List: isn
Subject: [ISN] Fix Is In for OpenSSH Flaw
From: InfoSec News <isn () c4i ! org>
Date: 2002-06-27 8:02:58
http://www.eweek.com/article2/0,3959,284460,00.asp
June 26, 2002
By Chris Gonsalves
A vulnerability in a popular, free implementation of the Secure Shell
protocols that prompted a warning from the suite's developers has been
quickly capped.
The vulnerability in OpenSSH versions 2.9.9 through 3.3 was the result
of an input validation error that enabled an integer overflow and
privilege escalation, according to developers. OpenSSH, a free set of
network connectivity tools developed by the OpenBSD Project, is
frequently used in place of telnet, rlogin and ftp access and comes
bundled with OpenBSD and many other Unix operating systems, including
the recently released Solaris 9.
The vulnerability was first disclosed on the OpenSSH Web site Tuesday,
with a warning that users should enable privilege separation features
and prepare to upgrade to OpenSSH 3.4 on Monday, July 1. The security
threat was detailed by Internet Security Systems researchers on
Wednesday morning, however, prompting an early release of the new SSH
suite.
According to the ISS advisory, the vulnerability exists within the
"challenge-response" authentication mechanism in the OpenSSH daemon, or
sshd.
"This mechanism, part of the SSH2 protocol, verifies a user's identity
by generating a challenge and forcing the user to supply a number of
responses. It is possible for a remote attacker to send a
specially-crafted reply that triggers an overflow," ISS researchers
wrote. "This can result in a remote denial of service attack on the
OpenSSH daemon or a complete remote compromise. The OpenSSH daemon
runs with superuser privilege, so remote attackers can gain superuser
access by exploiting this vulnerability."
ISS researchers said they are aware of active development efforts to
exploit the vulnerability.
The OpenSSH advisory and patch are at www.openssh.org/txt/preauth.adv.
The initial vulnerability disclosure came just days after the release
of Version 3.3 of the SSH package.
"We believe we have the information contained. It is after all in
27,000 lines of code," developer Theo de Raadt, founder of the OpenBSD
and OpenSSH projects, said late Tuesday. "If it does leak out, or a
parallel discovery of it happens, we will be ready with an immediate
patch."
Even before the latest vulnerability was disclosed, OpenSSH developers
had consistently suggested that users employ the tool's privilege
separation feature. The feature safeguards against any corruption in
the sshd, which could lead to root compromise, according to OpenSSH
developers.
OpenSSH encrypts all traffic, including passwords, to thwart
eavesdropping, connection hijacking and other network-level attacks,
according to developers. In addition, OpenSSH provides secure
tunneling capabilities and a variety of authentication methods.
In addition to OpenBSD and FreeBSD, OpenSSH works with dozens of
operating systems including most flavors of Linux; NetBSD; Computone;
Stallion; MacOS X Version 10.1; HP Procurve Switch 4108GL and
2524/2512; and IBM AIX.
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.