this vulnerability. If the bullet is red, then we have detected a version of ssh that is susceptible to a vulnerability which could allow unauthorized access. Please read the rest of this document to learn about possible solutions. If the bullet is brown, then we were unable to gather sufficient information to tell whether or not ssh is vulnerable. Please read this document for further details.

Background

Secure Shell, or ssh, is a program used to log into another computer over a network, execute commands on a remote machine and move files from one machine to another. It provides strong authentication and secure communications over insecure communication channels. ssh is intended as a replacement for rlogin, rsh and rcp. Additionally, ssh provides secure X connections and secure forwarding of arbitrary TCP connections.

Traditional BSD "r" commands, such as rsh, rlogin and rcp, are vulnerable to a variety of attacks. A user with "root" access to certain machines on the network, or physical access to the network itself, may be able to gain unauthorized access to systems by exploiting various vulnerabilities found in the BSD "r" commands. Also, it may be possible for a malicious user to log all traffic to and from a target system, including keystrokes and passwords. The X Window System also has a number of vulnerabilities which may be exploited.

The use of ssh helps to correct these vulnerabilities. Specifically, ssh protects against these attacks: IP spoofing (where the spoofer is on either a remote or local host), IP source routing, DNS spoofing, interception of cleartext passwords/data, and attacks based on listening to X authentication data and spoofed connections to an X11 server.

The Problems and Resolutions

Note: All of the problems described below can be fixed by upgrading to ssh-1.2.28 or higher. If upgrading to any version of ssh2, please see the license for that version.


Buffer overflow in ssh with RSAREF2

CVE 1999-0834

RSAREF2 is an implementation of the RSA algorithm, which is used by ssh for authentication and key exchange. A buffer overflow condition in ssh together with a buffer overflow condition in RSAREF2 could allow a remote attacker to execute arbitrary commands with the privileges of the ssh server, which is typically root. ssh versions 1.2.27 and earlier are vulnerable if compiled with the --with-rsaref option. This option is not the default, so a copy of ssh that was compiled without explicitly specifying it is not vulnerable.

This problem can be fixed by upgrading to ssh-1.2.28. If this is not possible, then install the ssh patch and the RSAREF2 patch. See CERT Advisory 99-15 for more information on patches. The UNIX patch command can be used to apply these patches. Note: Recompiling ssh without the --with-rsaref option will fix the vulnerability, but may be a violation of the copyright restriction on RSA if used in the United States. See the COPYING file in your ssh distribution for more details.


ssh insertion vulnerability

ssh uses a 32-bit cyclic redundancy check (CRC-32) algorithm to verify that a packet contains legitimate data. If certain cipher modes are used, a remote attacker could create an ssh packet that will decrypt to arbitrary plaintext, and a weakness in the CRC-32 algorithm could allow the attacker to forge a valid checksum so that the packet will appear to be legitimate. By inserting such packets into an existing session, the attacker could execute arbitrary commands on the system. ssh versions 1.2.23 and earlier have this vulnerability, as do F-Secure versions 1.3.4 and earlier. If you are not sure which version you are running, type ssh -V on the system, and it will tell you which version is installed.

The solution to this problem is to upgrade ssh to version 1.2.25 or higher, or to F-Secure version 1.3.5 or higher. F-Secure users with a support contract can obtain an upgrade from their local retailer.
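The CRC-32 weakness described above comes from the checksum being an unkeyed, affine function of the data: anyone who changes known bit positions can compute the matching checksum change without reading the packet. The following is an added example, not code from ssh or from the advisories; the payload, key and function names are constructed for illustration, and the HMAC comparison is included only to contrast a keyed integrity check with CRC-32.

```python
import hashlib
import hmac
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc_after_flip(old_crc: int, delta: bytes) -> int:
    """CRC-32 of (message XOR delta), derived without reading the message.

    CRC-32 is affine over GF(2): for equal-length inputs,
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros).
    """
    zeros = bytes(len(delta))
    return old_crc ^ zlib.crc32(delta) ^ zlib.crc32(zeros)


def crc_check(message: bytes, checksum: int) -> bool:
    """Unkeyed integrity check: recompute CRC-32 and compare."""
    return zlib.crc32(message) == checksum


def mac_check(key: bytes, message: bytes, tag: bytes) -> bool:
    """Keyed integrity check: recompute HMAC-SHA256 and compare in constant time."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo():
    """Return (crc_accepts_modified, mac_accepts_modified) for constructed data."""
    key = b"constructed-demo-key"                   # constructed sample key
    original = b"constructed sample payload 0001"   # constructed sample payload
    crc = zlib.crc32(original)
    tag = hmac.new(key, original, hashlib.sha256).digest()

    # Flip two bits in the last byte only; the delta is zero everywhere else.
    delta = bytes(len(original) - 1) + b"\x03"
    modified = xor_bytes(original, delta)
    predicted = crc_after_flip(crc, delta)  # uses only the old CRC and the delta

    return crc_check(modified, predicted), mac_check(key, modified, tag)
```

The CRC check accepts the modified payload because the new checksum is predictable from public information, while the keyed tag no longer verifies.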


ssh-agent vulnerability

CVE 1999-0013
CVE 1999-0248

The ssh package includes a program called the ssh-agent. The ssh-agent manages the RSA keys for the ssh program, and is used primarily to help users avoid having to type in their pass phrase every time they wish to use ssh, slogin or scp. When invoked, the ssh-agent program creates a mode 700 directory in the /tmp directory, and then creates an AF_UNIX socket in that directory. Later, the user will run a program named ssh-add, which adds his or her private key to the set of keys managed by the ssh-agent program. When a user wishes to utilize a program which requires RSA key authentication, the ssh client connects to the AF_UNIX socket and asks the ssh-agent program for the appropriate key.

The vulnerability lies in the fact that when the ssh client connects to the AF_UNIX socket, it is running as super-user, or root, and performs insufficient permissions checking. This makes it possible for users to trick their ssh clients into using credentials belonging to other users. In other words, any users who utilize RSA authentication and use the ssh-agent program may have their credentials improperly used by a malicious user, who then may improperly access services or programs on a host machine.

This vulnerability affects the UNIX versions of ssh only. Specifically, ssh for UNIX versions 1.2.17 through 1.2.21 are vulnerable if installed with default permissions. Versions of ssh prior to 1.2.17 are subject to a different (but very similar) attack. Additionally, the F-Secure ssh programs, prior to version 1.3.3, are vulnerable to this attack. Version 1.1 of the Windows-based ssh client, sold by F-Secure Corporation, and versions 1.0/1.0a of the Macintosh ssh client are not vulnerable to this attack. If you are unsure of which version or brand of ssh you are running, type "ssh -V" at the command prompt and that information will be given to you by the system. If you are not sure if your version or brand of ssh is vulnerable to this type of attack, please contact the appropriate vendor.

For those using the non-commercial versions of ssh for UNIX, this vulnerability may be easily fixed: upgrade to SSH version 1.2.26 or later. For those using the F-Secure ssh program, version 1.3.3 fixes this security problem; users with a support contract may obtain the upgrade from a local retailer.

If the above fixes are not practical, or if administrators wish to use a temporary fix until the above resolutions may be implemented, a workaround to this problem is available. The temporary workaround is for administrators to remove the setuid bit from the ssh binary. This will prevent the attack from working, but will also disable a form of authentication documented as rhosts-RSA. For example, if the ssh binary is in the /usr/local/bin directory, the following command will remove the setuid bit from the ssh binary: "chmod u-s /usr/local/bin/ssh".
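The two conditions discussed in this section can be audited from a script: whether the ssh binary still carries the setuid bit, and whether an agent socket and its directory really belong to the user on whose behalf they would be used. This is an added example, not code from ssh and not a description of how the fixed versions work; the function names and the exact set of checks are assumptions made for illustration.

```python
import os
import stat


def has_setuid(path: str) -> bool:
    """True if the file at path carries the setuid bit (what chmod u-s clears)."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def agent_socket_problems(sock_path: str, uid: int) -> list:
    """Return reasons not to use sock_path on behalf of uid (empty list = OK).

    lstat is used so that a symlink placed at the path is seen as a
    symlink, not as whatever it points to.
    """
    problems = []
    try:
        sock = os.lstat(sock_path)
        parent = os.lstat(os.path.dirname(sock_path))
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]

    if not stat.S_ISSOCK(sock.st_mode):
        problems.append("path is not an AF_UNIX socket")
    if sock.st_uid != uid:
        problems.append("socket is owned by a different user")
    if not stat.S_ISDIR(parent.st_mode):
        problems.append("parent is not a real directory")
    if parent.st_uid != uid:
        problems.append("directory is owned by a different user")
    # The agent creates its directory mode 700; any group/other bit is suspect.
    if parent.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("directory is accessible to group or others")
    return problems
```

Pass the real uid of the invoking user (os.getuid()), not the effective uid, since a setuid-root program's effective uid is root and would match nothing useful.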

Where can I read more about this?

Information about the buffer overflows in ssh and RSAREF2 can be found in CERT Advisory 99-15. More detailed information about the buffer overflow in RSAREF2 in particular can be found in the CORE SDI Advisory. The ssh insertion attack was reported in an X-Force alert. It is described in greater detail in a CORE SDI Advisory. The ssh-agent vulnerability is outlined in CERT Advisory 98.03.

For more information about SSH Communications Security's versions of ssh, be sure to visit their SSH Web site. If you are using F-Secure and need more information, please visit F-Secure Corporation.