Privilege escalation vulnerability in OpenSSH 2.9.9 through 3.3
| Package(s): | openssh | CVE #(s): | |
| Created: | June 26, 2002 | Updated: | July 3, 2002 |
Description:

OpenSSH versions 2.9.9 through 3.3 have a bug in input validation which can lead to an integer overflow and privilege escalation.

According to the OpenSSH developers:

Systems running with UsePrivilegeSeparation yes or ChallengeResponseAuthentication no are not affected.

The 3.4 release contains many other fixes done over a week long audit started when this issue came to light. We believe that some of those fixes are likely to be important security fixes. Therefore, we urge an upgrade to 3.4.

Upgrading to OpenSSH 3.4 is recommended. See the CERT Advisory and OpenSSH Security Advisory for more information including patches for the "pre-authentication problem." OpenSSH 3.3 users are encouraged to also read the previous vulnerability report.

OpenSSH 3.2 and later have the bug in input validation but prevent the privilege escalation if privilege separation is enabled by setting UsePrivilegeSeparation in sshd_config. Version 3.3 was the first release to turn on "privilege separation" by default.

Essentially, privilege separation works by splitting the ssh server into two cooperating processes. One process is charged with talking to the network; it runs without privilege. The other process sits back, makes decisions, and hands out privileges when it's convinced that is the right thing to do.

CERT Advisory: CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Handling
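The conditions in this entry (affected range 2.9.9 through 3.3, plus the two sshd_config settings the developers name) can be checked mechanically. The following is an added example, not code from the advisory or from OpenSSH; the function names are hypothetical, and it assumes ChallengeResponseAuthentication is "yes" when unset and that the first occurrence of a keyword wins.

```python
import re

# Version range and settings exactly as stated in the entry above.
FIRST_AFFECTED = (2, 9, 9)
LAST_AFFECTED = (3, 3, 0)
PRIVSEP_AVAILABLE = (3, 2, 0)   # "OpenSSH 3.2 and later"
PRIVSEP_DEFAULT_ON = (3, 3, 0)  # 3.3 first turned privilege separation on by default

def parse_version(text):
    """Turn '3.3p1' or 'OpenSSH_3.0.2p1' into a comparable (major, minor, patch)."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in match.group().split(".")]
    return tuple((parts + [0, 0])[:3])

def parse_sshd_config(text):
    """Map lower-cased keyword -> lower-cased value, skipping comment lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            # Assumption: the first occurrence of a keyword wins.
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def assess(version, config_text):
    """Return 'outside-range', 'mitigated-by-config' or 'exposed'."""
    v = parse_version(version)
    if not FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "outside-range"
    opts = parse_sshd_config(config_text)
    default = "yes" if v >= PRIVSEP_DEFAULT_ON else "no"
    privsep = (v >= PRIVSEP_AVAILABLE
               and opts.get("useprivilegeseparation", default) == "yes")
    # Assumption: ChallengeResponseAuthentication defaults to "yes" when unset.
    challenge = opts.get("challengeresponseauthentication", "yes") == "yes"
    return "mitigated-by-config" if privsep or not challenge else "exposed"

# Constructed sample sshd_config: the mitigation is commented out, privsep is off.
SAMPLE_CONFIG = """\
Port 22
#ChallengeResponseAuthentication no
UsePrivilegeSeparation no
"""
```

A result of "mitigated-by-config" reflects only the two settings named here; the entry still recommends upgrading to 3.4.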
