OpenSSH fails to properly apply source IP based access control restrictions

Source: CERT.org

Versions of OpenSSH between 2.5.x - 2.9.x may fail to enforce the IP based access control restriction feature. A user may specify from which IP's a key may be used. They may have several entries for several keys. Expected behavior of this feature can be demonstrated as follows. If the authorized_keys2 file contained an entry for a key A that was an RSA key and restricted to 10.0.0.1 via the "from=" line option and key B was a DSA key and restricted to 10.0.0.2, then key B would not be of any use if compromised unless it was used from the machine with an IP address of 10.0.0.2.

Due to the flaw in this feature, when a user specifies two keys of differing types in their ~/.ssh/authorized_keys2, OpenSSH may fail to apply the proper source IP based access control restrictions specified by the "from=" line. For example, assume key A was an RSA key and restricted to 10.0.0.1 via the "from=" line and key B was a DSA key and restricted to 10.0.0.2. Now assume that key B is compromised. One would expect that key B could only be used from 10.0.0.1. However, since key A is specified on the line immediately before the line containing the entry for the compromised key and is of a different type and "from=", then the intruder can access the network from the IP address of key A (10.0.0.1) using the compromised key B.