CVE-2003-0386
CVSS 7.5
Published: 2003-07-02 00:00:00
Last revised: 2010-08-21 00:15:57
NMCOS    

[Original] OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address.


[CNNVD] OpenSSH Remote Client Address Restriction Bypass Vulnerability (CNNVD-200307-007)

        
OpenSSH provides several mechanisms for restricting client access to a server: an individual user can use the "from=" option in the $HOME/.ssh/authorized_keys file, and sshd_config can use '@' to restrict certain users to logging in from certain hosts. Host patterns work like Unix glob file matching, with ? and * as wildcards, and both IP addresses and hostnames can be used in a pattern.
OpenSSH's implementation of reverse resolution of the client host is flawed. A remote attacker can exploit this to bypass SSH "from=" and "user@hosts" restrictions by spoofing the hostname returned by the reverse lookup of a numeric IP address.
When a hostname is specified, a reverse lookup is performed on the client host's IP address, but an attacker who controls the DNS server can forge the result. When a plain IP address is given, an attacker who controls the DNS server that resolves their host can bypass OpenSSH's "from=" and "user@hosts" restrictions by returning a DNS reply that contains an arbitrary numeric IP address.
This vulnerability gives attackers who cannot reach the server directly a way in; for example, a former employee who still holds a password or private key but is subject to network restrictions can bypass those restrictions to access the system.
The commercial F-Secure SSH-1 and SSH2 versions are not affected by this vulnerability.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9894 OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attack...
*OVAL describes in detail how to detect this vulnerability; the related OVAL definition contains further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0386
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0386
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200307-007
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/978316
(VENDOR_ADVISORY)  CERT-VN  VU#978316
http://www.securityfocus.com/archive/1/324016/2003-06-03/2003-06-09/0
(VENDOR_ADVISORY)  BUGTRAQ  20030605 OpenSSH remote clent address restriction circumvention
http://lists.apple.com/mhonarc/security-announce/msg00038.html
(UNKNOWN)  CONFIRM  http://lists.apple.com/mhonarc/security-announce/msg00038.html
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
http://www.securityfocus.com/bid/7831
(UNKNOWN)  BID  7831
http://www.redhat.com/support/errata/RHSA-2006-0698.html
(UNKNOWN)  REDHAT  RHSA-2006:0698
http://www.redhat.com/support/errata/RHSA-2006-0298.html
(UNKNOWN)  REDHAT  RHSA-2006:0298
http://support.avaya.com/elmodocs2/security/ASA-2006-174.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-174.htm
http://secunia.com/advisories/23680
(UNKNOWN)  SECUNIA  23680
http://secunia.com/advisories/22196
(UNKNOWN)  SECUNIA  22196
http://secunia.com/advisories/21724
(UNKNOWN)  SECUNIA  21724
http://secunia.com/advisories/21262
(UNKNOWN)  SECUNIA  21262
http://secunia.com/advisories/21129
(UNKNOWN)  SECUNIA  21129
ftp://patches.sgi.com/support/free/security/advisories/20060703-01-U.asc
(UNKNOWN)  SGI  20060703-01-P

- Vulnerability information

OpenSSH Remote Client Address Restriction Bypass Vulnerability
High risk   Design error
2003-07-02 00:00:00 2006-03-28 00:00:00
Remote
        
        

- Advisories and patches

Temporary workarounds:
If you cannot install a patch or upgrade right away, CNNVD recommends the following measures to reduce the threat:
* Enable 'VerifyReverseMapping' on the sshd server. This slows down logins when the client has no reverse DNS entry, but with the VerifyReverseMapping option in sshd_config (default 'no') enabled, sshd performs both forward and reverse DNS lookups and requires the IP address and hostname to match, which prevents spoofing.
* Consider using tcp-wrappers to restrict access by address.
* Consider using packet filtering or a firewall to restrict access by address.
Vendor patches:
OpenSSH
-------
The vendor has not yet released a patch or upgrade; we recommend that users of this software keep an eye on the vendor's homepage for the latest version:

http://www.openssh.com/
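To make the mechanism in the vulnerability description and the VerifyReverseMapping workaround concrete, here is a simplified model of how a from= host pattern is checked against a connecting client, with verification off and on. This is example code written for this page, not OpenSSH's own code: the glob matcher and the lookup flow are a simplification of sshd's behaviour as described above, and the resolver is an in-memory stub holding constructed PTR and A records (the addresses and names are made up) so that it runs offline.

```python
"""Simplified model of an sshd "from=" host-pattern check, with and without
forward-confirmed reverse DNS (the VerifyReverseMapping workaround).
Added example for this page, not OpenSSH code. The resolver is an in-memory
stub holding constructed records so everything runs offline."""
from typing import Dict, List, Optional

# Constructed DNS data. 10.0.0.0/8 stands in for the trusted internal network,
# 203.0.113.0/24 (an RFC 5737 documentation range) for an outside client.
PTR_RECORDS: Dict[str, str] = {
    "10.0.0.5": "build01.corp.example",
    # Whoever runs the reverse zone for 203.0.113.0/24 answers with a name
    # that happens to contain an address from the trusted network.
    "203.0.113.7": "10.0.0.5.corp.example",
}
A_RECORDS: Dict[str, List[str]] = {
    "build01.corp.example": ["10.0.0.5"],
    # corp.example's forward zone has no "10.0.0.5.corp.example" record.
}


def match_pattern(pattern: str, text: str) -> bool:
    """Case-insensitive glob match with '*' (any run of characters) and
    '?' (exactly one character), as the host patterns described above use."""
    p, t = pattern.lower(), text.lower()

    def rec(i: int, j: int) -> bool:
        while i < len(p):
            if p[i] == "*":
                # '*' may consume zero or more characters of the text.
                return any(rec(i + 1, k) for k in range(j, len(t) + 1))
            if j >= len(t) or (p[i] != "?" and p[i] != t[j]):
                return False
            i, j = i + 1, j + 1
        return j == len(t)

    return rec(0, 0)


def reverse_lookup(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> List[str]:
    return A_RECORDS.get(name, [])


def remote_hostname(ip: str, verify_reverse_mapping: bool) -> str:
    """Name used for the client: the PTR answer, or, when verification is on
    and that name does not resolve back to ip, the numeric address itself."""
    name = reverse_lookup(ip)
    if name is None:
        return ip
    if verify_reverse_mapping and ip not in forward_lookup(name):
        # Forward and reverse records disagree: distrust the PTR answer.
        return ip
    return name


def from_option_allows(patterns: str, ip: str, verify_reverse_mapping: bool) -> bool:
    """Evaluate a from="..." option (comma-separated patterns, '!' negates)
    against both the client's hostname and its address."""
    host = remote_hostname(ip, verify_reverse_mapping)
    allowed = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if match_pattern(pat, host) or match_pattern(pat, ip):
            if negate:
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    option = "10.0.0.*"
    for ip in ("10.0.0.5", "203.0.113.7"):
        for verify in (False, True):
            flag = "yes" if verify else "no"
            print(f"client {ip:<12} VerifyReverseMapping={flag:<3} "
                  f"host={remote_hostname(ip, verify):<22} "
                  f"allowed={from_option_allows(option, ip, verify)}")
```

With verification off, the client at 203.0.113.7 is accepted because the name its reverse zone returns, 10.0.0.5.corp.example, satisfies the 10.0.0.* glob even though the address does not. With verification on, that name does not resolve back to 203.0.113.7, so only the numeric address is matched and the login is refused. Note that forward confirmation only helps while the returned name's forward zone is outside the control of whoever runs the reverse zone; upgrading to a fixed release is the durable fix, and the workaround is a stopgap.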

- Vulnerability information

2112
OpenSSH Reverse DNS Lookup Bypass
Local Access Required, Remote / Network Access Authentication Management, Input Manipulation
Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

OpenSSH could allow a remote attacker to gain unauthorized access to the network. If the 'VerifyReverseMapping' flag is disabled, which is the default setting, a remote attacker using their own DNS (Domain Name System) server to control reverse lookup responses can employ DNS spoofing techniques to bypass login restrictions and gain unauthorized access to the network.

- Timeline

2003-06-05 2003-06-05
2003-06-05 Unknown

- Solution

Upgrade to version 3.6.2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: enable the 'VerifyReverseMapping' flag in the sshd_config file.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

OpenSSH Reverse DNS Lookup Access Control Bypass Vulnerability
Design Error 7831
Yes No
2003-06-05 12:00:00 2006-10-02 08:10:00
Discovery of this vulnerability credited to Mike Harding <mvh@welkyn.com>.

- Affected program versions

SGI ProPack 3.0 SP6
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1
OpenSSH OpenSSH 3.6.1 p2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Trustix Secure Linux 2.0
OpenSSH OpenSSH 3.6.1 p1
+ OpenPKG OpenPKG Current
+ Slackware Linux 9.0
+ Slackware Linux -current
OpenSSH OpenSSH 3.6.1
+ Novell Netware 6.5
OpenSSH OpenSSH 3.5
OpenSSH OpenSSH 3.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ IBM AIX 5.1 L
+ IBM AIX 4.3.3
+ Immunix Immunix OS 7+
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ Slackware Linux 8.1
OpenSSH OpenSSH 3.4
OpenSSH OpenSSH 3.3 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
OpenSSH OpenSSH 3.3
+ Openwall Openwall GNU/*/Linux (Owl)-current
OpenSSH OpenSSH 3.2.3 p1
OpenSSH OpenSSH 3.2.2 p1
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
OpenSSH OpenSSH 3.2
+ OpenBSD OpenBSD 3.1
OpenSSH OpenSSH 3.1 p1
+ Juniper Networks NetScreen-IDP 10 3.0 r2
+ Juniper Networks NetScreen-IDP 10 3.0 r1
+ Juniper Networks NetScreen-IDP 10 3.0
+ Juniper Networks NetScreen-IDP 100 3.0 r2
+ Juniper Networks NetScreen-IDP 100 3.0 r1
+ Juniper Networks NetScreen-IDP 100 3.0
+ Juniper Networks NetScreen-IDP 1000 3.0 r2
+ Juniper Networks NetScreen-IDP 1000 3.0 r1
+ Juniper Networks NetScreen-IDP 1000 3.0
+ Juniper Networks NetScreen-IDP 500 3.0 r2
+ Juniper Networks NetScreen-IDP 500 3.0 r1
+ Juniper Networks NetScreen-IDP 500 3.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.3
+ RedHat Linux 7.2
+ RedHat Linux 7.1
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Slackware Linux 8.1
+ Sun Linux 5.0.7
+ Sun Solaris 9
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
OpenSSH OpenSSH 3.1
OpenSSH OpenSSH 3.0.2 p1
+ Guardian Digital Engarde Secure Linux 1.0.1
+ HP VirtualVault 4.6
OpenSSH OpenSSH 3.0.2
- Debian Linux 3.0
+ FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
+ FreeBSD FreeBSD 4.5 -RELEASE
+ OpenPKG OpenPKG 1.0
+ Openwall Openwall GNU/*/Linux 0.1 -stable
+ S.u.S.E. Linux 8.0
OpenSSH OpenSSH 3.0.1 p1
OpenSSH OpenSSH 3.0.1
OpenSSH OpenSSH 3.0 p1
OpenSSH OpenSSH 3.0
Avaya Integrated Management 2.1
Avaya Integrated Management
Avaya CVLAN

- Vulnerability discussion

A vulnerability has been reported for OpenSSH that may allow unauthorized access to an OpenSSH server's login mechanism.

The vulnerability occurs because of the way OpenSSH restricts access. It's possible to configure OpenSSH to restrict access based on certain patterns. When a numeric IP address is provided as the host that is attempting a connection, an attacker can trick the OpenSSH server to allow access.

- Exploit

No exploit is required.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

Please see the referenced advisories for more information.

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites