AA-2002.05 -- OpenSSH Vulnerabilities (Update to AL-2002.05)

Date: 27 June 2002
References: ESB-2003.0036  ESB-2002.307  ESB-2002.308  ESB-2002.312  ESB-2002.313  ESB-2002.314  ESB-2002.321  ESB-2002.329  ESB-2002.331  ESB-2002.390  



===========================================================================
AA-2002.05                    AUSCERT Advisory
                                      
               OpenSSH Vulnerabilities (Update to AL-2002.05)

                                27 June 2002

Last Revised: --

---------------------------------------------------------------------------

AusCERT is publishing Advisory AA-2002.05 to update AusCERT Alert
AL-2002.05 "Vulnerability in OpenSSH" released 25 June 2002.  This advisory
contains the latest information, and solutions, regarding vulnerabilities
in some default installations of OpenSSH.

AusCERT has not received reports of the vulnerabilities being actively
exploited although reports indicate that exploits are being developed.

AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.  This advisory will be updated as more information becomes
available.

---------------------------------------------------------------------------

1.  Description

There are two vulnerabilities in some default installations of OpenSSH.
The first is in the challenge-response authentication mechanism and can
lead to a denial of service or a buffer overflow.  The second is in the
privilege separation option and can allow users to gain superuser access.
There are discussions of the development of exploit tools for these
vulnerabilities.

Vulnerable versions are:

OpenBSD 3.0
OpenBSD 3.1
FreeBSD-Current
OpenSSH 3.0-3.2.3

and possibly others.  Refer to the OpenSSH Security Advisory [4.2] for
more information.

2.  Impact

Under certain conditions, there is a vulnerability in the
"challenge-response" authentication option in OpenSSH, SSH protocol version
2.  A specially-crafted response to this method of authentication can
cause an overflow.  This vulnerability can result in remote denial of
service or remote system compromise, with superuser privileges.

Exploitation of this vulnerability requires that either the SKEY or
BSD_AUTH authentication option be enabled.  Note: Versions 3.0 and higher
of OpenBSD are distributed with the BSD_AUTH option enabled.

Initially, Theo de Raadt from OpenBSD and ISS X-Force were recommending
that users upgrade to OpenSSH 3.3 and enable the privilege separation
option.  This solution has since been found to potentially expose other
security issues, such as privilege escalation.  As such, the following
solution supersedes the mitigation information provided in AL-2002.05.

3.  Solution

Protection from these OpenSSH vulnerabilities can be attained by disabling
unnecessary authentication mechanisms such as challenge-response
authentication.  This is done by setting the ChallengeResponseAuthentication
parameter to "no" in the OpenSSH daemon configuration file "sshd_config":

	ChallengeResponseAuthentication no

Then restart the sshd process to activate the change.

Fixes are available from the OpenSSH site http://www.openssh.org.  Upgrading
to OpenSSH version 3.4 is also recommended as it contains several other
fixes and security updates.

This solution supersedes mitigation information provided in AL-2002.05
although the OpenSSH Security Advisory [4.2] states "OpenSSH 3.2 and later
prevent privilege escalation if UsePrivilegeSeparation is enabled in
sshd_config.  OpenSSH 3.3 enables UsePrivilegeSeparation by default."
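
The following shell helpers, added here as an example and not part of the
AusCERT advisory or of OpenSSH, check the "ssh -V" banner against the
version range in section 1 and audit or rewrite an sshd_config for the
section 3 setting.  They assume the banner begins with "OpenSSH_<version>"
and that sshd_config uses "Keyword value" lines with "#" comments; the
sample config in demo() is constructed, not taken from any host.

```shell
# Added audit helpers for the section 3 mitigation (not AusCERT's own code).
# Assumptions: the "ssh -V" banner starts with OpenSSH_<version>, and
# sshd_config uses "Keyword value" lines, comments starting with "#".

# Return 0 if the banner names a version in the advisory's 3.0-3.2.3 range,
# 1 if outside it, 2 if the banner is not an OpenSSH banner at all.
vulnerable_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 2
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}
    pat=0; [ "$rest" != "$min" ] && pat=${rest#*.}
    [ "$maj" -eq 3 ] || return 1
    [ "$min" -lt 2 ] && return 0
    [ "$min" -eq 2 ] && [ "${pat%%.*}" -le 3 ] && return 0
    return 1
}

# sshd honours the FIRST occurrence of a keyword (keywords are
# case-insensitive); an absent keyword means the daemon's built-in default,
# which at the time was "yes". Return 0 only when the effective value is "no".
audit_challenge_response() {
    value=$(awk '/^[[:space:]]*(#|$)/ { next }
        tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$1")
    case "$value" in
        no) echo "$1: ChallengeResponseAuthentication no (mitigated)"; return 0 ;;
        "") echo "$1: keyword absent, default applies (NOT mitigated)"; return 1 ;;
        *)  echo "$1: ChallengeResponseAuthentication $value (NOT mitigated)"; return 1 ;;
    esac
}

# Write a hardened copy: comment out every live occurrence and put an
# explicit "no" first, so it wins under sshd's first-match rule.
harden_challenge_response() {
    { echo "ChallengeResponseAuthentication no"
      awk '/^[[:space:]]*#/ { print; next }
           tolower($1) == "challengeresponseauthentication" { print "#" $0; next }
           { print }' "$1"; } > "$2"
}

# Demo on a constructed sample config (not a real host's file).
demo() {
    tmp=$(mktemp); out=$(mktemp)
    printf 'Port 22\n# ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\nUsePrivilegeSeparation yes\n' > "$tmp"
    audit_challenge_response "$tmp" || true   # reports NOT mitigated
    harden_challenge_response "$tmp" "$out"
    audit_challenge_response "$out"           # reports mitigated
    rm -f "$tmp" "$out"
    # after editing the real file, restart sshd (e.g. signal the pid in /var/run/sshd.pid)
}
```

Run demo() to see both audit results; the restart step is left as a comment
because it must be applied to the live daemon on each host.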

4.  Further Information

Further technical details of these vulnerabilities are included in the ISS
X-Force Security Advisory [4.1] and the OpenSSH Security Advisory [4.2].

[4.1] ISS Security Advisory (June 26, 2002) - OpenSSH Remote Challenge
      Vulnerability

      http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584

[4.2] OpenSSH Security Advisory

      http://www.openssh.org/txt/preauth.adv

---------------------------------------------------------------------------

AusCERT would like to thank the Canadian Computer Emergency Response Team
(CanCERT) (http://www.cancert.ca) for allowing use of their materials in
assembling the information contained in this advisory.

---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained in
this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AusCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
