From security-advisories@freebsd.org Thu Jul 13 01:36:23 2000 From: FreeBSD Security Advisories To: BUGTRAQ@SECURITYFOCUS.COM Date: Wed, 7 Jun 2000 17:17:16 -0700 Subject: FreeBSD Security Advisory: FreeBSD-SA-00:21.ssh [REVISED] -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:21 Security Advisory FreeBSD, Inc. Topic: ssh port listens on extra network port [REVISED] Category: ports Module: ssh Announced: 2000-06-07 Credits: Jan Koum Affects: Ports collection. Corrected: 2000-04-21 FreeBSD only: Yes I. Background SSH is an implementation of the Secure Shell protocol for providing encrypted and authenticated communication between networked machines. II. Problem Description A patch added to the FreeBSD SSH port on 2000-01-14 incorrectly configured the SSH daemon to listen on an additional network port, 722, in addition to the usual port 22. This change was made as part of a patch to allow the SSH server to listen on multiple ports, but the option was incorrectly enabled by default. This may cause a violation of security policy if the additional port is not subjected to the same access-controls (e.g. firewallling) as the standard SSH port. Note this is not a vulnerability associated with the SSH software itself, and it is not likely to be a risk for the majority of installations, since a remote user must still have valid SSH credentials in order to access the SSH server on the alternate port. The risk is that users may be able to access the SSH server from IP addresses which are prohibited to connect to the standard port. The ssh port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3300 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. FreeBSD 4.0 ships with OpenSSH, a free implementation of the SSH protocol, included within the base system. OpenSSH does not suffer from this misconfiguration. III. Impact Remote users with valid SSH credentials may access the ssh server on a non-standard port, potentially bypassing IP address access controls on the standard SSH port. If you have not chosen to install the ssh port/package, or installed it prior to 2000-01-14 or after 2000-04-21, then your system is not vulnerable to this problem. IV. Workaround One of the following: 1) Comment out the line "Port 722" in /usr/local/etc/sshd_config and restart sshd 2) Add filtering rules to your perimeter firewall, or on the local machine (using ipfw or ipf) to limit connections to port 722. 3) Deinstall the ssh port/package, if you you have installed it. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the ssh port. 2) download a new port skeleton for the ssh port from: http://www.freebsd.org/ports/ and use it to rebuild the port. Note that packages are not provided for the ssh port. 3) Use the portcheckout utility to automate option (2) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz VI. Revision History v1.0 2000-06-07 Initial release v1.1 2000-06-07 Corrected typo in name of sshd config file -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOT7lF1UuHi5z0oilAQHLaQP+LyCyEfrzDh63awRl8swXzHLpYib1upd+ nUbctw+HOc7GfWGCUFfzhTUWvuwjqx43reE1XSX5ETXm4nVKwMDCum35FomlrUB+ 3LQeXHgsogeTmGzNoWqaJBhvC7ffMBWZrW4JFokasyWbOgJhhWiklBRVojkale0Y e+CNOgK3f3U= =no4A -----END PGP SIGNATURE-----