From supinfo@caldera.com Sat Dec 15 01:16:39 2001
From: Support Info
To: announce@lists.caldera.com, bugtraq@securityfocus.com, linux-security@redhat.com, linuxlist@securityportal.com
Date: Fri, 14 Dec 2001 15:26:43 -0700
Subject: Security Update: [CSSA-2001-042.1] Linux - Local vulnerability in OpenSSH

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                   Caldera International, Inc.  Security Advisory

Subject:                Linux - Local vulnerability in OpenSSH
Advisory number:        CSSA-2001-042.1
Issue date:             2001, December 14
Cross reference:        CSSA-2001-042.0
______________________________________________________________________________


1. Problem Description

   This is a revised advisory for the 'UseLogin' vulnerability. The
   original advisory declared the vulnerability as a remote vulnerability,
   which is not the case. The vulnerability requires the attacker to have
   a local account, making it a local vulnerability.

   The OpenSSH team has reported a vulnerability in the OpenSSH server
   that allows local users to obtain root privileges if the server has
   the UseLogin option enabled. This option is off by default on
   OpenLinux, so a default installation is not vulnerable. We
   nevertheless recommend that our customers upgrade to the fixed
   packages.

2. Vulnerable Versions

   System                          Package
   -----------------------------------------------------------
   OpenLinux 2.3                   not vulnerable

   OpenLinux eServer 2.3.1         All packages previous to
   and OpenLinux eBuilder          openssh-2.9p2-4

   OpenLinux eDesktop 2.4          All packages previous to
                                   openssh-2.9p2-4

   OpenLinux Server 3.1            All packages previous to
                                   openssh-2.9p2-4

   OpenLinux Workstation 3.1       All packages previous to
                                   openssh-2.9p2-4

3. Solution

   Workaround

   Make sure that you do not have the UseLogin option enabled. In
   /etc/ssh/sshd_config, the UseLogin option should either be commented
   out or set to "no".

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

   not vulnerable

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:
       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS

       The corresponding source code package can be found at:
       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       4750b4dc110bcdb9a06f275422486d22  RPMS/openssh-2.9p2-4.i386.rpm
       2ccef9bbd5c51ac9ee3ea7bdb0cad5e8  RPMS/openssh-askpass-2.9p2-4.i386.rpm
       db4931cfa21ef0312ca9f7baaea9d19d  RPMS/openssh-server-2.9p2-4.i386.rpm
       50511f127c8215bce46d6082aa924aa9  SRPMS/openssh-2.9p2-4.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

       rpm -Fvh openssh-2.9p2-4.i386.rpm \
                openssh-askpass-2.9p2-4.i386.rpm \
                openssh-server-2.9p2-4.i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:
       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS

       The corresponding source code package can be found at:
       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       67227fa9552a81465786e23b82347b7b  RPMS/openssh-2.9p2-4.i386.rpm
       80693bc40f533ed757a2cc3aa7ad2dbc  RPMS/openssh-askpass-2.9p2-4.i386.rpm
       3cbd5f69eb010de1dad17c25b85bcc6f  RPMS/openssh-server-2.9p2-4.i386.rpm
       50511f127c8215bce46d6082aa924aa9  SRPMS/openssh-2.9p2-4.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

       rpm -Fvh openssh-2.9p2-4.i386.rpm \
                openssh-askpass-2.9p2-4.i386.rpm \
                openssh-server-2.9p2-4.i386.rpm

7. OpenLinux 3.1 Server

   7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:
       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

       The corresponding source code package can be found at:
       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   7.2 Verification

       2b214778e58a252b5fa6efda93564ec9  RPMS/openssh-2.9p2-4.i386.rpm
       a7cbe46794f3e2ccd9db54844d6500a2  RPMS/openssh-askpass-2.9p2-4.i386.rpm
       eb5f164e76adf62b19d8d7ce8bd4e121  RPMS/openssh-server-2.9p2-4.i386.rpm
       50511f127c8215bce46d6082aa924aa9  SRPMS/openssh-2.9p2-4.src.rpm

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

       rpm -Fvh openssh-2.9p2-4.i386.rpm \
                openssh-askpass-2.9p2-4.i386.rpm \
                openssh-server-2.9p2-4.i386.rpm

8. OpenLinux 3.1 Workstation

   8.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:
       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

       The corresponding source code package can be found at:
       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   8.2 Verification

       2b214778e58a252b5fa6efda93564ec9  RPMS/openssh-2.9p2-4.i386.rpm
       a7cbe46794f3e2ccd9db54844d6500a2  RPMS/openssh-askpass-2.9p2-4.i386.rpm
       eb5f164e76adf62b19d8d7ce8bd4e121  RPMS/openssh-server-2.9p2-4.i386.rpm
       50511f127c8215bce46d6082aa924aa9  SRPMS/openssh-2.9p2-4.src.rpm

   8.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

       rpm -Fvh openssh-2.9p2-4.i386.rpm \
                openssh-askpass-2.9p2-4.i386.rpm \
                openssh-server-2.9p2-4.i386.rpm

9. References

   This and other Caldera security resources are located at:
   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 11153.

10. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any
   of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

11. Acknowledgements

   Caldera wishes to thank Markus Friedl of the OpenSSH team for
   notifying vendor-sec.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8Gca218sy83A/qfwRAikTAJ96ZKjZswsMyVbaftCOLPt38y4KUgCffHmD
1mVHgdJs4ke3eXT0X9nTFsE=
=JwCc
-----END PGP SIGNATURE-----
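The UseLogin workaround from section 3 of the advisory, as an added example that is not part of the Caldera advisory or of OpenSSH: a POSIX sh audit that reports whether an sshd_config effectively enables UseLogin, following sshd's own reading of the file (the first occurrence of a keyword wins, the keyword is case-insensitive, `#` starts a comment, and both the `Key value` and `Key=value` spellings are accepted), plus a function that applies the advisory's fix by commenting out every UseLogin line and appending an explicit `UseLogin no`. The function names `uselogin_enabled`, `disable_uselogin` and `make_sample_config`, and the sample configurations they operate on, are assumptions constructed for this demonstration, not real OpenLinux files.

```shell
#!/bin/sh
# Added example (not from the Caldera advisory or OpenSSH): audit an
# sshd_config for the UseLogin option and apply the section 3 workaround.
# The sample configs written by make_sample_config are constructed.

# Return 0 if UseLogin is effectively enabled in $1 (default
# /etc/ssh/sshd_config), 1 if it is "no", commented out or absent, and 2 if
# the file cannot be read. Parsing mirrors sshd: first occurrence wins,
# keyword is case-insensitive, '#' starts a comment, "Key value" or "Key=value".
uselogin_enabled() {
    cfg="${1:-/etc/ssh/sshd_config}"
    [ -r "$cfg" ] || return 2
    awk '
        { sub(/#.*/, "") }                  # drop comments
        /^[ \t]*$/ { next }                 # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == "uselogin") {
                found = 1
                rc = (tolower(f[2]) == "yes") ? 0 : 1
                exit rc                     # first occurrence wins
            }
        }
        END { exit (found ? rc : 1) }       # absent keyword: not enabled
    ' "$cfg"
}

# Workaround from section 3: comment out every UseLogin line and append an
# explicit "UseLogin no". Rewrites $1 in place through a temporary copy.
disable_uselogin() {
    cfg="$1"
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == "uselogin") print "#" $0; else print
        }
        END { print "UseLogin no" }
    ' "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
}

# Write a constructed sample config: $1 = path, $2 = weak|safe|commented|absent
make_sample_config() {
    case "$2" in
        weak)      printf '%s\n' 'Port 22' '  useLogin = YES  # session via login(1)' 'PermitRootLogin no' ;;
        safe)      printf '%s\n' 'Port 22' 'UseLogin no' 'UseLogin yes' ;;   # second line is ignored by sshd
        commented) printf '%s\n' 'Port 22' '#UseLogin yes' ;;
        absent)    printf '%s\n' 'Port 22' 'PermitRootLogin no' ;;
    esac > "$1"
}

# Demonstration on the constructed files.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
for variant in weak safe commented absent; do
    make_sample_config "$tmp/$variant" "$variant"
    if uselogin_enabled "$tmp/$variant"; then
        echo "$variant: UseLogin ENABLED, applying workaround"
        disable_uselogin "$tmp/$variant"
    else
        echo "$variant: ok"
    fi
done
```

Run `uselogin_enabled` as root against the live /etc/ssh/sshd_config to confirm a host's state. sshd reads its configuration only when it starts, so after editing the file the daemon must be restarted (or sent SIGHUP) for the change to take effect; the audit on the file alone does not tell you what the running sshd loaded.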