{"vuid":"VU#363181","idnumber":"363181","name":"OpenSSH disregards client configuration and allows server access to ssh-agent and/or X11 after session negotiation","keywords":["ssh","openssh","security","ssh-agent","x11","server","client","unathorized access"],"overview":"Versions of OpenSSH client prior to 2.3.0 do not properly enforce restrictions to the ssh-agent or X11 display.","clean_desc":"An OpenSSH client can be configured to prevent servers from accessing the client's ssh-agent or X11 display. However, versions of OpenSSH client prior to 2.3.0 fail to enforce these settings and thus allow access regardless of the client's desired configuration. The ssh-agent program is a tool used to store private keys for subsequent use by programs started in the same session. When an SSH connection is established, the client and server negotiate whether or not the server may have access to the client's local ssh-agent (and consequently, the client's stored authentication material). The ForwardAgent setting specifies whether access to the client's ssh-agent is permitted. However, if a server requests access to the local ssh-agent after the connection is negotiated, versions of the OpenSSH client prior to 2.3.0 will permit it even if ForwardAgent is set to \"no.\" A similar problem exists in the implementation of X11 forwarding in the same versions of the OpenSSH client.","impact":"Malicious servers can gain access to your X11 display or key material cached with ssh-agent.","resolution":"Upgrade to OpenSSH 2.3.0 or later, or apply the patch for this issue available at http://www.openssh.com.","workarounds":"Clear both the $DISPLAY and the $SSH_AUTH_SOCK variable before connecting to untrusted hosts. % unset SSH_AUTH_SOCK; unset DISPLAY; ssh host","sysaffected":"","thanks":"Thanks to Jacob Langseth <jwl@pobox.com> for pointing out the X11 forwarding issue and to Markus Friedl who published an advisory on this topic.","author":"This document was written by Shawn Hernan and Shawn Van Ittersum.","public":["http://www.securityfocus.com/bid/1949","http://xforce.iss.net/static/5517.php","http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent"],"cveids":["CVE-2000-1169"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2000-12-07T22:48:52Z","publicdate":"2000-12-07T22:57:40Z","datefirstpublished":"2001-08-13T15:40:13Z","dateupdated":"2002-05-30T20:23:07Z","revision":16,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"5","cam_impact":"12","cam_easeofexploitation":"5","cam_attackeraccessrequired":"7","cam_scorecurrent":"0.984375","cam_scorecurrentwidelyknown":"1.18125","cam_scorecurrentwidelyknownexploited":"1.96875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.984375,"vulnote":null}