Information Security News mailing list archives

Fix Is In for OpenSSH Flaw


From: InfoSec News <isn () c4i org>
Date: Thu, 27 Jun 2002 03:02:58 -0500 (CDT)

http://www.eweek.com/article2/0,3959,284460,00.asp

June 26, 2002 
By Chris Gonsalves 

A vulnerability in a popular, free implementation of the Secure Shell 
protocols that prompted a warning from the suite's developers has been 
quickly capped. 

The vulnerability in OpenSSH versions 2.9.9 through 3.3 was the result 
of an input validation error that enabled an integer overflow and 
privilege escalation, according to developers. OpenSSH, a free set of 
network connectivity tools developed by the OpenBSD Project, is 
frequently used in place of telnet, rlogin and ftp access and comes 
bundled with OpenBSD and many other Unix operating systems, including 
the recently released Solaris 9. 

The vulnerability was first disclosed on the OpenSSH Web site Tuesday, 
with a warning that users should enable privilege separation features 
and prepare to upgrade to OpenSSH 3.4 on Monday, July 1. The security 
threat was detailed by Internet Security Systems researchers on 
Wednesday morning, however, prompting an early release of the new SSH
suite.

According to the ISS advisory, the vulnerability exists within the 
"challenge-response" authentication mechanism in the OpenSSH daemon,
or sshd.

"This mechanism, part of the SSH2 protocol, verifies a user's identity 
by generating a challenge and forcing the user to supply a number of 
responses. It is possible for a remote attacker to send a 
specially-crafted reply that triggers an overflow," ISS researchers 
wrote. "This can result in a remote denial of service attack on the 
OpenSSH daemon or a complete remote compromise. The OpenSSH daemon 
runs with superuser privilege, so remote attackers can gain superuser 
access by exploiting this vulnerability." 

ISS researchers said they are aware of active development efforts to 
exploit the vulnerability. 

The OpenSSH advisory and patch are at www.openssh.org/txt/preauth.adv.

The initial vulnerability disclosure came just days after the release
of Version 3.3 of the SSH package.

"We believe we have the information contained. It is after all in 
27,000 lines of code," developer Theo de Raadt, founder of the OpenBSD 
and OpenSSH projects, said late Tuesday. "If it does leak out, or a
parallel discovery of it happens, we will be ready with an immediate 
patch." 

Even before the latest vulnerability was disclosed, OpenSSH developers
had consistently suggested that users employ the tool's privilege
separation feature. The feature safeguards against any corruption in
sshd that could lead to root compromise, according to OpenSSH
developers.

OpenSSH encrypts all traffic, including passwords, to thwart 
eavesdropping, connection hijacking and other network-level attacks, 
according to developers. In addition, OpenSSH provides secure 
tunneling capabilities and a variety of authentication methods. 

In addition to OpenBSD and FreeBSD, OpenSSH works with dozens of 
operating systems including most flavors of Linux; NetBSD; Computone; 
Stallion; MacOS X Version 10.1; HP Procurve Switch 4108GL and 
2524/2512; and IBM AIX. 
 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
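
The article gives the affected range as OpenSSH 2.9.9 through 3.3, with 3.4 as the fixed release. The following is an added example, not part of the article or of the OpenSSH project: a triage helper that classifies SSH identification banners against that range. The host names and banners are constructed sample data.

```python
import re

# Affected range as stated in the article: 2.9.9 through 3.3; 3.4 carries the fix.
FIRST_AFFECTED = (2, 9, 9)
FIRST_FIXED = (3, 4, 0)

# Matches the software field of an SSH identification string,
# e.g. "SSH-2.0-OpenSSH_3.3p1" (the portable "p1" suffix is ignored).
_BANNER = re.compile(r"^SSH-\d+\.\d+-OpenSSH_(\d+(?:\.\d+){0,2})")


def parse_openssh_version(banner):
    """Return the OpenSSH version as a 3-tuple, or None if not OpenSSH."""
    m = _BANNER.match(banner.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(banner):
    """Classify a banner as 'affected', 'not-affected' or 'unknown'."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        return "affected"
    return "not-affected"


# Constructed sample inventory (host -> banner); not data from the article.
SAMPLE_BANNERS = {
    "host-a": "SSH-1.99-OpenSSH_2.9.9p2",
    "host-b": "SSH-2.0-OpenSSH_3.3",
    "host-c": "SSH-2.0-OpenSSH_3.4p1",
    "host-d": "SSH-1.99-OpenSSH_2.9p2",
    "host-e": "SSH-2.0-ExampleSSHD_1.0",
}


def triage(banners):
    """Map each host to its classification."""
    return {host: classify(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host}: {verdict}")
```

A banner match is a lead for follow-up, not proof: vendors may backport fixes without changing the version string, so confirm against the installed package.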

