OpenSSH daemon challenge-response allows DoS or remote compromise
Risk: High
Date Discovered: 06-26-2002
Description
The challenge response handling code in OpenSSH versions 2.3.1p1 through 3.3 contains two related vulnerabilities. These vulnerabilities may allow a remote malicious user to execute arbitrary code as the user running sshd, which is often root.
OpenSSH is a free version of the Secure Shell communications suite and is used as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and Ftp. OpenSSH employs end-to-end encryption (including all passwords) and is resistant to network monitoring, eavesdropping, and connection hijacking attacks.
The first vulnerability is an integer overflow in the handling of the number of responses received during challenge response authentication. This affects OpenSSH versions 2.9.9 through 3.3 that have the challenge response option enabled and that also use SKEY or BSD_AUTH authentication.
The second vulnerability is a buffer overflow involving the number of responses received during challenge response authentication. This affects PAM modules using interactive keyboard authentication in OpenSSH versions 2.3.1p1 through 3.3, regardless of the challenge response option setting.
PAM (Pluggable Authentication Modules) provides a way to develop programs that are independent of the underlying authentication scheme.
A remote attacker can execute code with the privileges of the user running the sshd (often root). These vulnerabilities may also be used to cause a denial-of-service condition.
Platforms Affected: Multiple
Components Affected:
Mandrake Soft Linux 7.1, 7.2, 8.0, 8.1, 8.2
OpenBSD BSD 3.0, 3.1
OpenBSD OpenSSH 3.0 - 3.2.3
Red Hat Software, Inc. Linux 7.0, 7.1, 7.2, 7.3
S.U.S.E. GmbH Linux 6.4, 7.0, 7.1, 7.2, 7.3
S.U.S.E. GmbH Linux Database Server
S.U.S.E. GmbH Linux eMail Server III
S.U.S.E. GmbH Linux Enterprise Server 7
S.U.S.E. GmbH Linux Firewall on CD
Recommendations
Upgrade: OpenSSH 3.4
Ensure you are using the most current and most secure version of OpenSSH.
OpenSSH 3.4 is the most current version and is available for download at:
http://www.openssh.com/openbsd.html
Follow the instructions given by the vendor and verify the proper patches have been installed on older versions of OpenSSH prior to 3.1.
Patch: Mandrake OpenSSH update
Patch: RedHat OpenSSH RPM
Patch: SuSE OpenSSH update
Workaround: Enable privilege separation in OpenSSH
To enable privilege separation, the following configuration option must be in the sshd_config file (often located at /etc/ssh/sshd_config):
UsePrivilegeSeparation yes
This workaround does not prevent exploitation of these vulnerabilities; however, because of the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges.
A denial-of-service condition could still be created. Not all operating system vendors have implemented the privilege separation code, and on some operating systems, it may limit the functionality of OpenSSH.
System administrators are encouraged to consider the implications of using this workaround in their environment, and use a more comprehensive solution if one is available.
Using privilege separation to limit the impact of future vulnerabilities is highly encouraged.
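As an added check (not part of the original advisory), the following POSIX shell functions read the effective UsePrivilegeSeparation value the way sshd does (the first occurrence of a keyword wins) and test whether a version string falls inside the affected range 2.3.1p1 through 3.3; the sample sshd_config lines are constructed for illustration, and the version string is assumed to look like sshd's own "OpenSSH_3.3p1".

```shell
#!/bin/sh
# Added example: assess a host against this advisory. Assumes the version
# string comes from sshd itself, e.g. "OpenSSH_3.3p1" (not advisory code).

# Constructed sample sshd_config (not from the advisory). Note the
# duplicate keyword: sshd uses the FIRST value it reads, so this host
# does NOT actually have privilege separation enabled.
SAMPLE_CONFIG='# constructed example
ChallengeResponseAuthentication yes
UsePrivilegeSeparation no
UsePrivilegeSeparation yes'

# Print the effective value of keyword $1 from an sshd_config on stdin
# (case-insensitive keyword, first occurrence wins, comments ignored).
sshd_effective_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Return 0 when an OpenSSH version such as "3.3p1" or "OpenSSH_2.3.1p1"
# lies in the affected range 2.3.1p1 through 3.3 (i.e. below 3.4).
openssh_affected() {
    v=${1#OpenSSH_}
    v=${v%%p*}                      # strip portable suffix: 3.3p1 -> 3.3
    major=${v%%.*}; rest=${v#*.}
    minor=0; patch=0
    if [ "$rest" != "$v" ]; then    # at least one dot present
        minor=${rest%%.*}
        rest2=${rest#*.}
        if [ "$rest2" != "$rest" ]; then patch=$rest2; fi
    fi
    n=$((major * 10000 + minor * 100 + patch))
    [ "$n" -ge 20301 ] && [ "$n" -lt 30400 ]
}

# Combine both checks: "patched", "mitigated" (privsep limits impact)
# or "exposed". $1 = version string, sshd_config on stdin.
assess_sshd() {
    if ! openssh_affected "$1"; then
        echo patched
    elif [ "$(sshd_effective_value UsePrivilegeSeparation)" = yes ]; then
        echo mitigated
    else
        echo exposed
    fi
}

printf '%s\n' "$SAMPLE_CONFIG" | assess_sshd OpenSSH_3.3p1   # prints: exposed
```

In later OpenSSH releases privilege separation became mandatory and the UsePrivilegeSeparation keyword was deprecated, so the configuration half of this check only matters on hosts still running the affected versions.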
Policy: Best Practice - Ensure your security patches and upgrades are current
Stay informed of your vendors' security-related updates to their products, which may be called updates, upgrades, patches, service packs, hot fixes, or workarounds. Whenever an update is released, you need to evaluate it, determine if it is applicable to your organization's computers, and, if so, install it.
References
Source: OpenBSD URL: http://www.openssh.com/txt/preauth.adv
Source: SecurityFocus.com 5093 URL: http://online.securityfocus.com/bid/5093
Source: Mandrake MDKSA-2002-040 URL: http://www.mandrakelinux.com/en/security/2002/MDKSA-2002-040.php?dis=8.2
Source: SuSE SA:2002:023 URL: http://lists2.suse.com/archive/suse-security-announce/2002-Jun/0005.html
Source: CERT CA-2002-18 URL: http://www.cert.org//advisories/CA-2002-18.html
Source: Red Hat RHSA-2002-127 URL: http://rhn.redhat.com/errata/RHSA-2002-127.html
Source: CVE CAN-2002-0639 URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0639
Source: CVE CAN-2002-0640 URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0640
Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.