
[security-announce] Globus Security Advisory 2008-01: GSI-OpenSSH vulnerability



Globus Security Advisory 2008-01: GSI-OpenSSH vulnerability

Original issue date: April 3 2008
Last revised: None

Software affected: Globus Toolkit releases 4.0.0-4.0.7 and 4.1.0-4.1.3
                   GSI-OpenSSH releases 4.2 and earlier
                   OpenSSH 4.9 and earlier

Specific packages: gsi_openssh

Note: Globus Toolkit 3.2 and earlier did not include GSI-OpenSSH, but
GSI-OpenSSH may have been installed as an add-on package.

Overview:

OpenSSH versions prior to 5.0 contain a locally exploitable security
issue that allows hijacking of X11-forwarded connections:

   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1483

OpenSSH 5.0 was released to address this issue:

   http://www.openssh.org/txt/release-5.0

I. Description

OpenSSH versions prior to 5.0 allow local users to hijack forwarded X
connections.  When sshd sets up X11 forwarding for a session it listens on
a local display port (6010 and up with the default X11DisplayOffset).  If a
local attacker already holds that port on one address family (for example
IPv4), sshd could still bind the other family (IPv6), treat the setup as
successful and export DISPLAY pointing at that port, so X clients started
in the victim's session connect to the attacker's socket instead of the
forwarding channel.  OpenSSH 5.0 refuses to use a display port unless it
binds on all address families.  GSI-OpenSSH enables X forwarding by
default, so every GSI-OpenSSH session on a shared host is exposed.

II. Impact

A local attacker on the GSI-OpenSSH server host can receive the X11 traffic
of another user's forwarded session (unauthorized disclosure), answer it as
if they were the X server (unauthorized modification), and break the
forwarding (disruption of service).  Only an unprivileged local account on
the server is required.

III. Solution

GSI-OpenSSH 4.3, based on OpenSSH 5.0p1, is available for download from:

   http://grid.ncsa.uiuc.edu/ssh/download.html

A GSI patch for OpenSSH 5.0p1 is also available from:

   ftp://ftp.globus.org/pub/gsissh/patch/openssh-5.0p1.patch

We recommend upgrading to GSI-OpenSSH 4.3 / OpenSSH 5.0p1.

Upgrade instructions are available at:

   http://grid.ncsa.uiuc.edu/ssh/install.html

Use 'gsissh -V' or 'gpt-query gsi_openssh' to determine your installed
GSI-OpenSSH version:

   $ gsissh -V
   OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, OpenSSL 0.9.7d 17 Mar 2004
   $ gpt-query gsi_openssh
   1 package was found in /usr/local/gt-4.0.3 that matched your query:

   packages found that matched your query
         gsi_openssh-gcc64dbg-pgm pkg version: 3.7.0 software version:
         GSI-OpenSSH 3.7 / OpenSSH 4.2p1

To determine the version of a GSI-OpenSSH server, run:
   for Bourne shells:
     gsissh -v hostname exit 2>&1 | grep "remote software version"
   for C shells:
     gsissh -v hostname exit |& grep "remote software version"
   (replacing hostname with the hostname of the remote server.)

To mitigate this issue before upgrading, disable X11 forwarding on both
sides.  Note that the client and server use different keywords: remove
"ForwardX11 yes" (or set "ForwardX11 no") in

   $GLOBUS_LOCATION/etc/ssh/ssh_config

and set "X11Forwarding no" in

   $GLOBUS_LOCATION/etc/ssh/sshd_config

(sshd does not accept the ForwardX11 keyword).  The server-side setting is
the one that removes the exposure, since the vulnerable port binding is
done by sshd; the client-side setting only stops this host's users from
requesting forwarding from unpatched servers.  Restart sshd after editing
sshd_config.
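The version check and the configuration check above can be scripted for a
fleet of hosts.  The following script is an added example for this advisory,
not Globus or NCSA code: it classifies an OpenSSH banner (as printed by
'gsissh -V' or by the "remote software version" line of 'gsissh -v') as
fixed or vulnerable to CVE-2008-1483, and reports whether ssh_config /
sshd_config still enable X11 forwarding.  The banners and config files it
runs on are constructed samples modelled on the output shown in this
advisory; the function names are the author's own.

```shell
#!/bin/sh
# Added example, not part of the Globus advisory or GSI-OpenSSH.
# Classifies OpenSSH version banners for CVE-2008-1483 and audits the
# ssh_config / sshd_config X11 forwarding settings.

# openssh_version BANNER -> prints "major.minor" of the OpenSSH release
# named in BANNER, e.g. "OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, ..."
# or "debug1: ... remote software version OpenSSH_5.0p1".  Prints nothing
# if the banner is not an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# x11_hijack_vulnerable BANNER -> exit 0 if the banner is OpenSSH older
# than 5.0 (the release that fixed CVE-2008-1483), 1 if it is 5.0 or
# later, 2 if the software is not OpenSSH and must be checked by hand.
x11_hijack_vulnerable() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    [ "$major" -lt 5 ]
}

# x11_forwarding_enabled FILE KEYWORD -> exit 0 if the first uncommented
# KEYWORD line in FILE says "yes".  OpenSSH uses the first value it reads
# for a keyword, so later duplicates are ignored; an absent keyword means
# the compiled-in default, which is "no" for both ForwardX11 (ssh_config)
# and X11Forwarding (sshd_config).  Host/Match blocks are not evaluated.
x11_forwarding_enabled() {
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 |
          awk '{ print tolower($2) }')
    [ "$val" = "yes" ]
}

# --- demonstration on constructed samples ---
for banner in \
    "OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, OpenSSL 0.9.7d 17 Mar 2004" \
    "debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0p1-hpn GSI" \
    "debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1"
do
    x11_hijack_vulnerable "$banner" && rc=0 || rc=$?
    case $rc in
        0) echo "VULNERABLE (OpenSSH < 5.0):  $banner" ;;
        1) echo "fixed (OpenSSH >= 5.0):      $banner" ;;
        *) echo "not OpenSSH, check by hand:  $banner" ;;
    esac
done

# Constructed config files standing in for $GLOBUS_LOCATION/etc/ssh/*.
tmp=$(mktemp -d)
cat > "$tmp/ssh_config" <<'EOF'
# constructed sample: GSI-OpenSSH client default, forwarding still on
Host *
    ForwardX11 yes
EOF
cat > "$tmp/sshd_config" <<'EOF'
# constructed sample: server already mitigated; the commented line and
# the later duplicate must not count
#X11Forwarding yes
X11Forwarding no
X11Forwarding yes
EOF
for pair in "ssh_config ForwardX11" "sshd_config X11Forwarding"; do
    set -- $pair
    if x11_forwarding_enabled "$tmp/$1" "$2"; then
        echo "$1: $2 is enabled, mitigation NOT applied"
    else
        echo "$1: $2 is off"
    fi
done
rm -rf "$tmp"
```

Run it against the real files by replacing the constructed samples with
$GLOBUS_LOCATION/etc/ssh/ssh_config and sshd_config, and feed the banner
functions the single line returned by the 'gsissh -v hostname exit' grep
shown above.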

SHA1 checksums:
6a43e4a1f7594ee684ba88c408c5d337b338ed86  gsi_openssh-4.3-src.tar.gz
7e750984699c289b0964128153cdc634f0fd1204  gsi_openssh_bundle-4.3-src.tar.gz
e782f0b44c7101069ad470d9a4273d9332bac9f4  gsi_openssh_compat-4.3-src.tar.gz
5baa6c2fcca85bbbe8d4bd601d6855f01dbeff4b  gsi_openssh_setup-4.3-src.tar.gz

MD5 checksums:
24686ed1d46ce2e52e4c018556b4b164  gsi_openssh-4.3-src.tar.gz
4755f11dbb95804efd01c7f12eebdc5b  gsi_openssh_bundle-4.3-src.tar.gz
ddc5caca804c5583f1a7ef12350ee2dd  gsi_openssh_compat-4.3-src.tar.gz
1c5140f63f86e8fd38e7c2e2da55bb11  gsi_openssh_setup-4.3-src.tar.gz
