Bug#296547: ssh: [CAN-2004-1653] default configuration for OpenSSH enables AllowTcpForwarding
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: normal
Tags: security
Hello,
CAN-2004-1653 reads:
The default configuration for OpenSSH enables AllowTcpForwarding,
which could allow remote authenticated users to perform a port bounce,
when configured with an anonymous access program such as AnonCVS.
If the target system resides behind a firewall, this can allow the
remote user to bypass the firewall.
Impact: A remote authenticated user can cause the target service to
forward connections to arbitrary ports on arbitrary hosts.
The sshd_config man page reads:
AllowTcpForwarding
Specifies whether TCP forwarding is permitted. The
default is "yes". Note that disabling TCP forwarding
does not improve security unless users are also denied
shell access, as they can always install their own
forwarders.
This CAN can be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1653
More information is located here:
http://marc.theaimsgroup.com/?l=bugtraq&m=109413637313484&w=2
http://www.securitytracker.com/alerts/2004/Sep/1011143.html
http://xforce.iss.net/xforce/xfdb/17213
Solution: Set the default /etc/ssh/sshd_config file to have:
AllowTcpForwarding no
Micah
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages ssh depends on:
ii adduser 3.59 Add and remove users and groups
ii debconf 1.4.30.11 Debian configuration management sy
ii dpkg 1.10.26 Package maintenance system for Deb
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7e-2 SSL shared libraries
ii libwrap0 7.6.dbs-6 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-3 compression library - runtime
-- debconf information excluded
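The check a defender would want after applying the suggested fix, as an added example that is not part of the bug report: a small shell function that reports the effective global value of AllowTcpForwarding in an sshd_config file. It assumes sshd's documented rule that the first obtained value of a keyword wins (later repeats are ignored), that keywords are case-insensitive, that "#" starts a comment, that an unset keyword means the compiled-in default "yes", and that anything after a "Match" header is per-connection and not global; the sample config files are constructed for the self-test.

```shell
#!/bin/sh
# Added example (not from the bug report): print the effective global value of
# AllowTcpForwarding in an sshd_config so the fix from this report can be
# verified. Assumptions: first obtained value wins, keywords are
# case-insensitive, "#" starts a comment, unset means the default "yes", and
# lines after a "Match" header are not global and are skipped.

# Usage: effective_allow_tcp_forwarding <path-to-sshd_config>
effective_allow_tcp_forwarding() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comment or blank line
        tolower($1) == "match" { in_match = 1 } # global section ends here
        in_match { next }
        tolower($1) == "allowtcpforwarding" && !seen {
            seen = 1; print tolower($2)         # first value wins
        }
        END { if (!seen) print "yes (compiled-in default)" }
    ' "$1"
}

# Constructed sample configs for a self-test.
tmpdir=$(mktemp -d)
# 1. Stock-style file: the keyword appears only commented out -> default applies.
cat > "$tmpdir/default.conf" <<'EOF'
Port 22
#AllowTcpForwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
# 2. File with the fix from this report applied.
cat > "$tmpdir/fixed.conf" <<'EOF'
Port 22
AllowTcpForwarding no
EOF
# 3. Fix added below an earlier "yes": the earlier value still wins.
cat > "$tmpdir/shadowed.conf" <<'EOF'
AllowTcpForwarding yes
AllowTcpForwarding no
EOF

for f in default fixed shadowed; do
    printf '%s: %s\n' "$f" "$(effective_allow_tcp_forwarding "$tmpdir/$f.conf")"
done
rm -rf "$tmpdir"
```

The third case is the one to watch for on a real host: appending "AllowTcpForwarding no" to a file that already sets it does not change the effective value.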