[LUGOS-SEC] [cert-advisory@cert.org: CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH]
Martin
martin at amadej.si
Thu Sep 18 00:20:46 CEST 2003
3.7p1 has holes too.
The current one is now 3.7.1p1, and don't forget to update sendmail as well..
Best regards,
-Martin
On Wednesday, 17 September 2003 10:37, Martin wrote:
> Exactly ;-)
>
> On Wednesday, 17 September 2003 00:57, Rok Potocnik wrote:
> > so that nobody is crying in a couple of days...
> > upgrade to openssh 3.7p1 as soon as possible, and if you can, get tcpwrappers
> > in hand as well...
> >
> > ----- Forwarded message from CERT Advisory <cert-advisory at cert.org> -----
> >
> > Date: Tue, 16 Sep 2003 17:43:23 -0400
> > From: CERT Advisory <cert-advisory at cert.org>
> > To: cert-advisory at cert.org
> > Subject: CERT Advisory CA-2003-24 Buffer Management Vulnerability in
> > OpenSSH
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH
> >
> > Original release date: September 16, 2003
> > Last revised: --
> > Source: CERT/CC
> >
> > A complete revision history can be found at the end of this file.
> >
> >
> > Systems Affected
> >
> > * Systems running versions of OpenSSH prior to 3.7
> > * Systems that use or derive code from vulnerable versions of
> > OpenSSH
> >
> >
> > Overview
> >
> > There is a remotely exploitable vulnerability in a general buffer
> > management function in versions of OpenSSH prior to 3.7. This may
> > allow a remote attacker to corrupt heap memory which could cause a
> > denial-of-service condition. It may also be possible for an attacker
> > to execute arbitrary code.
> >
> >
> > I. Description
> >
> > A vulnerability exists in the buffer management code of OpenSSH. This
> > vulnerability affects versions prior to 3.7. The error occurs when a
> > buffer is allocated for a large packet. When the buffer is cleared, an
> > improperly sized chunk of memory is filled with zeros. This leads to
> > heap corruption, which could cause a denial-of-service condition. This
> > vulnerability may also allow an attacker to execute arbitrary code.
> > This vulnerability is described in an advisory from OpenSSH
> >
> > <http://www.openssh.com/txt/buffer.adv>
> >
> > and in FreeBSD-SA-03:12:
> >
> > <ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc>
> >
> > Other systems that use or derive code from OpenSSH may be affected.
> > This includes network equipment and embedded systems. We have
> > monitored incident reports that may be related to this vulnerability.
> >
> > Vulnerability Note VU#333628 lists the vendors we contacted about this
> > vulnerability. The vulnerability note is available from
> >
> > <http://www.kb.cert.org/vuls/id/333628>
> >
> > This vulnerability has been assigned the following Common
> > Vulnerabilities and Exposures (CVE) number:
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
> >
> >
> > II. Impact
> >
> > While the full impact of this vulnerability is unclear, the most
> > likely result is heap corruption, which could lead to a denial of
> > service.
> >
> > If it is possible for an attacker to execute arbitrary code, then they
> > may be able to do so with the privileges of the user running the sshd
> > process, typically root. This impact may be limited on systems using
> > the privilege separation (privsep) feature available in OpenSSH.
> >
> >
> > III. Solution
> >
> > Upgrade to OpenSSH version 3.7
> >
> > This vulnerability is resolved in OpenSSH version 3.7, which is
> > available from the OpenSSH web site at
> >
> > <http://www.openssh.com/>
> >
> > Apply a patch from your vendor
> >
> > A patch for this vulnerability is included in the OpenSSH advisory at
> >
> > <http://www.openssh.com/txt/buffer.adv>
> >
> > This patch may be manually applied to correct this vulnerability in
> > affected versions of OpenSSH. If your vendor has provided a patch or
> > upgrade, you may want to apply it rather than using the patch from
> > OpenSSH. Find information about vendor patches in Appendix A. We will
> > update this document as vendors provide additional information.
> >
> > Use privilege separation to minimize impact
> >
> > System administrators running OpenSSH versions 3.2 or higher may be
> > able to reduce the impact of this vulnerability by enabling the
> > "UsePrivilegeSeparation" configuration option in their sshd
> > configuration file. Typically, this is accomplished by creating a
> > privsep user, setting up a restricted (chroot) environment, and adding
> > the following line to /etc/ssh/sshd_config:
> >
> > UsePrivilegeSeparation yes
> >
> > This workaround does not prevent this vulnerability from being
> > exploited, however due to the privilege separation mechanism, the
> > intruder may be limited to a constrained chroot environment with
> > restricted privileges. This workaround will not prevent this
> > vulnerability from creating a denial-of-service condition. Not all
> > operating system vendors have implemented the privilege separation
> > code, and on some operating systems it may limit the functionality of
> > OpenSSH. System administrators are encouraged to carefully review the
> > implications of using the workaround in their environment and use a
> > more comprehensive solution if one is available. The use of privilege
> > separation to limit the impact of future vulnerabilities is
> > encouraged.
> >
> >
> > Appendix A. - Vendor Information
> >
> > This appendix contains information provided by vendors for this
> > advisory. As vendors report new information to the CERT/CC, we will
> > update this section and note the changes in the revision history.
> > Additional vendors who have not provided direct statements, but who
> > have made public statements or informed us of their status are listed
> > in VU#333628. If a vendor is not listed below or in VU#333628, we have
> > not received their comments.
> >
> > Bitvise
> >
> > Our software shares no codebase with the OpenSSH implementation,
> > therefore we believe that, in our products, this problem does not
> > exist.
> >
> > Cray, Inc.
> >
> > Cray Inc. supports OpenSSH through its Cray Open Software (COS)
> > package. Cray is vulnerable to this buffer management error and is
> > in the process of compiling OpenSSH 3.7. The new version will be
> > made available in the next COS release.
> >
> > Debian
> >
> > A fix for the buffer management vulnerability is available for the
> > ssh package at http://www.debian.org/security/2003/dsa-382
> >
> > A fix for the ssh-krb5 (ssh with kerberos support) package is
> > available at http://www.debian.org/security/2003/dsa-383
> >
> > Mandrake Software
> >
> > Mandrake Linux is affected and MDKSA-2003:090 will be released
> > today with patched versions of OpenSSH to resolve this issue.
> >
> > PuTTY
> >
> > PuTTY is not based on the OpenSSH code base, so it should not be
> > vulnerable to any OpenSSH-specific attacks.
> > _________________________________________________________________
> >
> > The CERT/CC thanks Markus Friedl of the OpenSSH project for his
> > technical assistance in producing this advisory.
> > _________________________________________________________________
> >
> > Authors: Jason A. Rafail and Art Manion
> > ______________________________________________________________________
> >
> > This document is available from:
> > <http://www.cert.org/advisories/CA-2003-24.html>
> > ______________________________________________________________________
> >
> > CERT/CC Contact Information
> >
> > Email: cert at cert.org
> > Phone: +1 412-268-7090 (24-hour hotline)
> > Fax: +1 412-268-6989
> > Postal address:
> > CERT Coordination Center
> > Software Engineering Institute
> > Carnegie Mellon University
> > Pittsburgh PA 15213-3890
> > U.S.A.
> >
> > CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> > EDT(GMT-4) Monday through Friday; they are on call for emergencies
> > during other hours, on U.S. holidays, and on weekends.
> >
> > Using encryption
> >
> > We strongly urge you to encrypt sensitive information sent by email.
> > Our public PGP key is available from
> >
> > <http://www.cert.org/CERT_PGP.key>
> >
> > If you prefer to use DES, please call the CERT hotline for more
> > information.
> >
> > Getting security information
> >
> > CERT publications and other security information are available from
> > our web site
> >
> > <http://www.cert.org/>
> >
> > To subscribe to the CERT mailing list for advisories and bulletins,
> > send email to majordomo at cert.org. Please include in the body of your
> > message
> >
> > subscribe cert-advisory
> >
> > * "CERT" and "CERT Coordination Center" are registered in the U.S.
> > Patent and Trademark Office.
> > ______________________________________________________________________
> >
> > NO WARRANTY
> > Any material furnished by Carnegie Mellon University and the Software
> > Engineering Institute is furnished on an "as is" basis. Carnegie
> > Mellon University makes no warranties of any kind, either expressed or
> > implied as to any matter including, but not limited to, warranty of
> > fitness for a particular purpose or merchantability, exclusivity or
> > results obtained from use of the material. Carnegie Mellon University
> > does not make any warranty of any kind with respect to freedom from
> > patent, trademark, or copyright infringement.
> > ______________________________________________________________________
> >
> > Conditions for use, disclaimers, and sponsorship information
> >
> > Copyright 2003 Carnegie Mellon University.
> >
> > Revision History
> >
> > September 16, 2003: Initial release
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5.8
> >
> > iQCVAwUBP2eByzpmH2w9K/0VAQGnaAP/Zb54OjkSVC0594mOAQDT5s92IOUHY2ND
> > aonp3h1jPmg6kJ6jJyh1Z4ZyC3tFoQa8EnAgKs7tFYJHr/65t4ASLycB/X/tJu1T
> > KGIG+yJ/MP9OZ0s/i2Rp95x1u8wrQHoq1TuDs+sJ6clu638dFcgZk2CzZSojPIr9
> > hgzCzPOAscA=
> > =Xysb
> > -----END PGP SIGNATURE-----
> >
> > ----- End forwarded message -----