search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Sun Solaris SSH Daemon fails to properly log client IP addresses

Vulnerability Note VU#737548

Original Release Date: 2004-04-14 | Last Revised: 2004-04-14

Overview

The Sun Solaris Secure Shell Daemon (sshd) may incorrectly log client IP addresses.

Description

SSH is a program used to provide secure connection and communications between client and servers. Upon connecting to the service, the client's IP address is logged. There is a vulnerability in the Sun Solaris SSH Daemon that may cause it to inaccurately log the IP addresses of clients. When the SSH Daemon initializes, it reads configuration information from the sshd_config file. If this file contains the "ListenAddress" keyword configured in a specific way, SSH will fail to properly log client IP addresses.

According to the Sun Security Advisory:
A system is only affected by this issue if the sshd configuration file (sshd_config(4)) has the "ListenAddress" keyword configured as "0.0.0.0" which means to listen on only IPv4 (see inet(3SOCKET)) configured interfaces.

To determine which interfaces on a system are configured to use IPv4 the following command can be run:

$ ifconfig -a4
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1

    inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1400 index 2
    inet 192.168.254.202 netmask ffffff00 broadcast 192.168.254.255    

Impact

The IP address logged by the SSH Daemon will contain all zeroes rather than the correct IP address of the client. Therefore, when reviewing the log files, system administrators may not be able to accurately identify clients who have connected to the service.

Solution

Apply patch
Sun has released an advisory which addresses this issue. For more information on patches available for your system, please refer to Sun Security Alert: 57538.


Edit configuration file

According to the Sun Security Advisory, the following workaround could be used to mitigate against this vulnerability:

For sites which are utilizing both IPv4 and IPv6 (see inet(3SOCKET)) network interfaces, to prevent this issue from occurring the sshd_config(4) file can be edited to listen on both IPv4 and IPv6 configured interfaces by setting the "ListenAddress" keyword to contain two colons (::). For example:

    $ grep ^ListenAddress /etc/ssh/sshd_config
    ListenAddress ::                  

If the sshd_config(4) file is modified, the sshd daemon needs to be sent a SIGHUP signal to re-read the file. For example, as the root user:
    # pkill -HUP sshd

Vendor Information

737548
 
Expand all

Sun Microsystems Inc. Affected

Updated:  April 14, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please refer to Sun Security Alert: 57538.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported by Sun Microsystems Inc.

This document was written by Damon Morda.

Other Information

CVE IDs: None
Severity Metric: 5.06
Date Public: 2004-04-07
Date First Published: 2004-04-14
Date Last Updated: 2004-04-14 16:34 UTC
Document Revision: 28

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis