OpenSSH vulnerability
26 June 2002, 10:47 PM
#1
Scooby Regular
Thread Starter
Join Date: Sep 2001
Location: Kingston ( Surrey, not Jamaica )
Posts: 4,670
Likes: 0
Received 0 Likes
on
0 Posts
Assuming no-one uses telnet anymore - most *nix will be on some version of SSH.
Time to get patching chaps ( oh joy - cancel *everything* I had planned for tomorrow )
Steve
Internet Security Systems Security Advisory
June 26, 2002
OpenSSH Remote Challenge Vulnerability
Synopsis:
ISS X-Force has discovered a serious vulnerability in the default
installation of OpenSSH on the OpenBSD operating system. OpenSSH is a
free version of the SSH (Secure Shell) communications suite and is used
as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and
Ftp. OpenSSH employs end-to-end encryption (including all passwords) and
is resistant to network monitoring, eavesdropping, and connection
hijacking attacks. X-Force is aware of active exploit development for
this vulnerability.
Impact:
OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be
vulnerable to a remote, superuser compromise.
Affected Versions:
OpenBSD 3.0
OpenBSD 3.1
FreeBSD-Current
OpenSSH 3.0-3.2.3
OpenSSH version 3.3 implements "privilege separation" which mitigates
the risk of a superuser compromise. Prior to the release of this
advisory, ISS and OpenBSD encouraged all OpenSSH users to upgrade to
version 3.3. Versions of FreeBSD-Current built between March 18, 2002
and June 23, 2002 are vulnerable to remote superuser compromise.
Privilege separation was implemented in FreeBSD-Current on June 23,
2002.
Note: OpenSSH is included in many operating system distributions,
networking equipment, and security appliances. Refer to the following
address for information about vendors that implement OpenSSH:
http://www.openssh.com/users.html
Description:
A vulnerability exists within the "challenge-response" authentication
mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2
protocol, verifies a user's identity by generating a challenge and
forcing the user to supply a number of responses. It is possible for a
remote attacker to send a specially-crafted reply that triggers an
overflow. This can result in a remote denial of service attack on the
OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs
with superuser privilege, so remote attackers can gain superuser access
by exploiting this vulnerability.
OpenSSH supports the SKEY and BSD_AUTH authentication options. These are
compile-time options. At least one of these options must be enabled
before the OpenSSH binaries are compiled for the vulnerable condition to
be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled.
The SKEY and BSD_AUTH options are not enabled by default in many
distributions. However, if these options are explicitly enabled, that
build of OpenSSH may be vulnerable.
Recommendations:
Internet Scanner X-Press Update 6.13 includes a check, OpenSshRunning,
to detect potentially vulnerable installations of OpenSSH. XPU 6.13 is
available from the ISS Download Center at: http://www.iss.net/download.
For questions about downloading and installing this XPU, email
support@iss.net.
ISS X-Force recommends that system administrators disable unused OpenSSH
authentication mechanisms. Administrators can remove this vulnerability
by disabling the Challenge-Response authentication parameter within the
OpenSSH daemon configuration file. This filename and path is typically:
/etc/ssh/sshd_config. To disable this parameter, locate the
corresponding line and change it to the line below:
ChallengeResponseAuthentication no
The "sshd" process must be restarted for this change to take effect.
This workaround will permanently remove the vulnerability. X-Force
recommends that administrators upgrade to OpenSSH version 3.4
immediately. This version implements privilege separation, contains a
patch to block this vulnerability, and contains many additional pro-
active security fixes. Privilege separation was designed to limit
exposure to known and unknown vulnerabilities. Visit
http://www.openssh.com for more information.
Additional Information:
ISS X-Force and Black Hat consulting will host a presentation titled,
"Professional Source Code Auditing" at Black Hat Briefings USA 2002. The
presentation will explore advanced source code auditing techniques as
well as secure development best-practices. Please refer to
http://www.blackhat.com and
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd for
more information.
Credits:
The vulnerability described in this advisory was discovered and
researched by Mark Dowd of the ISS X-Force. ISS would like to thank Theo
de Raadt of the OpenBSD Project for his assistance with this advisory.
Time to get patching chaps ( oh joy - cancel *everything* I had planned for tomorrow )
Steve
Internet Security Systems Security Advisory
June 26, 2002
OpenSSH Remote Challenge Vulnerability
Synopsis:
ISS X-Force has discovered a serious vulnerability in the default
installation of OpenSSH on the OpenBSD operating system. OpenSSH is a
free version of the SSH (Secure Shell) communications suite and is used
as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and
Ftp. OpenSSH employs end-to-end encryption (including all passwords) and
is resistant to network monitoring, eavesdropping, and connection
hijacking attacks. X-Force is aware of active exploit development for
this vulnerability.
Impact:
OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be
vulnerable to a remote, superuser compromise.
Affected Versions:
OpenBSD 3.0
OpenBSD 3.1
FreeBSD-Current
OpenSSH 3.0-3.2.3
OpenSSH version 3.3 implements "privilege separation" which mitigates
the risk of a superuser compromise. Prior to the release of this
advisory, ISS and OpenBSD encouraged all OpenSSH users to upgrade to
version 3.3. Versions of FreeBSD-Current built between March 18, 2002
and June 23, 2002 are vulnerable to remote superuser compromise.
Privilege separation was implemented in FreeBSD-Current on June 23,
2002.
Note: OpenSSH is included in many operating system distributions,
networking equipment, and security appliances. Refer to the following
address for information about vendors that implement OpenSSH:
http://www.openssh.com/users.html
Description:
A vulnerability exists within the "challenge-response" authentication
mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2
protocol, verifies a user's identity by generating a challenge and
forcing the user to supply a number of responses. It is possible for a
remote attacker to send a specially-crafted reply that triggers an
overflow. This can result in a remote denial of service attack on the
OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs
with superuser privilege, so remote attackers can gain superuser access
by exploiting this vulnerability.
OpenSSH supports the SKEY and BSD_AUTH authentication options. These are
compile-time options. At least one of these options must be enabled
before the OpenSSH binaries are compiled for the vulnerable condition to
be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled.
The SKEY and BSD_AUTH options are not enabled by default in many
distributions. However, if these options are explicitly enabled, that
build of OpenSSH may be vulnerable.
Recommendations:
Internet Scanner X-Press Update 6.13 includes a check, OpenSshRunning,
to detect potentially vulnerable installations of OpenSSH. XPU 6.13 is
available from the ISS Download Center at: http://www.iss.net/download.
For questions about downloading and installing this XPU, email
support@iss.net.
ISS X-Force recommends that system administrators disable unused OpenSSH
authentication mechanisms. Administrators can remove this vulnerability
by disabling the Challenge-Response authentication parameter within the
OpenSSH daemon configuration file. This filename and path is typically:
/etc/ssh/sshd_config. To disable this parameter, locate the
corresponding line and change it to the line below:
ChallengeResponseAuthentication no
The "sshd" process must be restarted for this change to take effect.
This workaround will permanently remove the vulnerability. X-Force
recommends that administrators upgrade to OpenSSH version 3.4
immediately. This version implements privilege separation, contains a
patch to block this vulnerability, and contains many additional pro-
active security fixes. Privilege separation was designed to limit
exposure to known and unknown vulnerabilities. Visit
http://www.openssh.com for more information.
Additional Information:
ISS X-Force and Black Hat consulting will host a presentation titled,
"Professional Source Code Auditing" at Black Hat Briefings USA 2002. The
presentation will explore advanced source code auditing techniques as
well as secure development best-practices. Please refer to
http://www.blackhat.com and
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd for
more information.
Credits:
The vulnerability described in this advisory was discovered and
researched by Mark Dowd of the ISS X-Force. ISS would like to thank Theo
de Raadt of the OpenBSD Project for his assistance with this advisory.
Thread
Thread Starter
Forum
Replies
Last Post
Nicks VR4
Computer & Technology Related
1
04 August 2003 06:14 PM
Jeff Wiltshire
Computer & Technology Related
2
25 January 2003 09:53 PM
Puff The Magic Wagon!
Computer & Technology Related
4
09 April 2002 03:01 AM