TUCoPS :: Unix :: General
:: ciacm026.txt
OpenSSH UseLogin Privilege Elevation Vulnerability
Privacy and Legal Notice
[CIAC] INFORMATION BULLETIN
M-026: OpenSSH UseLogin Privilege Elevation Vulnerability
December 8, 2001 03:00 GMT
------------------------------------------------------------------------
PROBLEM: Hostile but otherwise legitimate users can use this
vulnerability to execute commands or run arbitrary
code with the privileges of OpenSSH, usually root.
PLATFORM: All operating systems that run versions of OpenSSH
earlier than 3.0.2. These include, but are not limited
to: OpenBSD, FreeBSD, IBM Linux, Debian Linux, Red Hat
Linux.
DAMAGE: When the "UseLogin" option is enabled in OpenSSH, a
malicious user who authenticates using key-based
authentication methods can influence the environment
variables passed to the login process. This could
allow the user to execute arbitrary code with
superuser privileges.
SOLUTION: Upgrade to OpenSSH 3.0.2. Refer to your operating
system vendor's support web page for instructions and
patches.
------------------------------------------------------------------------
VULNERABILITY The risk is Medium. An authorized user account and key
ASSESSMENT: are required on the vulnerable system in order to
exploit this vulnerability.
------------------------------------------------------------------------
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-026.shtml
ORIGINAL http://www.openbsd.org/security.html#30
BULLETIN: http://www.freebsd.org/security/index.html#adv
See: Security Advisory FreeBSD-SA-01:63.openssh.asc
http://www.debian.org/security/2001/dsa-091
http://www.redhat.com/support/errata/RHSA-2001-161.html
http://www.kb.cert.org/vuls/id/157447
------------------------------------------------------------------------
OpenSSH contains a vulnerability that permits an intruder to execute arbitrary
code. When the "UseLogin" option is enabled in OpenSSH, a malicious user who
authenticates using key-based authentication methods can modify the
environment variables passed to the login process. This could allow the user to
execute arbitrary code with "root" privileges. In operating systems that use
OpenSSH, the OpenSSH server has the "UseLogin" option disabled by default.
Therefore, it is not vulnerable unless the system administrator has changed this
setting. It is not necessary or advisable to use the "UseLogin" option when
running OpenSSH. If the "UseLogin" option must be run, then OpenSSH must be
upgraded to version 3.0.2 or later to eliminate the vulnerability.
CIAC has included the vendor information we know about in this bulletin.
While CIAC will add new vendor information as we receive it, you should
always check your vendor's web site to insure you have the latest information.
FreeBSD Refer to web site:
http://www.freebsd.org/security/index.html#adv
Security Advisory FreeBSD-SA-01:63.openssh.asc
Debian Refer to web site:
http://www.debian.org/security/2001/dsa-091
Red Hat Refer to web site:
http://www.redhat.com/support/errata/RHSA-2001-161.html
In addition to the above vendor web sites, it is recommended that the CERT
Vulnerability Note VU#157447 be reviewed. This can be accessed at:
http://www.kb.cert.org/vuls/id/157447
------------------------------------------------------------------------
CIAC wishes to acknowledge the contributions of OpenBSD, Red Hat, FreeBSD,
Debian, and CERT for the information contained in this bulletin.
------------------------------------------------------------------------
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can
be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)
------------------------------------------------------------------------
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
------------------------------------------------------------------------
UCRL-MI-119788
[Privacy and Legal Notice]
Site design & layout copyright © 1986-2025 AOH