安全公告：FreeBSD-SA-08:05.openssh

发表: delphijBSD爱好者乐园 t4]Et+Dy
时间: 2008/04/17 08:20:39BSD爱好者乐园'\&GW/ra({E

s8j;uo wv'i9?H6rNBSD爱好者乐园*T
pEC2@qu
-----BEGIN PGP SIGNED MESSAGE-----BSD爱好者乐园
\4g9T vc/_
Hash: SHA1
/UH3Y%`9Lm;jHBSD爱好者乐园2D.~V[
Dn:d
=============================================================================BSD爱好者乐园z$RZMkYk
qM]
FreeBSD-SA-08:05.openssh Security Advisory
q1C X5s(Na
SZVThe FreeBSD Project
|yg6F3[3R%q+X@B/h
Q2WrTe$STopic: OpenSSH X11-forwarding privilege escalationBSD爱好者乐园AC2a!z,g1A;e-J

k'b4_o/`#\e`Category: contrib
b Sk1d-q*AModule: openssh
5QgnZ
}9m*?Announced: 2008-04-17
G BJ-jx.s$a9~,~&UCredits: Timo Juhani Lindfors
1hp B+yQ5uuAffects: All supported versions of FreeBSDBSD爱好者乐园bs\iL"o
Corrected: 2008-04-16 23:58:33 UTC (RELENG_7, 7.0-STABLE)BSD爱好者乐园PG7I"D-})v
2008-04-16 23:58:52 UTC (RELENG_7_0, 7.1-RELEASE-p1)
;N ?-{ _`5s2008-04-16 23:59:35 UTC (RELENG_6, 6.3-STABLE)
i$e^$Vl9M)QEg2008-04-16 23:59:48 UTC (RELENG_6_3, 6.3-RELEASE-p2)BSD爱好者乐园;Ekx%CD)A7P
2008-04-17 00:00:04 UTC (RELENG_6_2, 6.2-RELEASE-p12)
6s.E3F3}6ulM h2008-04-17 00:00:28 UTC (RELENG_6_1, 6.1-RELEASE-p24)
(Jq$U3l-]OB(]5vNE2008-04-17 00:00:41 UTC (RELENG_5, 5.5-STABLE)BSD爱好者乐园 d4EJD;v$Ix)`
2008-04-17 00:00:54 UTC (RELENG_5_5, 5.5-RELEASE-p20)BSD爱好者乐园*}(Y'm @!] B
CVE Name: CVE-2008-1483BSD爱好者乐园8OeL2B8_Tqp6@(wjn

|I8uj'V"Z8hFor general information regarding FreeBSD Security Advisories,BSD爱好者乐园'h:Lcfj3VT+Vs
including descriptions of the fields above, security branches, and the
zgb.H&sG*YrkJpfollowing sections, please visit <URL:http://security.FreeBSD.org/>.
Y"r Jcm7Hn({mZ*?9YBSD爱好者乐园 F-~8{k Q*?
I. BackgroundBSD爱好者乐园r0t%NV9|0@|#I

hRBj$O-l oOpenSSH is an implementation of the SSH protocol suite, providing anBSD爱好者乐园\Ti9?,B_e2j
encrypted and authenticated transport for a variety of services,
r8|*A w_1K Pincluding remote shell access. The OpenSSH server daemon (sshd)BSD爱好者乐园OF!~ct`.b
provides support for the X11 protocol by binding to a port on theBSD爱好者乐园Y5jzU:B {d1a
server and forwarding any connections which are made to that port.
#R~-`0O(o1g6[ wEBSD爱好者乐园^ w;K8G(I!P
II. Problem Description
%u"bG_z*nH
9P bR}rWhen logging in via SSH with X11-forwarding enabled, sshd(8) fails toBSD爱好者乐园/XM.G Q N$]%X
correctly handle the case where it fails to bind to an IPv4 port but
.al.pM] u3u6z\ Gsuccessfully binds to an IPv6 port. In this case, applications whichBSD爱好者乐园6j6r5DWz?Q
P
use X11 will connect to the IPv4 port, even though it had not beenBSD爱好者乐园L I9qwHBR N
bound by sshd(8) and is therefore not being securely forwarded.BSD爱好者乐园*bG?Q'~#\
BSD爱好者乐园-N;goh ~
III. Impact
E%PlE.IBSD爱好者乐园#V{.JA$bg
A malicious user could listen for X11 connections on a unused IPv4BSD爱好者乐园iI6AVf}K ]
port, e.g tcp port 6010. When an unaware user logs in and sets up X11BSD爱好者乐园Up&C'|#?#JFkr;|i
fowarding the malicious user can capture all X11 data send over the
%~.i^fPii(Tport, potentially disclosing sensitive information or allowing theBSD爱好者乐园&aO3C,a
y)t1~t
execution of commands with the privileges of the user using theBSD爱好者乐园n/`0z y1]^
X11 forwarding.BSD爱好者乐园Z9r0\s0x;[
BSD爱好者乐园J
G,o r#[1cm `$wztr/U
NOTE WELL: FreeBSD ships with IPv6 enabled by default in the GENERICBSD爱好者乐园7A9k|.lz'TT"v
and SMP kernels, so users are vulnerable even they have not explicitlyBSD爱好者乐园j)i.~,Lx9U
enabled IPv6 networking.BSD爱好者乐园5f7^/Ax"}|w
v
BSD爱好者乐园vG&b ~)R/@ ?7FPZ
IV. Workaround
4n[2u OaJ!Q2Fz
"Xk1u Y~(XDisable support for IPv6 in the sshd(8) daemon by setting the optionBSD爱好者乐园Kc5z P(V&KxI
"AddressFamily inet" in /etc/ssh/sshd_config.BSD爱好者乐园2]~+Z(D.A+K*?8nY
BSD爱好者乐园K F/r6W8CJ9u
Disable support for X11 forwarding in the sshd(8) daemon by settingBSD爱好者乐园[p wr!W
the option "X11Forwarding no" in /etc/ssh/sshd_config.BSD爱好者乐园"d
veH,r,K

5pF H"v[
jEz
uV. Solution
`"~ zv8oQlD4F9RBSD爱好者乐园 XF&E+_KiJ
Perform one of the following:BSD爱好者乐园(F1dx2N(w


j@!r&{p]0rBur(n1) Upgrade your vulnerable system to 5-STABLE, 6-STABLE, or 7-STABLE,BSD爱好者乐园BGt^UH/\
or to the RELENG_7_0, RELENG_6_3, RELENG_6_2, RELENG_6_1, RELENG_5_5
W;i z2O _5Axsecurity branch dated after the correction date.
7M;?b!Z)n_u0|
q!AIc:sd.XG2) To patch your present system:
9f5_ F3xXs4dw0v
9^uO~X3_]IQP2xThe following patch has been verified to apply to FreeBSD 5.5, 6.1,
)i)z,l;qcj`6.2, 6.3, and 7.0 systems.
Y%F8jZ)^
S KZ%H(D7{:O_Sa) Download the relevant patch from the location below, and verify the
}rnoAdetached PGP signature using your PGP utility.BSD爱好者乐园$Z'Jo"]'I(Ss

0C9tz9E"\*N;K:BW |# fetchhttp://security.FreeBSD.org/patches/SA-08:05/openssh.patch# fetchhttp://security.FreeBSD.org/patches/SA-08:05/openssh.patch.ascBSD爱好者乐园R8x0K C'm
L$v ]
b) Execute the following commands as root:
w%Af(V}BSD爱好者乐园#TN;P4Ev
# cd /usr/src
]/m!r1G
Eg3\b# patch < /path/to/patch
ns} ^0Qg# cd /usr/src/secure/lib/libsshBSD爱好者乐园}GBXRk
# make obj && make depend && make && make install
1at-K {1y{a&[k# cd /usr/src/secure/usr.sbin/sshd
$X#p%E/E#PZM$v}# make obj && make depend && make && make install
H iv1G"I2FHC:?# /etc/rc.d/sshd restartBSD爱好者乐园efBN{+mO

1{NB&JY&@1z5L'CYVI. Correction details
lf;p1l/|D!S+}}BSD爱好者乐园:x0V?EP5m
The following list contains the revision numbers of each file that wasBSD爱好者乐园:l1Q!Q?!T6X
corrected in FreeBSD.BSD爱好者乐园b#Z.\!KZP3\+P
BSD爱好者乐园?#gHN)b"m!`1~6w
Branch Revision
7[j:?4T{s&j `PathBSD爱好者乐园Ar"|;Uo;`!m
- -------------------------------------------------------------------------
}t#?1~~RELENG_5
M6M+ihy9usrc/crypto/openssh/channels.c 1.18.2.1
:\M8u*]agn4W,WLjRELENG_5_5BSD爱好者乐园9^&GL!?xCI.{
src/UPDATING 1.342.2.35.2.21BSD爱好者乐园p+QoQ2ks#_8Y@;o
src/sys/conf/newvers.sh 1.62.2.21.2.22BSD爱好者乐园'`#Yxc/Qx%P/Mg-M
src/crypto/openssh/channels.c 1.18.8.1BSD爱好者乐园6L6dN hE:jat/F
RELENG_6
G [,k6GM-C+NQVsrc/crypto/openssh/channels.c 1.20.2.3
-i S-D:q/V6v9cvRELENG_6_3BSD爱好者乐园ot5Nq9|-A_
src/UPDATING 1.416.2.37.2.6
7c_sl+t$dSsrc/sys/conf/newvers.sh 1.69.2.15.2.5
ij$i4_'e2V._ | Z0Rsrc/crypto/openssh/channels.c 1.20.2.2.4.1BSD爱好者乐园:K@ C rx)M @2RY
zaN
RELENG_6_2
^Ts3uM6pWQsrc/UPDATING 1.416.2.29.2.16BSD爱好者乐园"x;N;p%`VI cW
src/sys/conf/newvers.sh 1.69.2.13.2.15
SgX&[O.p y O.zsrc/crypto/openssh/channels.c 1.20.2.2.2.1BSD爱好者乐园QC"G.Fd3z
RELENG_6_1
'k$UpQKTsrc/UPDATING 1.416.2.22.2.27
aL bO{src/sys/conf/newvers.sh 1.69.2.11.2.26
| Z.rH:\3WV;`^src/crypto/openssh/channels.c 1.20.2.1.4.1BSD爱好者乐园]'e3a8Q`7Tl6r/c
RELENG_7BSD爱好者乐园y'p-x/^8bVQ eT
src/crypto/openssh/channels.c 1.23.2.1BSD爱好者乐园|5Nf TRD3K:u*q
RELENG_7_0
!v%Fa(T)j_src/UPDATING 1.507.2.3.2.5
9z6F1h}-oO
hsrc/sys/conf/newvers.sh 1.72.2.5.2.5BSD爱好者乐园.r/sdjy t)Q3F
src/crypto/openssh/channels.c 1.23.4.1
V+USbb gSv- -------------------------------------------------------------------------
&kW Y@aH
9P6dnkW&k6v8ZVII. References
%f p&qe/A2c%p
Xf&n+a~4Tr%_http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483http://www.openssh.com/txt/release-5.0BSD爱好者乐园\9tBG X w@
The latest revision of this advisory is available at
]ri{;H7g^c yhttp://security.FreeBSD.org/advi ... A-08:05.openssh.asc-----BEGIN PGP SIGNATURE-----BSD爱好者乐园;^*j ^5WIl:tS
Version: GnuPG v1.4.7 (FreeBSD)
$Ur1j1M+FD5T,M5J_
kxK&BI%oiD8DBQFIBpWTFdaIBMps37IRAomdAJ9hKgp/MG2PbVVojAMjCTtcY6T5HgCeNDxa
-z:f%B.rJiA55tmcA3GXbsXAd/flJZO4=
]n/i R xX5Gk~4sf=joYI
}8v n7x X,B\hy-----END PGP SIGNATURE-----
[重要提醒]对本篇资料有疑问，请到论坛讨论，尽量使文章准确无误>>>
[版权声明]BSD爱好者乐园站内文章，如来源不是互联网，则均系原创或翻译之作，可随意转载，或以此为基础进行演译，但务必以链接形式注明原始出处和作者信息，否则属于侵权行为。另对本站转载他处文章，俱有说明，如有侵权请联系本人，本人将会在第一时间删除侵权文章。
TAG: openssh 安全