Does anyone know about these vulnerabilities?
A vulnerability exists in the default configuration of the OpenSSH client that
could be used to compromise the security of a client machine. By
default, ssh clients will negotiate to forward X connections. This is done
using the xauth program to place cookies in the authorization cache of
the remote machine for the user logging in. If the superuser on the
remote host cannot be trusted, or the root account has been
compromised, the xauth key can be read from the user's .Xauthority file,
and used to connect to the client machine. This can result in a wide
range of compromises on the client host.
OpenSSH is a free derivative of ssh1, a secure remote login tool. An
option that can be set (and that is set to 'no' by default in most distributions) is to
use the login program (the option is 'UseLogin'). When UseLogin is
turned on, sshd doesn't set the uid of the person logging in to what it
should be, it remains running as root. This can be exploited if a
command is specified (to be executed) on the target host running sshd
via the ssh client. Since instead of logging in, a command is being run,
"login" is not used and therefore cannot set the correct userid. Any
command executed remotely via ssh where "UseLogin" is on will execute
as root, leading to a trivial compromise.
What versions are they in? What can be done about them (I'm more curious about
the first one since, IMHO, UseLogin should never be turned on anyway).
Where can I find documentation on more vulnerabilities?
Thanks,
Noel
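An added example, not part of the original message: a small audit that reads an OpenSSH client and server configuration and reports where X11 forwarding or UseLogin is switched on. `ForwardX11` is the standard client keyword for X forwarding; the function names and the sample configurations are constructed for illustration.

```python
import re

def parse(text):
    """Yield (section, keyword, value) for each setting in an OpenSSH config."""
    section = "*"  # settings before any Host/Match line apply to everything
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or by '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in ("host", "match"):
            section = value
        else:
            yield section, key, value

def setting(text, keyword):
    """Return {section: value}; the first value seen in a section wins."""
    found = {}
    for section, key, value in parse(text):
        if key == keyword.lower():
            found.setdefault(section, value.lower())
    return found

def findings(client_cfg, server_cfg):
    """List the settings that expose the two issues described in the message."""
    out = []
    x11 = setting(client_cfg, "ForwardX11")
    for section, value in x11.items():
        if value == "yes":
            out.append(f"client: ForwardX11 yes for Host {section}")
    if "*" not in x11:  # nothing explicit, so the version's built-in default applies
        out.append("client: ForwardX11 not set for all hosts")
    if setting(server_cfg, "UseLogin").get("*") == "yes":
        out.append("server: UseLogin yes")
    return out

# Constructed sample configurations, not taken from any real host.
CLIENT = """
Host build.example.org
    ForwardX11 = yes
Host *
    ForwardX11 no
    ForwardX11 yes
"""
SERVER = "Port 22\nUseLogin yes\n"

if __name__ == "__main__":
    print("\n".join(findings(CLIENT, SERVER)))
```

An explicit `ForwardX11 no` under `Host *` in the client configuration and `UseLogin no` in the server configuration clear every finding.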