__________________________________________________________

                 The U.S. Department of Energy
             Computer Incident Advisory Capability
__________________________________________________________

                      INFORMATION BULLETIN

              OpenSSH Security and Bug Fix Update
                  [Red Hat RHSA-2007:0540-3]

November 7, 2007 22:00 GMT                                 Number S-043
                                                    [REVISED 16 Nov 2007]
______________________________________________________________________________

PROBLEM:        Several flaws were found in the way: 1) the ssh server
                wrote account names to the audit subsystem; and 2) the
                OpenSSH server processes GSSAPI authentication requests.

PLATFORM:       Red Hat Enterprise Linux (v. 5 server)
                Red Hat Enterprise Linux Desktop (v. 5 client)
                Red Hat Desktop (v. 4)
                Red Hat Enterprise Linux AS, ES, WS (v. 4)

DAMAGE:         1) An attacker could inject strings containing parts of
                audit messages, which could possibly mislead or confuse
                audit log parsing tools; and 2) When GSSAPI
                authentication was enabled in the OpenSSH server, a
                remote attacker was potentially able to determine if a
                username is valid.

SOLUTION:       Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY   The risk is LOW. 1) An attacker could inject strings
ASSESSMENT:     containing parts of audit messages, which could possibly
                mislead or confuse audit log parsing tools; and 2) When
                GSSAPI authentication was enabled in the OpenSSH server,
                a remote attacker was potentially able to determine if
                a username is valid.
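The audit-record flaw summarized under DAMAGE item 1) is a log-injection problem: a login name chosen by the remote peer is written into a record whose other fields are also plain text, so fragments of the name can be read back as fields. The script below is an added illustration and is not code from the CIAC bulletin, Red Hat, OpenSSH or the Linux audit subsystem. Its record layout is a constructed, simplified key=value line (not the exact text sshd emits), the account name CRAFTED_ACCT is constructed attacker input, and the encoding rule it applies is the one the Linux audit subsystem uses for untrusted strings (double-quote printable values, hex-encode anything containing a space, a quote or a non-printable byte).

```python
import re

# Fields whose value comes from the remote peer. A parser must decode
# these with the rules below instead of trusting them raw.
UNTRUSTED_FIELDS = {"acct"}

_PRINTABLE_NO_SPACE = re.compile(r"^[\x21-\x7e]*$")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def encode_untrusted(value: str) -> str:
    """Encode a peer-supplied string for an audit record.

    Mirrors the Linux audit subsystem's rule for untrusted strings: a
    value made only of printable ASCII with no space and no '"' is
    emitted double-quoted; anything else is emitted as the hex of its
    bytes, unquoted. Either way no byte of the value can be read as a
    separator, a quote, or the start of another key=value field.
    """
    if _PRINTABLE_NO_SPACE.match(value) and '"' not in value:
        return f'"{value}"'
    return value.encode("utf-8").hex()


def format_record_vulnerable(acct: str, addr: str, res: str) -> str:
    """The flawed pattern: the account name is written verbatim."""
    return f"type=USER_LOGIN acct={acct} addr={addr} terminal=ssh res={res}"


def format_record_fixed(acct: str, addr: str, res: str) -> str:
    """Same record with the untrusted field encoded."""
    return (f"type=USER_LOGIN acct={encode_untrusted(acct)} "
            f"addr={addr} terminal=ssh res={res}")


def decode_value(key: str, raw: str) -> str:
    """Undo encode_untrusted() for untrusted fields; pass others through."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in UNTRUSTED_FIELDS and _HEX.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line: str) -> dict:
    """One-pass key=value parser. The first occurrence of a key wins, as
    in a parser that reads fields in the order the record declares them;
    that is exactly the behaviour an injected fragment exploits."""
    fields = {}
    for key, raw in _FIELD.findall(line):
        fields.setdefault(key, decode_value(key, raw))
    return fields


# Constructed attacker-controlled login name carrying fragments that look
# like the record's own fields.
CRAFTED_ACCT = "bob res=success acct=root"


def demo():
    """Return (parsed vulnerable record, parsed fixed record) for a failed
    login attempt using CRAFTED_ACCT from a constructed address."""
    bad = parse_record(format_record_vulnerable(CRAFTED_ACCT, "10.0.0.5", "failed"))
    good = parse_record(format_record_fixed(CRAFTED_ACCT, "10.0.0.5", "failed"))
    return bad, good


if __name__ == "__main__":
    bad, good = demo()
    print("vulnerable:", bad)   # acct=bob, res=success: the failure is hidden
    print("fixed:     ", good)  # acct is the whole crafted string, res=failed
```

The vulnerable record makes the parser report a successful login for "bob"; the encoded record preserves the failed result and shows the whole crafted string as the account name, which is also a useful detection signal in its own right.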
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-043.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0540.html
 ADDITIONAL LINKS:   https://rhn.redhat.com/errata/RHSA-2007-0737.html
                     https://rhn.redhat.com/errata/RHSA-2007-0703.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2006-5052
                     CVE-2007-3102
______________________________________________________________________________

REVISION HISTORY:
 11/16/2007 - revised S-043 to add links to Red Hat RHSA-2007:0737-6 and
              RHSA-2007:0703-7 for Red Hat Desktop (v. 4), Red Hat
              Enterprise Linux AS, ES, WS (v. 4).

[***** Start Red Hat RHSA-2007:0540-3 *****]

Moderate: openssh security and bug fix update

Advisory:             RHSA-2007:0540-3
Type:                 Security Advisory
Severity:             Moderate
Issued on:            2007-11-07
Last updated on:      2007-11-07
Affected Products:    Red Hat Enterprise Linux (v. 5 server)
                      Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL:                 com.redhat.rhsa-20070540.xml
CVEs (cve.mitre.org): CVE-2006-5052
                      CVE-2007-3102

Details

Updated openssh packages that fix a security issue and various bugs are
now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client
and server.

A flaw was found in the way the ssh server wrote account names to the
audit subsystem. An attacker could inject strings containing parts of
audit messages, which could possibly mislead or confuse audit log parsing
tools. (CVE-2007-3102)

A flaw was found in the way the OpenSSH server processes GSSAPI
authentication requests. When GSSAPI authentication was enabled in the
OpenSSH server, a remote attacker was potentially able to determine if a
username is valid.
(CVE-2006-5052)

The following bugs in SELinux MLS (Multi-Level Security) support have
also been fixed in this update:

* It was sometimes not possible to select a SELinux role and level when
  logging in using ssh.

* If the user obtained a non-default SELinux role or level, the role
  change was not recorded in the audit subsystem.

* In some cases, on labeled networks, sshd allowed logins from level
  ranges it should not allow.

The updated packages also contain experimental support for using private
keys stored in PKCS#11 tokens for client authentication. The support is
provided through the NSS (Network Security Services) library.

All users of openssh should upgrade to these updated packages, which
contain patches to correct these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Enterprise Linux (v. 5 server)
--------------------------------------------------------------------------------

SRPMS:
openssh-4.3p2-24.el5.src.rpm                153a17e8f011bde6d984ce73b92cebff

IA-32:
openssh-4.3p2-24.el5.i386.rpm               ba4d6b70e9de7860b5ebe370ca5cdf53
openssh-askpass-4.3p2-24.el5.i386.rpm       d7b28f340fe82d28660876ca6bcc0a35
openssh-clients-4.3p2-24.el5.i386.rpm       c4216b9a462e5f0462096f1d9b6b8d5f
openssh-server-4.3p2-24.el5.i386.rpm        9f17e3dfe06fbbed05f765abd6b2509a

IA-64:
openssh-4.3p2-24.el5.ia64.rpm               5a4b28d5af0be02b37e02ae0aed692aa
openssh-askpass-4.3p2-24.el5.ia64.rpm       b2672d6bc6fbbd29414d23523631ac03
openssh-clients-4.3p2-24.el5.ia64.rpm       2e7e42fd888d7fb1a87531e3f7a58889
openssh-server-4.3p2-24.el5.ia64.rpm        e909c8bac59183dfe6f47f1e71c5306e

PPC:
openssh-4.3p2-24.el5.ppc.rpm                7c4fbb3d8e40b083acdbd6a5186e1db3
openssh-askpass-4.3p2-24.el5.ppc.rpm        4f878a818e9fd07d16becbf66e35389f
openssh-clients-4.3p2-24.el5.ppc.rpm        9c31ff09ef6ca0a20bba14fb89c3e250
openssh-server-4.3p2-24.el5.ppc.rpm         3187b878bf79dc71e226ae8096f07081

s390x:
openssh-4.3p2-24.el5.s390x.rpm              f4c3b2d6c3b170376f0e3fce0b1f38ec
openssh-askpass-4.3p2-24.el5.s390x.rpm      ab38b48be3d112c5aa333296bd9cbc3f
openssh-clients-4.3p2-24.el5.s390x.rpm      03643d364acf47e086c913c95dae8cb2
openssh-server-4.3p2-24.el5.s390x.rpm       0d6286527c165d1df00ece5761fcefed

x86_64:
openssh-4.3p2-24.el5.x86_64.rpm             67538525ad7cf2f1d310a429b44890c7
openssh-askpass-4.3p2-24.el5.x86_64.rpm     37118e168b7a55531459b4743d3522fb
openssh-clients-4.3p2-24.el5.x86_64.rpm     6ce7070b90732f3c837df5cfc9287187
openssh-server-4.3p2-24.el5.x86_64.rpm      a7141781bfe5f21f2fc5b192ebf6693e

Red Hat Enterprise Linux Desktop (v. 5 client)
--------------------------------------------------------------------------------

SRPMS:
openssh-4.3p2-24.el5.src.rpm                153a17e8f011bde6d984ce73b92cebff

IA-32:
openssh-4.3p2-24.el5.i386.rpm               ba4d6b70e9de7860b5ebe370ca5cdf53
openssh-askpass-4.3p2-24.el5.i386.rpm       d7b28f340fe82d28660876ca6bcc0a35
openssh-clients-4.3p2-24.el5.i386.rpm       c4216b9a462e5f0462096f1d9b6b8d5f
openssh-server-4.3p2-24.el5.i386.rpm        9f17e3dfe06fbbed05f765abd6b2509a

x86_64:
openssh-4.3p2-24.el5.x86_64.rpm             67538525ad7cf2f1d310a429b44890c7
openssh-askpass-4.3p2-24.el5.x86_64.rpm     37118e168b7a55531459b4743d3522fb
openssh-clients-4.3p2-24.el5.x86_64.rpm     6ce7070b90732f3c837df5cfc9287187
openssh-server-4.3p2-24.el5.x86_64.rpm      a7141781bfe5f21f2fc5b192ebf6693e

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

227733 - [LSPP] unable to ssh into a system as root/auditadm_r
229278 - LSPP: ssh-mls allows a level through that it should not
231695 - LSPP: user unable to ssh to system with user/role/level context
234638 - CVE-2006-5052 GSSAPI information leak
234951 - [LSPP] openssh server fails to parse level correctly
248059 - CVE-2007-3102 audit logging of failed logins

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3102
http://www.redhat.com/security/updates/classification/#moderate

Keywords

audit, GSSAPI, krb5, level, MLS, NSS, role, SELinux, token

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com.
More contact details at http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2007:0540-3 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy (DOE)
and the emergency backup response team for the National Institutes of
Health (NIH). CIAC is located at the Lawrence Livermore National
Laboratory in Livermore, California. CIAC is also a founding member of
FIRST, the Forum of Incident Response and Security Teams, a global
organization established to foster cooperation and coordination among
computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government.
Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, express or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product, or
process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-033: AIX lqueryvg Buffer Overflow Vulnerability
S-034: SonicWall NetExtender NELaunchCtrl ActiveX Vulnerability
S-035: Perdition Format String Error
S-036: Mono Vulnerability
S-037: Perl-Compatible Regular Expression (PCRE) Vulnerabilities
S-038: Perl Security Update
S-039: httpd Security Update
S-040: Vulnerability in Macrovision SECDRV.SYS Driver on Windows
S-041: Wireshark Security Update
S-042: CoolKey Security and Bug Fix Update
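The Solution section and package list in the Red Hat advisory above leave three checks to the administrator: is the installed openssh at or past the fixed version-release, does a downloaded package match the advisory's MD5, and does it carry Red Hat's GPG signature. The script below is an added example that is not code from Red Hat, CIAC or the OpenSSH project. Its version comparison is an rpmvercmp-style comparison simplified to ignore epoch, tilde and caret; its MD5 table is copied from the Red Hat Enterprise Linux (v. 5 server) list above (i386 and x86_64 entries only; the other architectures extend it the same way); and the rpm calls only do anything on an RPM-based host with the Red Hat key imported.

```python
import hashlib
import os
import re
import subprocess

FIXED_VR = "4.3p2-24.el5"   # version-release shipped by RHSA-2007:0540-3

# MD5 sums copied from the advisory's package list (subset, see lead-in).
BULLETIN_MD5 = {
    "openssh-4.3p2-24.el5.src.rpm":            "153a17e8f011bde6d984ce73b92cebff",
    "openssh-4.3p2-24.el5.i386.rpm":           "ba4d6b70e9de7860b5ebe370ca5cdf53",
    "openssh-askpass-4.3p2-24.el5.i386.rpm":   "d7b28f340fe82d28660876ca6bcc0a35",
    "openssh-clients-4.3p2-24.el5.i386.rpm":   "c4216b9a462e5f0462096f1d9b6b8d5f",
    "openssh-server-4.3p2-24.el5.i386.rpm":    "9f17e3dfe06fbbed05f765abd6b2509a",
    "openssh-4.3p2-24.el5.x86_64.rpm":         "67538525ad7cf2f1d310a429b44890c7",
    "openssh-askpass-4.3p2-24.el5.x86_64.rpm": "37118e168b7a55531459b4743d3522fb",
    "openssh-clients-4.3p2-24.el5.x86_64.rpm": "6ce7070b90732f3c837df5cfc9287187",
    "openssh-server-4.3p2-24.el5.x86_64.rpm":  "a7141781bfe5f21f2fc5b192ebf6693e",
}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpmvercmp does
    (simplified: no epoch, tilde or caret): split into numeric and
    alphabetic segments, numbers compare numerically, letters lexically,
    a numeric segment outranks an alphabetic one, and a string with
    segments left over is newer. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True if 'version-release' installed_vr is at or beyond fixed_vr."""
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = fixed_vr.rsplit("-", 1)
    c = rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)
    return c >= 0


def check_package_bytes(filename: str, data: bytes) -> str:
    """'OK', 'MISMATCH', or 'UNKNOWN' when the file is not in the list."""
    expected = BULLETIN_MD5.get(filename)
    if expected is None:
        return "UNKNOWN"
    return "OK" if hashlib.md5(data).hexdigest() == expected else "MISMATCH"


def check_package_file(path: str) -> str:
    with open(path, "rb") as fh:
        return check_package_bytes(os.path.basename(path), fh.read())


def signature_ok(path: str) -> bool:
    """Verify the Red Hat GPG signature on a downloaded RPM. rpm -K exits
    non-zero when the signature or digests fail to verify."""
    return subprocess.run(["rpm", "-K", path], capture_output=True).returncode == 0


def installed_openssh() -> dict:
    """{subpackage: 'version-release'} for installed openssh packages, or
    {} where rpm is absent. Lines such as 'package X is not installed'
    are skipped because they do not split into exactly two tokens."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n",
             "openssh", "openssh-server", "openssh-clients"],
            capture_output=True, text=True).stdout
    except FileNotFoundError:
        return {}
    found = {}
    for line in out.splitlines():
        parts = line.split()
        if len(parts) == 2 and "-" in parts[1]:
            found[parts[0]] = parts[1]
    return found


if __name__ == "__main__":
    for name, vr in installed_openssh().items():
        print(f"{name} {vr}: {'fixed' if is_fixed(vr) else 'VULNERABLE'}")
```

On a host that has already taken a later openssh erratum, is_fixed() still reports it as fixed, because a higher release such as 24.el5_1 or a newer upstream version compares greater; a release-only comparison or a plain string equality check would miss both cases.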