>Number: 187307
>Category: misc
>Synopsis: Security vulnerability with FreeBSD Jail
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 05 23:10:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Nicola Galante
>Release: 10.0
>Organization:
Smithsonian Astrophysical Observatory
>Environment:
FreeBSD hostserver.localdomain 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789:
Thu Jan 16 22:34:59 UTC 2014
[email protected]:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
I found a potential vulnerability with FreeBSD jails. I installed a server
(hostserver) for my institute. This hostserver has a certain IP address, let's
say 10.0.0.100, and I installed and configured three service jails (elog, mail,
www), each with a different IP address (10.0.0.101, 10.0.0.102, 10.0.0.103):

root@hostserver:/jails/j # jls
   JID  IP Address      Hostname        Path
     1  10.0.0.101      elogjail        /jails/j/elog
     2  10.0.0.102      mailjail        /jails/j/mail
     3  10.0.0.103      wwwjail         /jails/j/www

I have an account on both the hostserver and the elogjail, with password
authentication on hostserver and ssh key authentication in the jail. The
service sshd is running on both the hostserver and elogjail. If I ssh into the
elogjail:

[galante@caronte ~]$ ssh galante@elogjail
Enter passphrase for key '/home/galante/.ssh/id_dsa':
Last login: Wed Mar 5 21:37:23 2014 from caronte
galante@elogjail:~ %

I get in as expected. But if I turn off the sshd service in elogjail (and keep
the elogjail up and running) and I try to connect to elogjail, I first get a
complaint that the fingerprint for the RSA key sent by the remote host has
changed. If I remove the corresponding line in my local .ssh/known_hosts file
and try to reconnect, this is what happens:

[galante@caronte ~]$ ssh galante@elogjail
Password for galante@hostserver:
Last login: Wed Mar 5 21:12:20 2014 from caronte
galante@hostserver:~ %

I log into the host system! Of course this is possible because I have an
account on both the host system and the jail. However, I believe that this can
pose a serious potential security threat. I can envision several scenarios
where somebody attempts to get into a jail and instead gets into the host
system. I also checked DNS responsiveness. The problem persists even if I
use IP addresses instead of host names.
>How-To-Repeat:
Follow the steps described above.
>Fix:
I don't know how to fix the problem other than by disabling sshd in the
hostserver.
>Release-Note:
>Audit-Trail:
>Unformatted:
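What the report describes is the behaviour of a host sshd bound to the wildcard address (the stock sshd_config leaves ListenAddress commented out): the host's daemon answers on a jail alias whenever nothing inside the jail is listening there, and pinning the host sshd with ListenAddress stops that. As an added example, not part of the PR or of FreeBSD, the script below runs two checks on constructed samples: which host listeners sit on the wildcard address in sockstat output, and whether an sshd_config still leaves sshd on the wildcard; the PIDs and the syslogd/named lines are made up, and the 10.0.0.x addresses are taken from the report.

```shell
# Added example (not part of the PR). Two checks for the condition reported
# above: (1) which host daemons are bound to the wildcard address, so they
# answer on jail IPs too; (2) whether an sshd_config pins sshd to the host IP.
# All inputs below are constructed samples, not the reporter's real output.

# Constructed `sockstat -4l` output as seen from the host. The host sshd is on
# *:22 (every address, jail aliases included); a jail's sshd is on its own IP.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4  tcp4   *:22                  *:*
root     sshd       1450  4  tcp4   10.0.0.101:22         *:*
root     syslogd    601   6  udp4   *:514                 *:*
bind     named      890   21 tcp4   10.0.0.100:53         *:*'

# Print "COMMAND PID PORT" for each listener whose local address is the
# wildcard (*:port). Such a daemon is reachable on every address the host owns.
wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 ~ /^\*:/ { sub(/^\*:/, "", $6); print $2, $3, $6 }'
}

# Print the ListenAddress values an sshd_config sets; commented-out lines do
# not count, and with none at all sshd binds every local address (the default).
effective_listen_addresses() {
    printf '%s\n' "$1" | awk 'tolower($1) == "listenaddress" { print $2 }'
}

# Succeed (exit 0) when the config leaves sshd on the wildcard: no ListenAddress,
# or one naming 0.0.0.0 / :: (optionally with a :port suffix).
sshd_binds_wildcard() {
    addrs=$(effective_listen_addresses "$1")
    [ -z "$addrs" ] && return 0
    printf '%s\n' "$addrs" | grep -Eq '^(0\.0\.0\.0|::|\[::\])(:[0-9]+)?$'
}

# Constructed fragments. The stock file ships ListenAddress commented out,
# which is the wildcard behaviour behind the report.
WEAK_SSHD_CONFIG='#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::'

# Corrected: pin the host sshd to the host address (10.0.0.100 in the report)
# so 10.0.0.101-103 are only ever answered by the jails' own daemons.
FIXED_SSHD_CONFIG='Port 22
ListenAddress 10.0.0.100'

echo "Host daemons on the wildcard address:"
wildcard_listeners "$SAMPLE_SOCKSTAT"
sshd_binds_wildcard "$WEAK_SSHD_CONFIG"  && echo "stock sshd_config: sshd binds every address"
sshd_binds_wildcard "$FIXED_SSHD_CONFIG" || echo "fixed sshd_config: sshd bound to $(effective_listen_addresses "$FIXED_SSHD_CONFIG")"
```

With the host sshd pinned this way, a connection to a jail IP whose sshd is down is refused instead of being answered by the host, and the host key mismatch the reporter saw no longer occurs.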