OpenSSH "Challenge-Response" authentication buffer overflow

openssh-challenge-response-bo (9169)    Risk level: High

Description:

OpenSSH is vulnerable to a buffer overflow in its "Challenge-Response" (keyboard-interactive) authentication mechanism (CVE-2002-0639). After the server issues a challenge, the client returns a message that carries a 32-bit integer giving the number of responses that follow, and then the responses themselves. sshd uses that integer to size the array in which the responses are stored, so an overly large value wraps the computed allocation size, and the loop that copies the responses then writes past the end of the undersized buffer. A remote attacker can exploit this before authentication completes to execute arbitrary code with root privileges on any server on which the mechanism is enabled.
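The sizing error described above, shown as an added example written for this page rather than taken from OpenSSH: the vulnerable arithmetic beside a parser that bounds the count before using it. The message layout (a 32-bit count, then length-prefixed strings) is the SSH userauth info-response format; the cap value, the function names and the two sample messages are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration of the bug class in this advisory, written for this page; it is
 * not OpenSSH source. The userauth "info response" message carries a 32-bit
 * response count followed by that many length-prefixed strings. MAX_RESPONSES
 * and all function names are assumptions made for the example. */
#define MAX_RESPONSES 100u

/* Models the vulnerable sizing on a 32-bit host: count * sizeof(char *) is done
 * in 32-bit arithmetic, so a count of 0x40000001 yields a 4-byte allocation
 * that the loop storing 0x40000001 pointers then overruns. */
uint32_t vulnerable_alloc_size(uint32_t nresp)
{
    const uint32_t ptr_size = 4;   /* pointer width on the 2002-era 32-bit targets */
    return nresp * ptr_size;       /* wraps modulo 2^32 */
}

/* Minimal bounds-checked reader over a message body. */
struct reader { const uint8_t *p; size_t left; };

static int get_u32(struct reader *r, uint32_t *v)
{
    if (r->left < 4) return -1;
    *v = ((uint32_t)r->p[0] << 24) | ((uint32_t)r->p[1] << 16) |
         ((uint32_t)r->p[2] << 8) | (uint32_t)r->p[3];
    r->p += 4; r->left -= 4;
    return 0;
}

static int get_string(struct reader *r, char **out)
{
    uint32_t n;
    if (get_u32(r, &n) < 0 || n > r->left) return -1; /* length exceeds bytes present */
    char *s = malloc((size_t)n + 1);
    if (s == NULL) return -1;
    memcpy(s, r->p, n);
    s[n] = '\0';
    r->p += n; r->left -= n;
    *out = s;
    return 0;
}

/* Hardened parser: caps the count before it is used to size anything and never
 * trusts the count to match the bytes actually present. Returns the number of
 * responses parsed (caller frees with free_responses), or -1 if malformed. */
int parse_info_response(const uint8_t *buf, size_t len, char ***responses)
{
    struct reader r = { buf, len };
    uint32_t nresp;
    *responses = NULL;
    if (get_u32(&r, &nresp) < 0) return -1;
    if (nresp > MAX_RESPONSES) return -1;             /* the missing check */
    if (nresp > SIZE_MAX / sizeof(char *)) return -1; /* defence in depth: no wrap */
    char **resp = calloc(nresp ? nresp : 1, sizeof(char *));
    if (resp == NULL) return -1;
    for (uint32_t i = 0; i < nresp; i++) {
        if (get_string(&r, &resp[i]) < 0) {
            for (uint32_t j = 0; j < i; j++) free(resp[j]);
            free(resp);
            return -1;
        }
    }
    *responses = resp;
    return (int)nresp;
}

void free_responses(char **responses, int n)
{
    for (int i = 0; i < n; i++) free(responses[i]);
    free(responses);
}

/* Constructed sample messages for the demonstration (not captured traffic). */
static const uint8_t good_msg[] = {
    0, 0, 0, 2,                  /* nresp = 2 */
    0, 0, 0, 3, 'p', 'w', '1',   /* "pw1" */
    0, 0, 0, 3, 't', 'o', 'k'    /* "tok" */
};
static const uint8_t hostile_msg[] = {
    0x40, 0, 0, 1,               /* nresp = 0x40000001 */
    0, 0, 0, 3, 'p', 'w', '1'
};

int main(void)
{
    char **r;
    int n = parse_info_response(good_msg, sizeof good_msg, &r);
    printf("good message: %d responses, first = \"%s\"\n", n, n > 0 ? r[0] : "");
    free_responses(r, n);
    n = parse_info_response(hostile_msg, sizeof hostile_msg, &r);
    printf("hostile message: rejected (%d); unchecked sizing would allocate %u bytes\n",
           n, vulnerable_alloc_size(0x40000001u));
    return 0;
}
```

The 32-bit model in vulnerable_alloc_size is deliberate: on a 64-bit host the same multiplication does not wrap, but the second failure mode (a count far larger than the bytes present) still applies, which is why the hardened parser checks both the cap and the remaining length.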


Consequences:

Gain Access

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
openssh-challenge-response-bo

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
SSH_ChallengeReponse_Bo

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 22

For Manual Protection:

Upgrade to the latest version of OpenSSH (3.4 or later), available from the OpenSSH Web site. See References.

For Conectiva Linux 6.0:
Upgrade to the latest openssh package (3.4p1-1U60_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:502. See References.

For Conectiva Linux 7.0:
Upgrade to the latest openssh package (3.4p1-1U70_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:502. See References.

For Conectiva Linux 8.0:
Upgrade to the latest openssh package (3.4p1-1U8_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:502. See References.

For Caldera OpenLinux 3.1 and 3.1.1 Workstation and Server:
As a precaution, set both ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt to "no" in /etc/ssh/sshd_config and restart sshd so the change takes effect. See References.
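A check for that workaround, added here as an example and not taken from the Caldera advisory or from OpenSSH: it reads the first occurrence of each keyword the way sshd does and treats an absent keyword as not disabled, because sshd's built-in default for ChallengeResponseAuthentication is "yes". The sample configurations are constructed in temporary files; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this page (not from the advisory or any vendor): audit an
# sshd_config for the two keywords the workaround above disables. sshd honours
# the FIRST occurrence of a keyword and applies a built-in default when it is
# absent (ChallengeResponseAuthentication defaults to "yes"), so the check must
# return the first match and treat an absent keyword as not disabled, rather
# than merely grep for the word "no". Keyword matching is case-insensitive and
# "#" starts a comment. The "Keyword=value" spelling is not handled here.

# effective_option FILE KEYWORD -> prints the value sshd would use, lower-cased,
# or "unset" if the keyword does not appear outside a comment.
effective_option() {
    val=$(sed 's/#.*//' "$1" | awk -v k="$2" '
        tolower($1) == tolower(k) { print tolower($2); exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else echo unset; fi
}

# challenge_response_exposed FILE -> succeeds (exit 0) when the workaround is
# NOT fully in place, i.e. either keyword is missing or not explicitly "no".
challenge_response_exposed() {
    cra=$(effective_option "$1" ChallengeResponseAuthentication)
    pam=$(effective_option "$1" PAMAuthenticationViaKbdInt)
    [ "$cra" != no ] || [ "$pam" != no ]
}

# Demonstration on two constructed configs: the weak setting and the fix.
weak=$(mktemp); fixed=$(mktemp)
cat > "$weak" <<'EOF'
Port 22
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no    # ignored by sshd: the first occurrence wins
EOF
cat > "$fixed" <<'EOF'
Port 22
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
EOF
for f in "$weak" "$fixed"; do
    cra=$(effective_option "$f" ChallengeResponseAuthentication)
    pam=$(effective_option "$f" PAMAuthenticationViaKbdInt)
    if challenge_response_exposed "$f"; then
        echo "$f: EXPOSED (ChallengeResponseAuthentication=$cra PAMAuthenticationViaKbdInt=$pam)"
    else
        echo "$f: workaround in place"
    fi
done
rm -f "$weak" "$fixed"
```

Run it against the real file with `challenge_response_exposed /etc/ssh/sshd_config`; a non-zero exit means both keywords are explicitly "no". The check is only a workaround audit: it does not replace upgrading to OpenSSH 3.4 or later.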

For FreeBSD-CURRENT (sources dated between 2002-03-18 and 2002-06-25):
Apply the workaround for this vulnerability or upgrade to FreeBSD-CURRENT sources dated after 2002-06-25, as listed in FreeBSD Security Advisory FreeBSD-SA-02:31. See References.

For EnGarde Secure Linux: Community Edition:
Upgrade to the latest openssh package (3.4p1-1.0.22 or later), as listed in Engarde Secure Linux Security Advisory ESA-20020702-016. See References.

For Mandrake Linux 7.1, 7.2, Single Network Firewall 7.2 and Corporate Server 1.0.1:
Upgrade to the latest openssh package (3.4p1-1.2mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:040-1 : openssh. See References.

For Mandrake Linux 8.0 and 8.2:
Upgrade to the latest openssh package (3.4p1-1.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:040-1 : openssh. See References.

For Red Hat Linux 7.0 and 7.1:
Upgrade to the latest openssh package (3.1p1-5 or later), as listed in RHSA-2002:127-18. See References.

For Red Hat Linux 7.2 and 7.3:
Upgrade to the latest openssh package (3.1p1-6 or later), as listed in RHSA-2002:127-18. See References.

For Trustix Linux 1.1, 1.2, and 1.5:
Upgrade to the latest openssh package (3.1p1-6 or later), as listed in Trustix Secure Linux Security Advisory #2002-0059. See References.

For SuSE Linux:
Upgrade to the latest openssh package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2002:024 for more information. See References.

SuSE Linux 8.0 (Intel): 3.4p1-4 or later

SuSE Linux 7.2 and 7.3 (Intel): 2.9.9p2-103 or later

SuSE Linux 7.1 (Intel): 2.9.9p2-102 or later

SuSE Linux 7.0 (Intel): 2.9.9p2-101 or later

SuSE Linux 6.4 (Intel): 2.9.9p2-100 or later

SuSE Linux 7.3 (Sparc): 2.9.9p2-39 or later

SuSE Linux 7.1 (Sparc): 2.9.9p2-38 or later

SuSE Linux 7.0 (Sparc): 2.9.9p2-37 or later

SuSE Linux 7.1 (AXP Alpha): 2.9.9p2-42 or later

SuSE Linux 6.4 and 7.0 (AXP Alpha): 2.9.9p2-41 or later

SuSE Linux 7.1 and 7.3 (PPC Power): 2.9.9p2-72 or later

SuSE Linux 6.4 and 7.0 (PPC Power): 2.9.9p2-71 or later

For FreeBSD Ports Collection:
Upgrade to the latest ports collection, as listed in FreeBSD Security Notice FreeBSD-SN-02:05. See References.

For Solaris 9:
Apply patch 113273-01, as listed in Sun Alert ID: 45525. See References.

For Solaris:
Apply the patch for this vulnerability, as listed in Sun Alert ID: 45508. See References.

— OR —

As a workaround, follow the instructions as listed in Sun Alert ID: 45508. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Conectiva Linux 6.0
  • Conectiva Linux 7.0
  • Conectiva Linux 8.0
  • Debian Debian Linux 2.2
  • Debian Debian Linux 3.0
  • EngardeLinux Secure Linux
  • FreeBSD FreeBSD CURRENT
  • FreeBSD FreeBSD Ports Collection
  • Immunix Immunix OS 7+-beta
  • Immunix Immunix OS 7.0
  • MandrakeSoft Mandrake Linux 7.1
  • MandrakeSoft Mandrake Linux 7.2
  • MandrakeSoft Mandrake Linux 8.0
  • MandrakeSoft Mandrake Linux 8.1
  • MandrakeSoft Mandrake Linux 8.2
  • MandrakeSoft Mandrake Linux Corporate Server 1.0.1
  • MandrakeSoft Mandrake Single Network Firewall 7.2
  • NetBSD NetBSD 1.5
  • NetBSD NetBSD 1.5.1
  • NetBSD NetBSD 1.5.2
  • NetBSD NetBSD 1.6 beta
  • Novell SuSE Linux Enterprise Server 7.0
  • OpenBSD OpenBSD 3.0
  • OpenBSD OpenBSD 3.1
  • OpenBSD OpenSSH 3.0
  • OpenBSD OpenSSH 3.0.1
  • OpenBSD OpenSSH 3.0.1p1
  • OpenBSD OpenSSH 3.0.2
  • OpenBSD OpenSSH 3.0.2p1
  • OpenBSD OpenSSH 3.0p1
  • OpenBSD OpenSSH 3.1
  • OpenBSD OpenSSH 3.1p1
  • OpenBSD OpenSSH 3.2
  • OpenBSD OpenSSH 3.2.2
  • OpenBSD OpenSSH 3.2.2p1
  • OpenBSD OpenSSH 3.2.3p1
  • OpenPKG OpenPKG 1.0
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.1 for iSeries
  • RedHat Linux 7.1 for pSeries
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • SCO Caldera OpenLinux Server 3.1
  • SCO Caldera OpenLinux Server 3.1.1
  • SCO Caldera OpenLinux Workstation 3.1
  • SCO Caldera OpenLinux Workstation 3.1.1
  • Sun Solaris 9
  • SuSE SuSE eMail Server III
  • SUSE SuSE Linux 6.4
  • SUSE SuSE Linux 7.0
  • SUSE SuSE Linux 7.1
  • SUSE SuSE Linux 7.2
  • SUSE SuSE Linux 7.3
  • SUSE SuSE Linux 8.0
  • SuSE SuSE Linux Database Server
  • SuSE SuSE Linux Firewall
  • Trustix Secure Linux 1.1
  • Trustix Secure Linux 1.2
  • Trustix Secure Linux 1.5

Reported:

Jun 26, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
