[ Date Index ][
Thread Index ]
[ <= Previous by date /
thread ]
[ Next by date /
thread => ]
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 for fucks sake. so it turns out if you have ChallengeResponseAuthentication set to no, SSH ain't vunrable and debian ssh packages ain't vunrable as they don't use AUTH_BSD or SKEY woo, now wait for 3.4 debian packages ;P ~ Theo - -- forwarded message -- Internet Security Systems Security Advisory June 26, 2002 OpenSSH Remote Challenge Vulnerability Synopsis: ISS X-Force has discovered a serious vulnerability in the default installation of OpenSSH on the OpenBSD operating system. OpenSSH is a free version of the SSH (Secure Shell) communications suite and is used as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and Ftp. OpenSSH employs end-to-end encryption (including all passwords) and is resistant to network monitoring, eavesdropping, and connection hijacking attacks. X-Force is aware of active exploit development for this vulnerability. Impact: OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be vulnerable to a remote, superuser compromise. Affected Versions: OpenBSD 3.0 OpenBSD 3.1 FreeBSD-Current OpenSSH 3.0-3.2.3 OpenSSH version 3.3 implements "privilege separation" which mitigates the risk of a superuser compromise. Prior to the release of this advisory, ISS and OpenBSD encouraged all OpenSSH users to upgrade to version 3.3. Versions of FreeBSD-Current built between March 18, 2002 and June 23, 2002 are vulnerable to remote superuser compromise. Privilege separation was implemented in FreeBSD-Current on June 23, 2002. Note: OpenSSH is included in many operating system distributions, networking equipment, and security appliances. Refer to the following address for information about vendors that implement OpenSSH: http://www.openssh.com/users.html Description: A vulnerability exists within the "challenge-response" authentication mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2 protocol, verifies a user's identity by generating a challenge and forcing the user to supply a number of responses. It is possible for a remote attacker to send a specially-crafted reply that triggers an overflow. This can result in a remote denial of service attack on the OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs with superuser privilege, so remote attackers can gain superuser access by exploiting this vulnerability. OpenSSH supports the SKEY and BSD_AUTH authentication options. These are compile-time options. At least one of these options must be enabled before the OpenSSH binaries are compiled for the vulnerable condition to be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled. The SKEY and BSD_AUTH options are not enabled by default in many distributions. However, if these options are explicitly enabled, that build of OpenSSH may be vulnerable. Recommendations: Internet Scanner X-Press Update 6.13 includes a check, OpenSshRunning, to detect potentially vulnerable installations of OpenSSH. XPU 6.13 is available from the ISS Download Center at: http://www.iss.net/download. For questions about downloading and installing this XPU, email support@xxxxxxxx ISS X-Force recommends that system administrators disable unused OpenSSH authentication mechanisms. Administrators can remove this vulnerability by disabling the Challenge-Response authentication parameter within the OpenSSH daemon configuration file. This filename and path is typically: /etc/ssh/sshd_config. To disable this parameter, locate the corresponding line and change it to the line below: ChallengeResponseAuthentication no The "sshd" process must be restarted for this change to take effect. This workaround will permanently remove the vulnerability. X-Force recommends that administrators upgrade to OpenSSH version 3.4 immediately. This version implements privilege separation, contains a patch to block this vulnerability, and contains many additional pro- active security fixes. Privilege separation was designed to limit exposure to known and unknown vulnerabilities. Visit http://www.openssh.com for more information. Additional Information: ISS X-Force and Black Hat consulting will host a presentation titled, "Professional Source Code Auditing" at Black Hat Briefings USA 2002. The presentation will explore advanced source code auditing techniques as well as secure development best-practices. Please refer to http://www.blackhat.com and http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd for more information. Credits: The vulnerability described in this advisory was discovered and researched by Mark Dowd of the ISS X-Force. ISS would like to thank Theo de Raadt of the OpenBSD Project for his assistance with this advisory. - -- Theo Zourzouvillys http://zozo.org.uk/ Live in a world of your own, but always welcome visitors. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9Gdwx448CrwpTn6YRAmgWAKDUe1Dq/65tNg68GGn3ZjFd8HZnwwCfVnl1 jew8jsI4tACXiI/9od284zI= =i0t/ -----END PGP SIGNATURE----- -- The Mailing List for the Devon & Cornwall LUG Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.