Date: 17 September 2003
References: ESB-2003.0644 ESB-2003.0645 ESB-2003.0647 ESB-2003.0648 ESB-2003.0653 ESB-2003.0654 ESB-2003.0655 ESB-2003.0660 ESB-2003.0661 ESB-2003.0674
ESB-2003.0675 ESB-2003.0679 ESB-2003.0687 ESB-2003.0691 ESB-2003.0701 ESB-2003.0704 ESB-2003.0834 ESB-2003.0858 ESB-2004.0065
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2003.16 -- AUSCERT ALERT
Buffer Management Vulnerability in OpenSSH
CERT Advisory CA-2003-24
17 September 2003
===========================================================================
AusCERT Alert Summary
---------------------
Product: OpenSSH prior to 3.7
Implementations of code derived from
OpenSSH prior to 3.7
Publisher: CERT/CC
Impact: Denial of Service
Execute Arbitrary Code/Commands
Access Required: Remote
CVE Names: CAN-2003-0693
AusCERT is issuing this external security bulletin as an AusCERT ALERT
to emphasize the significance of the newly discovered vulnerability
in OpenSSH prior to 3.7.
AusCERT advises users and sites running OpenSSH prior to 3.7, and any
implementations of code derived from OpenSSH prior to 3.7, to evaluate
their exposure to these vulnerabilities and to apply the vendor patches,
and/or network filters as deemed necessary.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH
Original release date: September 16, 2003
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Systems running versions of OpenSSH prior to 3.7
* Systems that use or derive code from vulnerable versions of
OpenSSH
Overview
There is a remotely exploitable vulnerability in a general buffer
management function in versions of OpenSSH prior to 3.7. This may
allow a remote attacker to corrupt heap memory which could cause a
denial-of-service condition. It may also be possible for an attacker
to execute arbitrary code.
I. Description
A vulnerability exists in the buffer management code of OpenSSH. This
vulnerability affects versions prior to 3.7. The error occurs when a
buffer is allocated for a large packet. When the buffer is cleared, an
improperly sized chunk of memory is filled with zeros. This leads to
heap corruption, which could cause a denial-of-service condition. This
vulnerability may also allow an attacker to execute arbitrary code.
This vulnerability is described in an advisory from OpenSSH
<http://www.openssh.com/txt/buffer.adv>
and in FreeBSD-SA-03:12:
<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.
openssh.asc>
Other systems that use or derive code from OpenSSH may be affected.
This includes network equipment and embedded systems. We have
monitored incident reports that may be related to this vulnerability.
Vulnerability Note VU#333628 lists the vendors we contacted about this
vulnerability. The vulnerability note is available from
<http://www.kb.cert.org/vuls/id/333628>
This vulnerability has been assigned the following Common
Vulnerabilities and Exposures (CVE) number:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
II. Impact
While the full impact of this vulnerability is unclear, the most
likely result is heap corruption, which could lead to a denial of
service.
If it is possible for an attacker to execute arbitrary code, then they
may be able to so with the privileges of the user running the sshd
process, typically root. This impact may be limited on systems using
the privilege separation (privsep) feature available in OpenSSH.
III. Solution
Upgrade to OpenSSH version 3.7
This vulnerability is resolved in OpenSSH version 3.7, which is
available from the OpenSSH web site at
<http://www.openssh.com/>
Apply a patch from your vendor
A patch for this vulnerability is included in the OpenSSH advisory at
<http://www.openssh.com/txt/buffer.adv>
This patch may be manually applied to correct this vulnerability in
affected versions of OpenSSH. If your vendor has provided a patch or
upgrade, you may want to apply it rather than using the patch from
OpenSSH. Find information about vendor patches in Appendix A. We will
update this document as vendors provide additional information.
Use privilege separation to minimize impact
System administrators running OpenSSH versions 3.2 or higher may be
able to reduce the impact of this vulnerability by enabling the
"UsePrivilegeSeparation" configuration option in their sshd
configuration file. Typically, this is accomplished by creating a
privsep user, setting up a restricted (chroot) environment, and adding
the following line to /etc/ssh/sshd_config:
UsePrivilegeSeparation yes
This workaround does not prevent this vulnerability from being
exploited, however due to the privilege separation mechanism, the
intruder may be limited to a constrained chroot environment with
restricted privileges. This workaround will not prevent this
vulnerability from creating a denial-of-service condition. Not all
operating system vendors have implemented the privilege separation
code, and on some operating systems it may limit the functionality of
OpenSSH. System administrators are encouraged to carefully review the
implications of using the workaround in their environment and use a
more comprehensive solution if one is available. The use of privilege
separation to limit the impact of future vulnerabilities is
encouraged.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in the revision history.
Additional vendors who have not provided direct statements, but who
have made public statements or informed us of their status are listed
in VU#333628. If a vendor is not listed below or in VU#333628, we have
not received their comments.
Bitvise
Our software shares no codebase with the OpenSSH implementation,
therefore we believe that, in our products, this problem does not
exist.
Cray, Inc.
Cray Inc. supports OpenSSH through its Cray Open Software (COS)
package. Cray is vulnerable to this buffer management error and is
in the process of compiling OpenSSH 3.7. The new version will be
made available in the next COS release.
Debian
A fix for the buffer management vulnerability is available for the
ssh package at http://www.debian.org/security/2003/dsa-382
A fix for the ssh-krb5 (ssh with kerberos support) package is
available at http://www.debian.org/security/2003/dsa-383
Mandrake Software
Mandrake Linux is affected and MDKSA-2003:090 will be released
today with patched versions of OpenSSH to resolve this issue.
PuTTY
PuTTY is not based on the OpenSSH code base, so it should not be
vulnerable to any OpenSSH-specific attacks.
_________________________________________________________________
The CERT/CC thanks Markus Friedl of the OpenSSH project for his
technical assistance in producing this advisory.
_________________________________________________________________
Authors: Jason A. Rafail and Art Manion
______________________________________________________________________
This document is available from:
<http://www.cert.org/advisories/CA-2003-24.html>
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
<http://www.cert.org/CERT_PGP.key>
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
<http://www.cert.org/>
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
September 16, 2003: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBP2eByzpmH2w9K/0VAQGnaAP/Zb54OjkSVC0594mOAQDT5s92IOUHY2ND
aonp3h1jPmg6kJ6jJyh1Z4ZyC3tFoQa8EnAgKs7tFYJHr/65t4ASLycB/X/tJu1T
KGIG+yJ/MP9OZ0s/i2Rp95x1u8wrQHoq1TuDs+sJ6clu638dFcgZk2CzZSojPIr9
hgzCzPOAscA=
=Xysb
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This alert is provided as a service to AusCERT's members. As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.
NOTE: This is only the original release of the alert. It may not be
updated when updates to the original are made. If downloading at a later
date, it is recommended that the alert is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the alert above. If you have any questions or need further information,
please contact them directly.
Previous advisories, alerts and external security bulletins can be
retrieved from:
http://www.auscert.org.au/render.html?cid=1977
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBP2ebbSh9+71yA2DNAQHoDgP/a+MMItJdhv17pqaYTmjYv2fx7NqfDCno
E6l7xFUeMSOV72fFF4u8yZiMEXNQ6C1hcfaCethwLqN0VNoHp58wJMdtwZIoTdFi
1nyVfWVQRpIiVn4UDvjLG7mAFgvePQSSvOrOZhWWi55AJ6B0ngXmRRmymHRHjZNm
DI3e3Pt5bys=
=iop1
-----END PGP SIGNATURE-----
|