OpenSSH Security Advisory (adv.iss)
From: Markus Friedl <markus@openbsd.org>
To: lwn@lwn.net
Subject: OpenSSH Security Advisory (adv.iss)
Date: Wed, 26 Jun 2002 16:42:13 +0200
1. Versions affected:
All versions of OpenSSH's sshd between 2.9.9 and 3.3
contain an input validation error that can result in
an integer overflow and privilege escalation.
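As an added illustration (not part of the advisory), the arithmetic behind that integer overflow: the unpatched sshd sized the response array as nresp * sizeof(char*) from a peer-supplied count, so a 32-bit multiply can wrap to a tiny allocation while the loop over nresp entries still runs the full count. The claimed count and the pointer size below are constructed values; the bound of 100 is the one the patch in the appendix adds.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Bound added by the auth2-chall.c patch: nresp > 100 is fatal(). */
#define MAX_RESPONSES 100u

/*
 * Allocation size as unpatched sshd computed it, nresp * sizeof(char*),
 * modelled in 32-bit unsigned arithmetic (u_int on a 32-bit host) so the
 * wrap is reproducible everywhere.  ptr_size stands in for sizeof(char*).
 */
uint32_t unchecked_array_size(uint32_t nresp, uint32_t ptr_size)
{
    return nresp * ptr_size;            /* silently reduced modulo 2^32 */
}

/* True when the multiplication above did not fit in 32 bits. */
bool size_wrapped(uint32_t nresp, uint32_t ptr_size)
{
    if (nresp == 0 || ptr_size == 0)
        return false;
    return unchecked_array_size(nresp, ptr_size) / ptr_size != nresp;
}

/*
 * Hardened variant, mirroring the patch: refuse any count above the bound
 * before doing any arithmetic.  Returns the byte count, or -1 where the
 * patched sshd would call fatal().
 */
int64_t checked_array_size(uint32_t nresp, uint32_t ptr_size)
{
    if (nresp > MAX_RESPONSES)
        return -1;
    return (int64_t)nresp * ptr_size;   /* at most 100 * ptr_size, no wrap */
}

int main(void)
{
    /* Constructed peer-supplied count: 2^30 + 1 responses claimed. */
    uint32_t claimed = 0x40000001u;
    printf("unchecked: %u bytes for %u responses (wrapped=%d)\n",
           unchecked_array_size(claimed, 4), claimed, size_wrapped(claimed, 4));
    printf("checked:   %lld\n", (long long)checked_array_size(claimed, 4));
    return 0;
}
```

With a 4-byte pointer the claimed count yields a 4-byte array for over a billion entries; the patched path rejects it before any allocation.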
OpenSSH 3.4 and later are not affected.
OpenSSH 3.2 and later prevent privilege escalation
if UsePrivilegeSeparation is enabled in sshd_config.
OpenSSH 3.3 enables UsePrivilegeSeparation by
default.
Although OpenSSH 2.9 and earlier are not affected
upgrading to OpenSSH 3.4 is recommended, because
OpenSSH 3.4 adds checks for a class of potential bugs.
2. Impact:
This bug can be exploited remotely if
ChallengeResponseAuthentication is enabled in sshd_config.
Affected are at least systems supporting
s/key over SSH protocol version 2 (OpenBSD, FreeBSD
and NetBSD as well as other systems supporting
s/key with SSH). Exploitability of systems
using PAM in combination has not been verified.
3. Short-Term Solution:
Disable ChallengeResponseAuthentication in sshd_config.
or
Enable UsePrivilegeSeparation in sshd_config.
4. Solution:
Upgrade to OpenSSH 3.4 or apply the following patches.
5. Credits:
ISS.
Appendix:
A:
Index: auth2-chall.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
retrieving revision 1.18
diff -u -r1.18 auth2-chall.c
--- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18
+++ auth2-chall.c 26 Jun 2002 09:37:03 -0000
@@ -256,6 +256,8 @@
authctxt->postponed = 0; /* reset */
nresp = packet_get_int();
+ if (nresp > 100)
+ fatal("input_userauth_info_response: nresp too big %u", nresp);
if (nresp > 0) {
response = xmalloc(nresp * sizeof(char*));
for (i = 0; i < nresp; i++)
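Review bot: the limit in this hunk's `if (nresp > 100)` check is a bare magic number with no comment saying why 100 is safe, and the check only caps the count rather than tying it to the number of prompts actually sent, which the auth2-pam.c patch in appendix B does with `nresp != context_pam2.num_expected`. Suggest naming the limit with a `#define` next to the other constants and, if the challenge context records how many prompts were issued, rejecting any mismatch as well, since a client should never answer more prompts than it received.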
B:
Index: auth2-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth2-pam.c,v
retrieving revision 1.12
diff -u -r1.12 auth2-pam.c
--- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12
+++ auth2-pam.c 26 Jun 2002 10:12:31 -0000
@@ -140,6 +140,15 @@
nresp = packet_get_int(); /* Number of responses. */
debug("got %d responses", nresp);
+
+ if (nresp != context_pam2.num_expected)
+ fatal("%s: Received incorrect number of responses "
+ "(expected %u, received %u)", __func__, nresp,
+ context_pam2.num_expected);
+
+ if (nresp > 100)
+ fatal("%s: too many replies", __func__);
+
for (i = 0; i < nresp; i++) {
int j = context_pam2.prompts[i];
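Review bot: the arguments to the `fatal()` in this hunk's first added check are in the wrong order for its format string: `"(expected %u, received %u)"` is passed `nresp, context_pam2.num_expected`, so the log line reports the received count as expected and vice versa; swap them to `context_pam2.num_expected, nresp`. The following `nresp > 100` check is only reachable when `num_expected` itself exceeds 100, which is fine as defense in depth but deserves a comment, and `debug("got %d responses", nresp)` prints with `%d` a value the new checks treat as unsigned.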
Source RPM of 3.4p1 available
Posted Jun 26, 2002 15:20 UTC (Wed)
by proski (subscriber, #104)
Source RPM of 3.4p1 is here:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/
Sorry for using the main site, but mirrors still don't have it.
Build binary RPMs by running
rpm --rebuild openssh-3.4p1-1.src.rpm
To avoid doing it as root, create file ~/.rpmmacros with just one line:
%_usrsrc /home/yourname/src
Then copy /usr/src/redhat to /home/yourname/src/redhat as user. Now you can rebuild RPMs as user.

OpenSSH Security Advisory (adv.iss)
Posted Jun 26, 2002 15:47 UTC (Wed)
by garloff (subscriber, #319)
Given the seriousness of the problem, I do understand why Theo wanted distributors to upgrade to 3.3 (and enable PrivSep) before publishing the vulnerability.
I do not understand why the bugfix has not been communicated to the Linux distributors before publishing it. Normally that happens. The different distributors could have coordinated their updates and released their advisories shortly after the publication from the OpenSSH team.
Basically, the message I read from this procedure is "We BSD people don't care about you Linux people."

OpenSSH Security Advisory (adv.iss)
Posted Jun 26, 2002 16:54 UTC (Wed)
by smoogen (subscriber, #97)
Wasn't this supposed to be released on Monday of next week? Why the jumpstart.. and isn't this the second ISS pushed fix that may or may not fix things in a month?

OpenSSH Security Advisory (adv.iss)
Posted Jun 26, 2002 19:36 UTC (Wed)
by smoogen (subscriber, #97)
I have to amend this comment. It would seem that some cracker decided to post a working exploit before anyone could be fixed..

Trust destroyed
Posted Jun 26, 2002 18:16 UTC (Wed)
by jacobo (guest, #76)
I'm unimpressed by the handling of this from the OpenSSH team. Now how can we be sure that there aren't more issues they know about but we don't? Very poor handling by the OpenSSH folks... :-(

Trust destroyed
Posted Jun 26, 2002 20:35 UTC (Wed)
by captrb (guest, #2291)
I'm not sure that I understand your reasoning. They DID release the details of the exploit and made a very public announcement so that people had a chance to prepare. In my mind, this increases my trust in the openssh/bsd developers.
-capt
