__________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

               OpenSSH UseLogin Privilege Elevation Vulnerability

December 8, 2001 03:00 GMT                                        Number M-026
______________________________________________________________________________
PROBLEM:       Hostile but otherwise legitimate users can use this 
               vulnerability to execute commands or run arbitrary code with 
               the privileges of OpenSSH, usually root. 
PLATFORM:      All operating systems that run versions of OpenSSH earlier than 
               3.0.2. These include, but are not limited to: OpenBSD, FreeBSD, 
               IBM Linux, Debian Linux, Red Hat Linux. 
DAMAGE:        When the "UseLogin" option is enabled in OpenSSH, a malicious 
               user who authenticates using key-based authentication methods 
               can influence the environment variables passed to the login 
               process. This could allow the user to execute arbitrary code 
               with superuser privileges. 
SOLUTION:      Upgrade to OpenSSH 3.0.2. Refer to your operating system 
               vendor's support web page for instructions and patches. 
______________________________________________________________________________
VULNERABILITY  The risk is Medium. An authorized user account and key are 
ASSESSMENT:    required on the vulnerable system in order to exploit this 
               vulnerability. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-026.shtml 
 ORIGINAL BULLETIN:  http://www.freebsd.org/security/index.html#adv,
                      See:  Security Advisory FreeBSD-SA-01:63.openssh.asc
                     http://www.debian.org/security/2001/dsa-091
                     http://www.redhat.com/support/errata/RHSA-2001-161.html
                     http://www.kb.cert.org/vuls/id/157447
______________________________________________________________________________

OpenSSH contains a vulnerability that permits an intruder to execute arbitrary 
code. When the "UseLogin" option is enabled in OpenSSH, a malicious user who 
authenticates using key-based authentication methods can modify the 
environment variables passed to the login process.  This could allow the user to
execute arbitrary code with "root" privileges. In operating systems that use 
OpenSSH, the OpenSSH server has the "UseLogin" option disabled by default.
Therefore, it is not vulnerable unless the system administrator has changed this 
setting. It is not necessary or advisable to use the "UseLogin" option when
running OpenSSH. If the "UseLogin" option must be run, then OpenSSH must be 
upgraded to version 3.0.2 or later to eliminate the vulnerability.

CIAC has included the vendor information we know about in this bulletin.  
While CIAC will add new vendor information as we receive it, you should 
always check your vendor's web site to insure you have the latest information.

FreeBSD	Refer to web site:
http://www.freebsd.org/security/index.html#adv
Security Advisory FreeBSD-SA-01:63.openssh.asc

Debian	Refer to web site:
http://www.debian.org/security/2001/dsa-091

Red Hat	Refer to web site:
http://www.redhat.com/support/errata/RHSA-2001-161.html

In addition to the above vendor web sites, it is recommended that the CERT 
Vulnerability Note VU#157447 be reviewed. This can be accessed at: 
http://www.kb.cert.org/vuls/id/157447
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of OpenSSH, OpenBSD, Red Hat,
FreeBSD, Debian, and CERT for the information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.


This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-016: Internet Explorer, Cumulative Vulnerabilities Patch 
M-017: Multiple SSH Vulnerabilities
M-018: Cisco - Multiple Vulnerabilities in ACL Implementations
M-019: Multiple Vendor CDE dtpscd Process Buffer Overflow
M-020: SGI Multiple Local SendMail Vulnerability
M-021: Hewlett-Packard Remote Logic Flaw Vulnerability in rlpdaemon
M-022: SGI IRIX shells create temporary files insecurely
M-023: Multiple Vendor wu-ftdp File Globbing Heap Corruption Vulnerability
M-024: Microsoft Internet Explorer calls telnet.exe with unsafe command-line arguments
M-025: IRIX NEdit Vulnerability