{"vuid":"VU#905795","idnumber":"905795","name":"OpenSSH fails to properly apply source IP based access control restrictions","keywords":["OpenSSH","source IP","access control restrictions","authorized_keys2"],"overview":"OpenSSH is an implementation of the Secure Shell protocol. A user may be able to bypass the IP-based access control restriction specified for a key when two keys of differing types are specified.","clean_desc":"OpenSSH versions 2.5.x through 2.9.x may fail to enforce the IP-based access control restriction feature. A user may specify the IP addresses from which a key may be used, and may have several entries for several keys. The expected behavior of this feature can be demonstrated as follows. If the authorized_keys2 file contained an entry for a key A that was an RSA key and restricted to 10.0.0.1 via the \"from=\" line option and key B was a DSA key and restricted to 10.0.0.2, then key B would not be of any use if compromised unless it was used from the machine with an IP address of 10.0.0.2. Due to the flaw in this feature, when a user specifies two keys of differing types in their ~/.ssh/authorized_keys2, OpenSSH may fail to apply the proper source IP-based access control restrictions specified by the \"from=\" line. For example, assume key A was an RSA key and restricted to 10.0.0.1 via the \"from=\" line and key B was a DSA key and restricted to 10.0.0.2. Now assume that key B is compromised. One would expect that key B could only be used from 10.0.0.1. However, since key A is specified on the line immediately before the line containing the entry for the compromised key and has a different type and a different \"from=\" option, the intruder can access the network from the IP address of key A (10.0.0.1) using the compromised key B. Likewise, a systems administrator could set up a single authorized_keys2 file and direct the individual users' ssh clients to this file via a symbolic link. 
If the systems administrator kept the file world readable, but not writable, then he could control the contents of the file. In this case, a malicious user could use their key in the same manner as described above to bypass any IP restrictions that the systems administrator may have placed on them.","impact":"An attacker with a compromised key, or an authorized user, can circumvent the security policies and log in from IP addresses that are not permitted to access the system.","resolution":"This vulnerability is fixed in OpenSSH 2.9.9. Upgrade to version 2.9.9 or later.","workarounds":"","sysaffected":"","thanks":"This vulnerability was discovered by the OpenSSH team.","author":"This document was written by Jason Rafail.","public":["http://www.securityfocus.com/bid/3369"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-09-27T16:24:00Z","publicdate":"2001-09-27T00:00:00Z","datefirstpublished":"2001-12-07T19:34:19Z","dateupdated":"2001-12-10T16:51:38Z","revision":13,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"17","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"12","cam_impact":"2","cam_easeofexploitation":"3","cam_attackeraccessrequired":"10","cam_scorecurrent":"0.297","cam_scorecurrentwidelyknown":"0.3375","cam_scorecurrentwidelyknownexploited":"0.6075","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"",
"cvss_environmentalvector":"","metric":0.297,"vulnote":null}