SSH Agent Vulnerabilities

Impact

This document details a vulnerability in the ssh cryptographic login program. The vulnerability enables users to use RSA credentials belonging to other users who use the ssh-agent program. This vulnerability may allow a malicious user/hacker on the same local host to log in to a remote server as the user utilizing ssh.

Background

Secure Shell, or ssh, is a program used to log into another computer over a network, execute commands on a remote machine and move files from one machine to another. It provides strong authentication and secure communications over insecure communication channels. ssh is intended as a replacement for rlogin, rsh and rcp. Additionally, ssh provides secure X connections and secure forwarding of arbitrary TCP connections.

Traditional BSD "r" commands, such as rsh, rlogin and rcp, are vulnerable to a variety of different hacker attacks. A user with "root" access to certain machines on the network, or physical access to the network itself, may be able to gain unauthorized access to systems by exploiting various vulnerabilities found in the BSD "r" commands. Also, it may be possible for a malicious user to log all traffic to and from a target system, including keystrokes and passwords. The X Window System also has a number of vulnerabilities which may be exploited by hackers.

The use of ssh helps to correct these vulnerabilities. Specifically, ssh protects against these attacks: IP spoofing (where the spoofer is on either a remote or local host), IP source routing, DNS spoofing, interception of cleartext passwords/data and attacks based on listening to X authentication data and spoofed connections to an X11 server.

The Problem

The ssh package includes a program called the ssh-agent. The ssh-agent manages the RSA keys for the ssh program, and is used primarily to help users avoid having to type in their pass phrase every time they wish to use ssh, slogin or scp. When invoked, the ssh-agent program creates a mode 700 directory in the /tmp directory, and then creates an AF_UNIX socket in that directory. Later, the user will run a program named ssh-add, which adds his or her private key to the set of keys managed by the ssh-agent program. When a user wishes to utilize a program which requires RSA key authentication, the ssh client connects to the AF_UNIX socket and asks the ssh-agent program for the appropriate key.

The vulnerability lies in the fact that when the ssh client connects to the AF_UNIX socket, it is running as super-user, or root, and performs insufficient permissions checking. This makes it possible for users to trick their ssh clients into using credentials belonging to other users. In other words, any users who utilize RSA authentication and use the ssh-agent program may have their credentials improperly used by a malicious user, who then may improperly access services or programs on a host machine.
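The missing permissions check described above can be illustrated in C. This is an added example, not code from ssh or from the 1.2.22 fix: a client running as root confirms that the agent directory and socket belong to the invoking (real) user before using them. The function names, the /tmp/ssh-example-XXXXXX path and the agent-socket file name are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700   /* for lstat(), mkdtemp(), S_ISSOCK */
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper (not from ssh): 1 if the agent socket at sock_path
 * may be used on behalf of real_uid, 0 otherwise. */
int agent_socket_ok_for(const char *sock_path, uid_t real_uid)
{
    char buf[PATH_MAX];
    struct stat d, s;
    if (strlen(sock_path) >= sizeof(buf)) return 0;
    strcpy(buf, sock_path);              /* dirname() may modify its argument */
    /* lstat, not stat: a symlink planted under /tmp must not be followed. */
    if (lstat(dirname(buf), &d) != 0 || !S_ISDIR(d.st_mode)) return 0;
    if (d.st_uid != real_uid) return 0;              /* someone else's directory */
    if (d.st_mode & (S_IRWXG | S_IRWXO)) return 0;   /* must stay mode 700 */
    if (lstat(sock_path, &s) != 0 || !S_ISSOCK(s.st_mode)) return 0;
    return s.st_uid == real_uid;
}

/* Constructed sample: a mode 700 directory holding a bound AF_UNIX socket,
 * laid out the way the page describes ssh-agent doing it. */
int make_sample(char *dir_template, char *sock, size_t n)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0 || mkdtemp(dir_template) == NULL) return -1;
    snprintf(sock, n, "%s/agent-socket", dir_template);
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, sock, sizeof(sa.sun_path) - 1);
    return bind(fd, (struct sockaddr *)&sa, sizeof(sa));
}

int main(void)
{
    char dir[] = "/tmp/ssh-example-XXXXXX", sock[128];
    if (make_sample(dir, sock, sizeof(sock)) != 0) return 2;
    printf("invoking user: %d\n", agent_socket_ok_for(sock, getuid()));
    printf("another uid:   %d\n", agent_socket_ok_for(sock, getuid() + 1));
    unlink(sock);
    rmdir(dir);
    return 0;
}
```

A check followed by a separate connect is still open to a race between the two calls. A setuid client that switches to the invoking user's uid before connecting lets the kernel enforce the mode 700 directory instead.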

This vulnerability affects the UNIX versions of ssh only. Specifically, ssh for UNIX versions 1.2.17 through 1.2.21 are vulnerable if installed with default permissions. Versions of ssh prior to 1.7.17 are subject to a different (but very similar) attack. Additionally, the F-Secure ssh programs, prior to version 1.3.3, are vulnerable to this attack. Version 1.1 of the Windows-based ssh client, sold by Data Fellows, Inc. under the F-Secure brand name, and versions 1.0/1.0a of the Macintosh ssh client are not vulnerable to this attack. If you are unsure of which version or brand of ssh you are running, type "ssh -v" at the command prompt and that information will be given to you by the system. If you are not sure if your version or brand of ssh is vulnerable to this type of attack, please contact the appropriate vendor.

Resolutions

For those using the non-commercial versions of ssh for UNIX, this vulnerability may be easily fixed. Simply upgrade to SSH version 1.2.22 or later. For those using the F-Secure ssh program, version 1.3.3 fixes this security problem. For those using the Data Fellows ssh package, and who have a support contract, the fix for this vulnerability is to upgrade to version 1.3.3, which may be obtained from a local retailer. If you are using the Data Fellows ssh package, but do not have a support contract, there is a diff file which should fix this vulnerability. This diff file may be obtained from the Data Fellows SSH Web site.

If the above fixes are not practical, or if administrators wish to use a temporary fix until the above resolutions may be implemented, a workaround to this problem is available. The temporary workaround is for administrators to remove the setuid bit from the ssh binary. This will prevent the attack from working, but will also disable a form of authentication documented as rhosts-RSA. For example, if the ssh binary is in the /usr/local/bin directory, the following command will remove the setuid bit from the ssh binary: "chmod u-s /usr/local/bin/ssh".

Where can I read more about this?

This vulnerability is outlined in CERT Advisory 93.08. For more information about the noncommercial UNIX versions of ssh, be sure to visit SSH Communications Security's SSH Web site. If you are using a commercial version of ssh and need more information, please visit Data Fellows, Inc.

CVE Reference(s):