[ISN] Fix Is In for OpenSSH Flaw

From: InfoSec News (isnat_private)
Date: Thu Jun 27 2002 - 01:02:58 PDT

  • Next message: InfoSec News: "[ISN] Government Not Ready for Cyberattacks"

    June 26, 2002 
    By Chris Gonsalves 
    A vulnerability in a popular, free implementation of the Secure Shell 
    protocols that prompted a warning from the suite's developers has been 
    quickly capped. 
    The vulnerability in OpenSSH versions 2.9.9 through 3.3 was the result 
    of an input validation error that enabled an integer overflow and 
    privilege escalation, according to developers. OpenSSH, a free set of 
    network connectivity tools developed by the OpenBSD Project, is 
    frequently used in place of telnet, rlogin and ftp access and comes 
    bundled with OpenBSD and many other Unix operating systems, including 
    the recently released Solaris 9. 
    The vulnerability was first disclosed on the OpenSSH Web site Tuesday, 
    with a warning that users should enable privilege separation features 
    and prepare to upgrade to OpenSSH 3.4 on Monday, July 1. The security 
    threat was detailed by Internet Security Systems researchers on 
    Wednesday morning, however, prompting an early release on the new SSH 
    According to the ISS advisory, the vulnerability exists within the 
    "challenge-response" authentication mechanism in the OpenSSH daemon or 
    "This mechanism, part of the SSH2 protocol, verifies a user's identity 
    by generating a challenge and forcing the user to supply a number of 
    responses. It is possible for a remote attacker to send a 
    specially-crafted reply that triggers an overflow," ISS researchers 
    wrote. "This can result in a remote denial of service attack on the 
    OpenSSH daemon or a complete remote compromise. The OpenSSH daemon 
    runs with superuser privilege, so remote attackers can gain superuser 
    access by exploiting this vulnerability." 
    ISS researchers said they are aware of active development efforts to 
    exploit the vulnerability. 
    The OpenSSH advisory and patch is at www.openssh.org/txt/preauth.adv. 
    The initial vulnerability disclosure came just days after the release 
    of the Version 3.3 of the SSH package. 
    "We believe we have the information contained. It is after all in 
    27,000 lines of code," developer Theo de Raadt, founder of the OpenBSD 
    and OpenSSH projects said late Tuesday. "If it does leak out, or a 
    parallel discovery of it happens, we will be ready with an immediate 
    Even before the latest vulnerability was disclosed, OpenSSH developers 
    have consistently suggested that users employ the tool's privilege 
    separation feature. The feature safeguards against any corruption in 
    the sshd, which could lead to root compromise, according to OpenSSH 
    OpenSSH encrypts all traffic, including passwords, to thwart 
    eavesdropping, connection hijacking and other network-level attacks, 
    according to developers. In addition, OpenSSH provides secure 
    tunneling capabilities and a variety of authentication methods. 
    In addition to OpenBSD and FreeBSD, OpenSSH works with dozens of 
    operating systems including most flavors of Linux; NetBSD; Computone; 
    Stallion; MacOS X Version 10.1; HP Procurve Switch 4108GL and 
    2524/2512; and IBM AIX. 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 04:04:55 PDT