OpenSSH allows port bouncing attacks

openssh-port-bounce (17213)

Medium Risk

Description:

OpenSSH could allow a remote authenticated attacker to perform a port bouncing attack. By default, the AllowTcpForwarding option is enabled in the sshd_config file. This could allow a remote authenticated attacker to use SSH to access an anonymous service and forward connections to arbitrary ports via this vulnerable service.

Platforms Affected:

• IBM, zOS
• OpenBSD, OpenSSH 1.2
• OpenBSD, OpenSSH 1.2.1
• OpenBSD, OpenSSH 1.2.2
• OpenBSD, OpenSSH 1.2.27
• OpenBSD, OpenSSH 1.2.3
• OpenBSD, OpenSSH 2.1
• OpenBSD, OpenSSH 2.1.1
• OpenBSD, OpenSSH 2.1.1p4
• OpenBSD, OpenSSH 2.2
• OpenBSD, OpenSSH 2.2.0p1
• OpenBSD, OpenSSH 2.3
• OpenBSD, OpenSSH 2.3.0p1
• OpenBSD, OpenSSH 2.5
• OpenBSD, OpenSSH 2.5.1
• OpenBSD, OpenSSH 2.5.1p1
• OpenBSD, OpenSSH 2.5.1p2
• OpenBSD, OpenSSH 2.5.2
• OpenBSD, OpenSSH 2.5.2p1
• OpenBSD, OpenSSH 2.5.2p2
• OpenBSD, OpenSSH 2.9
• OpenBSD, OpenSSH 2.9.9
• OpenBSD, OpenSSH 2.9.9p1
• OpenBSD, OpenSSH 2.9.9p2
• OpenBSD, OpenSSH 2.9p1
• OpenBSD, OpenSSH 2.9p2
• OpenBSD, OpenSSH 3.0
• OpenBSD, OpenSSH 3.0.1
• OpenBSD, OpenSSH 3.0.1p1
• OpenBSD, OpenSSH 3.0.2
• OpenBSD, OpenSSH 3.0.2p1
• OpenBSD, OpenSSH 3.0p1
• OpenBSD, OpenSSH 3.1
• OpenBSD, OpenSSH 3.1p1
• OpenBSD, OpenSSH 3.2
• OpenBSD, OpenSSH 3.2.2
• OpenBSD, OpenSSH 3.2.2p1
• OpenBSD, OpenSSH 3.2.3
• OpenBSD, OpenSSH 3.2.3p1
• OpenBSD, OpenSSH 3.3
• OpenBSD, OpenSSH 3.3p1
• OpenBSD, OpenSSH 3.4
• OpenBSD, OpenSSH 3.4p1
• OpenBSD, OpenSSH 3.5
• OpenBSD, OpenSSH 3.5p1
• OpenBSD, OpenSSH 3.6
• OpenBSD, OpenSSH 3.6.1
• OpenBSD, OpenSSH 3.6.1p1
• OpenBSD, OpenSSH 3.6.1p2
• OpenBSD, OpenSSH 3.7
• OpenBSD, OpenSSH 3.7.1
• OpenBSD, OpenSSH 3.7.1p1
• OpenBSD, OpenSSH 3.7.1p2
• OpenBSD, OpenSSH 3.8
• OpenBSD, OpenSSH 3.8.1
• OpenBSD, OpenSSH 3.8.1p1
• OpenBSD, OpenSSH 3.9

Remedy:

No remedy available as of September 2004.

As a workaround, disable the AllowTcpForwarding option.

Consequences:

Configuration

References:

• BugTraq Mailing List, Tue Aug 31 2004 - 17:38:38 CDT, SSHD / AnonCVS Nastyness at http://archives.neohapsis.com/archives/bugtraq/2004-09/0009.html.
• IBM APAR OA25412, OA25412: DOC UPDATE FOR "IBM PORTED TOOLS FOR Z/OS" OPENSSH 5655M2301 at http://www-1.ibm.com/support/docview.wss?rs=203&context=SW000&dc=DB550&dc=D100&q1=Security+vulnerability&uid=isg1OA25412.
• CVE-2004-1653: The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS.
• OSVDB ID: 9562: OpenSSH Default Configuration Anon SSH Service Port Bounce Weakness
• SECTRACK ID: 1011143: OpenSSH Default Configuration May Be Unsafe When Used With Anonymous SSH Services

Reported:

Sep 01, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page