Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: normal
Tags: security

Hello,

CAN-2004-1653 reads:

  The default configuration for OpenSSH enables AllowTcpForwarding, which
  could allow remote authenticated users to perform a port bounce, when
  configured with an anonymous access program such as AnonCVS. If the
  target system resides behind a firewall, this can allow the remote user
  to bypass the firewall.

  Impact: A remote authenticated user can cause the target service to
  forward connections to arbitrary ports on arbitrary hosts.

The sshd_config man page reads:

  AllowTcpForwarding
      Specifies whether TCP forwarding is permitted. The default is "yes".
      Note that disabling TCP forwarding does not improve security unless
      users are also denied shell access, as they can always install their
      own forwarders.

This CAN can be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1653

More information is located here:
http://marc.theaimsgroup.com/?l=bugtraq&m=109413637313484&w=2
http://www.securitytracker.com/alerts/2004/Sep/1011143.html
http://xforce.iss.net/xforce/xfdb/17213

Solution: Set the default /etc/ssh/sshd_config file to have:

  AllowTcpForwarding no

Micah

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages ssh depends on:
ii  adduser         3.59            Add and remove users and groups
ii  debconf         1.4.30.11       Debian configuration management sy
ii  dpkg            1.10.26         Package maintenance system for Deb
ii  libc6           2.3.2.ds1-20    GNU C Library: Shared libraries an
ii  libpam-modules  0.76-22         Pluggable Authentication Modules f
ii  libpam-runtime  0.76-22         Runtime support for the PAM librar
ii  libpam0g        0.76-22         Pluggable Authentication Modules l
ii  libssl0.9.7     0.9.7e-2        SSL shared libraries
ii  libwrap0        7.6.dbs-6       Wietse Venema's TCP wrappers libra
ii  zlib1g          1:1.2.2-3       compression library - runtime

-- debconf information excluded
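As an added example (not part of Micah's report or of the ssh package), the shell function below reports the global AllowTcpForwarding value an sshd_config text yields, applying the sshd_config rules that the first occurrence of a keyword wins and that keywords after a Match line (a feature of later OpenSSH releases than the 3.8.1p1 in this report) apply only to matching connections; the config fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compute the effective global AllowTcpForwarding value of an
# sshd_config text read on stdin. sshd keeps the FIRST value of a keyword,
# accepts "key=value", and treats keywords after a "Match" line as
# conditional, so they do not change the global setting.
effective_tcp_forwarding() {
    awk '
        BEGIN { val = "yes" }                    # OpenSSH default when unset
        { sub(/^[ \t]+/, "") }                   # drop leading indentation
        /^#/ || /^$/ { next }                    # skip comments and blanks
        { n = split($0, f, /[ \t=]+/) }          # "keyword value" or "key=value"
        tolower(f[1]) == "match" { exit }        # the rest is per-connection
        tolower(f[1]) == "allowtcpforwarding" {  # first occurrence wins
            if (n >= 2) val = tolower(f[2])
            exit
        }
        END { print val }
    '
}

# Constructed sshd_config fragments.
CFG_HARDENED='# Disable port bouncing as proposed in the bug report
AllowTcpForwarding no'

# A grep for "AllowTcpForwarding no" would pass this file, yet sshd keeps the
# first value it sees, so forwarding stays enabled.
CFG_SHADOWED='AllowTcpForwarding yes
AllowTcpForwarding no'

# Only the anoncvs account is restricted; every other user keeps the default.
CFG_MATCH_ONLY='PermitRootLogin no
Match User anoncvs
    AllowTcpForwarding no'

check() {  # $1 = label, $2 = config text
    printf '%-11s AllowTcpForwarding=%s\n' "$1" \
        "$(printf '%s\n' "$2" | effective_tcp_forwarding)"
}

check hardened   "$CFG_HARDENED"    # no
check shadowed   "$CFG_SHADOWED"    # yes
check match-only "$CFG_MATCH_ONLY"  # yes
```

On OpenSSH releases that support it, `sshd -T` prints the configuration the daemon actually applies and is the authoritative check on a live host.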