OpenSSH versions 2.9.9 through 3.3 have a bug in input validation which can lead to an integer overflow and privilege escalation.
According to the OpenSSH developers:
Systems running with UsePrivilegeSeparation yes or ChallengeResponseAuthentication no are not affected.
The 3.4 release contains many other fixes done over a week long audit started when this issue came to light. We believe that some of those fixes are likely to be important security fixes. Therefore, we urge an upgrade to 3.4.
Upgrading to OpenSSH 3.4 is recommended.
See the CERT Advisory and OpenSSH Security Advisory for more information, including patches for the "pre-authentication problem."
OpenSSH 3.3 users are encouraged to also read the previous vulnerability report.
OpenSSH 3.2 and later have the bug in input validation but prevent the privilege escalation if privilege separation is enabled by setting UsePrivilegeSeparation in sshd_config.
Version 3.3 was the first release to turn on "privilege separation" by default. Essentially, privilege separation works by splitting the ssh server into two cooperating processes. One process is charged with talking to the network; it runs without privilege. The other process sits back, makes decisions, and hands out privileges when it's convinced that is the right thing to do.
CERT Advisory: CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Handling
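The conditions above (affected version range, the two mitigating sshd_config settings, and the 3.3 privilege-separation default) can be checked mechanically. The following Python check is an added example, not code from the advisory or from OpenSSH; the function names are hypothetical, the sample configuration is constructed, and it assumes ChallengeResponseAuthentication defaults to yes when unset.

```python
import re

# Version range, mitigating settings and the 3.2/3.3 privsep facts come from the text above.
AFFECTED_MIN, AFFECTED_MAX = (2, 9, 9), (3, 3)
PRIVSEP_OPTION_FROM = (3, 2)      # UsePrivilegeSeparation can be set from 3.2
PRIVSEP_DEFAULT_ON_FROM = (3, 3)  # first release with privsep on by default

def parse_version(banner):
    """Turn 'OpenSSH_3.1p1' or '2.9.9' into a comparable tuple such as (3, 1)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError("no version number in %r" % banner)
    return tuple(int(g) for g in m.groups() if g is not None)

def effective_options(config_text):
    """Keywords are case-insensitive and sshd keeps the first value it reads."""
    opts = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = re.split(r"[\s=]+", line)
        if len(tokens) >= 2:
            opts.setdefault(tokens[0].lower(), tokens[1].lower())
    return opts

def assess(banner, config_text):
    """Return (exposed, reason) using only the conditions the advisory states."""
    v = parse_version(banner)
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return False, "version outside 2.9.9 through 3.3"
    opts = effective_options(config_text)
    # Assumption: ChallengeResponseAuthentication defaults to "yes" when unset.
    if opts.get("challengeresponseauthentication", "yes") == "no":
        return False, "ChallengeResponseAuthentication no"
    default = "yes" if v >= PRIVSEP_DEFAULT_ON_FROM else "no"
    privsep = opts.get("useprivilegeseparation", default)
    if v >= PRIVSEP_OPTION_FROM and privsep == "yes":
        return False, "UsePrivilegeSeparation yes"
    return True, "affected version with neither mitigating setting in effect"

# Constructed sample: a duplicate keyword, where the later "no" is ignored by sshd.
SAMPLE = """# constructed sshd_config fragment
Port 22
ChallengeResponseAuthentication yes
challengeresponseauthentication no
"""

if __name__ == "__main__":
    for banner in ("OpenSSH_3.1p1", "OpenSSH_3.3", "OpenSSH_3.4p1"):
        print(banner, assess(banner, SAMPLE))
```

A result of `True` means the configuration relies on neither setting the developers name as unaffected; the recommended fix remains upgrading to 3.4.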