OpenSSH "Challenge-Response" authentication buffer overflow

openssh-challenge-response-bo (9169) The risk level is classified as High Risk

Description:

OpenSSH is vulnerable to a buffer overflow in the "Challenge-Response" authentication mechanism. When a challenge is generated, the user is expected to supply a number of responses to verify their identity. The response message the user sends contains an integer that indicates how many responses are being supplied, followed by the responses themselves. By supplying an overly large integer to indicate the number of responses, a remote attacker could overflow a buffer and execute arbitrary code on the system with root privileges.
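The check this class of bug calls for, as an added example (not OpenSSH's code and not part of the original advisory): a parser for a count-prefixed response list that validates the claimed count against a cap and against the bytes actually received before it sizes any buffer. The wire layout, MAX_RESPONSES, struct resp and the sample inputs are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RESPONSES 100u /* cap assumed for this example */
/* Constructed inputs: count=2 ("ab","c"), and a huge count with one response. */
static const uint8_t SAMPLE_OK[] = {0,0,0,2, 0,0,0,2,'a','b', 0,0,0,1,'c'};
static const uint8_t SAMPLE_HUGE[] = {0x40,0,0,1, 0,0,0,1,'x'};

struct resp { const uint8_t *data; uint32_t len; }; /* view into the message */

/* Read a big-endian u32 and advance the cursor; -1 if fewer than 4 bytes remain. */
static int get_u32(const uint8_t **p, size_t *left, uint32_t *out) {
    const uint8_t *b = *p;
    if (*left < 4) return -1;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    *p += 4; *left -= 4;
    return 0;
}

/* Layout: u32 count, then per response a u32 length and that many bytes.
 * Returns the count, or -1 if the message is malformed. Caller frees *out. */
int parse_responses(const uint8_t *buf, size_t len, struct resp **out) {
    uint32_t n;
    *out = NULL;
    if (get_u32(&buf, &len, &n) != 0) return -1;
    /* Check the claimed count before it sizes anything: an unchecked
     * n * sizeof(*r) can wrap and yield an array smaller than the loop fills. */
    if (n > MAX_RESPONSES || (size_t)n * 4 > len) return -1;
    struct resp *r = calloc(n ? n : 1, sizeof(*r));
    if (r == NULL) return -1;
    for (uint32_t i = 0; i < n; i++) {
        if (get_u32(&buf, &len, &r[i].len) != 0 || r[i].len > len) {
            free(r); /* truncated length prefix or body */
            return -1;
        }
        r[i].data = buf;
        buf += r[i].len; len -= r[i].len;
    }
    *out = r;
    return (int)n;
}

int main(void) {
    struct resp *r;
    int ok = parse_responses(SAMPLE_OK, sizeof SAMPLE_OK, &r);
    free(r);
    printf("valid=%d oversized=%d\n", ok, parse_responses(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &r));
    return 0;
}
```

The second condition rejects a count that is under the cap but still larger than the received data could hold, so a short message cannot drive the loop past the end of the input.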

Platforms Affected:

  • Conectiva, Linux 6.0
  • Conectiva, Linux 7.0
  • Conectiva, Linux 8.0
  • Debian, Debian Linux 2.2
  • Debian, Debian Linux 3.0
  • EngardeLinux, Secure Linux
  • FreeBSD, FreeBSD CURRENT
  • FreeBSD, FreeBSD Ports Collection
  • Immunix, Immunix OS 7+-beta
  • Immunix, Immunix OS 7.0
  • MandrakeSoft, Mandrake Linux 7.1
  • MandrakeSoft, Mandrake Linux 7.2
  • MandrakeSoft, Mandrake Linux 8.0
  • MandrakeSoft, Mandrake Linux 8.1
  • MandrakeSoft, Mandrake Linux 8.2
  • MandrakeSoft, Mandrake Linux Corporate Server 1.0.1
  • MandrakeSoft, Mandrake Single Network Firewall 7.2
  • NetBSD, NetBSD 1.5
  • NetBSD, NetBSD 1.5.1
  • NetBSD, NetBSD 1.5.2
  • NetBSD, NetBSD 1.6 beta
  • OpenBSD, OpenBSD 3.0
  • OpenBSD, OpenBSD 3.1
  • OpenBSD, OpenSSH 3.0
  • OpenBSD, OpenSSH 3.0.1
  • OpenBSD, OpenSSH 3.0.1p1
  • OpenBSD, OpenSSH 3.0.2
  • OpenBSD, OpenSSH 3.0.2p1
  • OpenBSD, OpenSSH 3.0p1
  • OpenBSD, OpenSSH 3.1
  • OpenBSD, OpenSSH 3.1p1
  • OpenBSD, OpenSSH 3.2
  • OpenBSD, OpenSSH 3.2.2
  • OpenBSD, OpenSSH 3.2.2p1
  • OpenBSD, OpenSSH 3.2.3p1
  • OpenPKG, OpenPKG 1.0
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Linux 7
  • RedHat, Linux 7.1
  • RedHat, Linux 7.1 for iSeries
  • RedHat, Linux 7.1 for pSeries
  • RedHat, Linux 7.2
  • RedHat, Linux 7.3
  • SCO, Caldera OpenLinux Server 3.1
  • SCO, Caldera OpenLinux Server 3.1.1
  • SCO, Caldera OpenLinux Workstation 3.1
  • SCO, Caldera OpenLinux Workstation 3.1.1
  • Sun, Solaris 9
  • SuSE, SuSE eMail Server III
  • SuSE, SuSE Linux 6.4
  • SuSE, SuSE Linux 7.0
  • SuSE, SuSE Linux 7.1
  • SuSE, SuSE Linux 7.2
  • SuSE, SuSE Linux 7.3
  • SuSE, SuSE Linux 8.0
  • SuSE, SuSE Linux Database Server
  • SuSE, SuSE Linux Enterprise Server 7.0
  • SuSE, SuSE Linux Firewall
  • Trustix, Secure Linux 1.1
  • Trustix, Secure Linux 1.2
  • Trustix, Secure Linux 1.5

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
openssh-challenge-response-bo

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
SSH_ChallengeReponse_Bo

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 22

For Manual Protection:

Upgrade to the latest version of OpenSSH (3.4 or later), available from the OpenSSH Web site. See References.

For Conectiva Linux 6.0:
Upgrade to the latest openssh package (3.4p1-1U60_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:502. See References.

For Conectiva Linux 7.0:
Upgrade to the latest openssh package (3.4p1-1U70_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:502. See References.

For Conectiva Linux 8.0:
Upgrade to the latest openssh package (3.4p1-1U8_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:502. See References.

For Caldera OpenLinux 3.1 and 3.1.1 Workstation and Server:
As a precaution, disable both the ChallengeResponseAuthentication option in the /etc/ssh/sshd_config file and the sshd_config PAMAuthenticationViaKbdInt option. See References.

For FreeBSD-Current (2002-03-18 and 2002-06-25):
Apply the workaround for this vulnerability or upgrade to the latest version of FreeBSD-Current dated after 2002-06-25, as listed in FreeBSD Security Advisory FreeBSD-SA-02:31. See References.

For EnGarde Secure Linux: Community Edition:
Upgrade to the latest openssh package (3.4p1-1.0.22 or later), as listed in Engarde Secure Linux Security Advisory ESA-20020702-016. See References.

For Mandrake Linux 7.1, 7.2, and Corporate Server 1.0.1:
Upgrade to the latest openssh package (3.4p1-1.2mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:040-1 : openssh. See References.

For Mandrake Linux 7.1, 7.2, Single Network Firewall 7.2 and Corporate Server 1.0.1:
Upgrade to the latest openssh package (3.4p1-1.2mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:040-1 : openssh. See References.

For Mandrake Linux 8.0 and 8.2:
Upgrade to the latest openssh package (3.4p1-1.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:040-1 : openssh. See References.

For Red Hat Linux 7.0 and 7.1:
Upgrade to the latest openssh package (3.1p1-5 or later), as listed in RHSA-2002:127-18. See References.

For Red Hat Linux 7.2 and 7.3:
Upgrade to the latest openssh package (3.1p1-6 or later), as listed in RHSA-2002:127-18. See References.

For Trustix Linux 1.1, 1.2, and 1.5:
Upgrade to the latest openssh package (3.1p1-6 or later), as listed in Trustix Secure Linux Security Advisory #2002-0059. See References.

For SuSE Linux:
Upgrade to the latest openssh package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2002:024 for more information. See References.

SuSE Linux 8.0 (Intel): 3.4p1-4 or later

SuSE Linux 7.2 and 7.3 (Intel): 2.9.9p2-103 or later

SuSE Linux 7.1 (Intel): 2.9.9p2-102 or later

SuSE Linux 7.0 (Intel): 2.9.9p2-101 or later

SuSE Linux 6.4 (Intel): 2.9.9p2-100 or later

SuSE Linux 7.3 (Sparc): 2.9.9p2-39 or later

SuSE Linux 7.1 (Sparc): 2.9.9p2-38 or later

SuSE Linux 7.0 (Sparc): 2.9.9p2-37 or later

SuSE Linux 7.1 (AXP Alpha): 2.9.9p2-42 or later

SuSE Linux 6.4 and 7.0 (AXP Alpha): 2.9.9p2-41 or later

SuSE Linux 7.1 and 7.3 (PPC Power): 2.9.9p2-72 or later

SuSE Linux 6.4 and 7.0 (PPC Power): 2.9.9p2-71 or later

For FreeBSD Ports Collection:
Upgrade to the latest ports collection, as listed in FreeBSD Security Notice FreeBSD-SN-02:05. See References.

For Solaris 9:
Apply patch 113273-01, as listed in Sun Alert ID: 45525. See References.

For Solaris:
Apply the patch for this vulnerability, as listed in Sun Alert ID: 45508. See References.

— OR —

As a workaround, follow the instructions as listed in Sun Alert ID: 45508. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

Reported:

Jun 26, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
