OpenSSH "Challenge-Response" authentication buffer overflow
openssh-challenge-response-bo (9169)
Description:
OpenSSH is vulnerable to a buffer overflow in the "Challenge-Response" authentication mechanism. When a challenge is generated, the user is expected to supply a number of responses to verify their identity. The response the user sends supplies an integer that indicates how many responses they are supplying, followed by the responses themselves. By supplying an overly large integer to indicate the number of responses, a remote attacker could overflow a buffer and execute arbitrary code on the system with root privileges.
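An added illustration of the bug class described above (not OpenSSH source and not part of the original entry): a parser for a count-prefixed response list that bounds the count before allocating, plus a helper showing how an unchecked size computation wraps. The packet layout (big-endian 32-bit count and lengths), `MAX_RESPONSES`, and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RESPONSES 100u /* assumed policy cap, not a value from the advisory */

/* Constructed packets: big-endian count, then (length, bytes) pairs. */
static const unsigned char SAMPLE_OK[] = {0,0,0,2, 0,0,0,2,'a','b', 0,0,0,1,'c'};
static const unsigned char SAMPLE_BAD[] = {0x40,0,0,1, 0,0,0,1,'x'};

static uint32_t get_u32(const unsigned char *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* Bytes an unchecked count * sizeof(char *) asks for with a 32-bit size_t
 * and 4-byte pointers: the product wraps and the array is far too small. */
uint32_t unchecked_alloc_size32(uint32_t count) { return count * 4u; }

void free_responses(char **resp, uint32_t n) {
    for (uint32_t i = 0; i < n; i++) free(resp[i]);
    free(resp);
}
/* Hardened parse: returns the number of strings stored in *out, or -1. */
int parse_responses(const unsigned char *buf, size_t len, char ***out) {
    if (len < 4) return -1;
    uint32_t count = get_u32(buf), i;
    size_t off = 4;
    if (count > MAX_RESPONSES) return -1;   /* bound the count before allocating */
    /* calloc zero-fills, so the failure path can free every slot safely */
    char **resp = calloc((size_t)count + 1, sizeof *resp);
    if (!resp) return -1;
    for (i = 0; i < count; i++) {
        if (len - off < 4) break;           /* no room for a length field */
        uint32_t slen = get_u32(buf + off);
        off += 4;
        if (slen > len - off) break;        /* string must fit in the packet */
        if (!(resp[i] = malloc((size_t)slen + 1))) break;
        memcpy(resp[i], buf + off, slen);
        resp[i][slen] = '\0';
        off += slen;
    }
    if (i != count) { free_responses(resp, count); return -1; }
    *out = resp;
    return (int)count;
}
int main(void) {
    char **r;
    int ok = parse_responses(SAMPLE_OK, sizeof SAMPLE_OK, &r);
    if (ok >= 0) free_responses(r, (uint32_t)ok);
    printf("wrapped=%u ok=%d bad=%d\n", (unsigned)unchecked_alloc_size32(0x40000001u),
           ok, parse_responses(SAMPLE_BAD, sizeof SAMPLE_BAD, &r));
}
```

A claimed count of 0x40000001 would request only 4 bytes under 32-bit arithmetic, which is why the count is rejected before any size is computed from it.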
Consequences:
Gain Access
Remedy:
For vulnerability detection:
Enable the following checks in the ISS Protection Platform:
openssh-challenge-response-bo
SSH_ChallengeReponse_Bo
Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 22
For Manual Protection:
Upgrade to the latest version of OpenSSH (3.4 or later), available from the OpenSSH Web site. See References.
For Conectiva Linux 6.0:
Upgrade to the latest openssh package (3.4p1-1U60_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:502. See References.
For Conectiva Linux 7.0:
Upgrade to the latest openssh package (3.4p1-1U70_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:502. See References.
For Conectiva Linux 8.0:
Upgrade to the latest openssh package (3.4p1-1U8_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:502. See References.
For Caldera OpenLinux 3.1 and 3.1.1 Workstation and Server:
As a precaution, disable both the ChallengeResponseAuthentication option in the /etc/ssh/sshd_config file and the sshd_config PAMAuthenticationViaKbdInt option. See References.
For FreeBSD-Current (2002-03-18 and 2002-06-25):
Apply the workaround for this vulnerability or upgrade to the latest version of FreeBSD-Current dated after 2002-06-25, as listed in FreeBSD Security Advisory FreeBSD-SA-02:31. See References.
For EnGarde Secure Linux: Community Edition:
Upgrade to the latest openssh package (3.4p1-1.0.22 or later), as listed in Engarde Secure Linux Security Advisory ESA-20020702-016. See References.
For Mandrake Linux 7.1, 7.2, and Corporate Server 1.0.1:
Upgrade to the latest openssh package (3.4p1-1.2mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:040-1 : openssh. See References.
For Mandrake Linux 7.1, 7.2, Single Network Firewall 7.2 and Corporate Server 1.0.1:
Upgrade to the latest openssh package (3.4p1-1.2mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:040-1 : openssh. See References.
For Mandrake Linux 8.0 and 8.2:
Upgrade to the latest openssh package (3.4p1-1.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:040-1 : openssh. See References.
For Red Hat Linux 7.0 and 7.1:
Upgrade to the latest openssh package (3.1p1-5 or later), as listed in RHSA-2002:127-18. See References.
For Red Hat Linux 7.2 and 7.3:
Upgrade to the latest openssh package (3.1p1-6 or later), as listed in RHSA-2002:127-18. See References.
For Trustix Linux 1.1, 1.2, and 1.5:
Upgrade to the latest openssh package (3.1p1-6 or later), as listed in Trustix Secure Linux Security Advisory #2002-0059. See References.
For SuSE Linux:
Upgrade to the latest openssh package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2002:024 for more information. See References.
SuSE Linux 8.0 (Intel): 3.4p1-4 or later
SuSE Linux 7.2 and 7.3 (Intel): 2.9.9p2-103 or later
SuSE Linux 7.1 (Intel): 2.9.9p2-102 or later
SuSE Linux 7.0 (Intel): 2.9.9p2-101 or later
SuSE Linux 6.4 (Intel): 2.9.9p2-100 or later
SuSE Linux 7.3 (Sparc): 2.9.9p2-39 or later
SuSE Linux 7.1 (Sparc): 2.9.9p2-38 or later
SuSE Linux 7.0 (Sparc): 2.9.9p2-37 or later
SuSE Linux 7.1 (AXP Alpha): 2.9.9p2-42 or later
SuSE Linux 6.4 and 7.0 (AXP Alpha): 2.9.9p2-41 or later
SuSE Linux 7.1 and 7.3 (PPC Power): 2.9.9p2-72 or later
SuSE Linux 6.4 and 7.0 (PPC Power): 2.9.9p2-71 or later
For FreeBSD Ports Collection:
Upgrade to the latest ports collection, as listed in FreeBSD Security Notice FreeBSD-SN-02:05. See References.
For Solaris 9:
Apply patch 113273-01, as listed in Sun Alert ID: 45525. See References.
For Solaris:
Apply the patch for this vulnerability, as listed in Sun Alert ID: 45508. See References.
— OR —
As a workaround, follow the instructions as listed in Sun Alert ID: 45508. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- BugTraq Mailing List, Fri Jun 28 2002 - 16:12:47 CDT: Sun statement on the OpenSSH Remote Challenge Vulnerability.
- BugTraq Mailing List, Mon Jun 24 2002 - 16:00:10 CDT: Upcoming OpenSSH vulnerability.
- Caldera International, Inc. Security Advisory CSSA-2002-030.0: OpenSSH Vulnerabilities in Challenge Response Handling.
- CERT Advisory CA-2002-18: OpenSSH Vulnerabilities in Challenge Response Handling.
- CIAC Information Bulletin M-095: OpenSSH Challenge Response Vulnerabilities.
- Conectiva Linux Announcement CLSA-2001:502: Remote vulnerability in openssh.
- Conectiva Linux Announcement CLSA-2002:500: Remote vulnerability in OpenSSH.
- EnGarde Secure Linux Security Advisory ESA-20020625-015: openssh. (From LinuxSecurity archive)
- EnGarde Secure Linux Security Advisory ESA-20020702-016: several vulnerabilities in the OpenSSH daemon.
- FreeBSD Security Advisory FreeBSD-SA-02:31: openssh contains remote vulnerability.
- FreeBSD Security Notice FreeBSD-SN-02:05 : security issues in ports.
- Global InterSec LLC Security Advisory 2002062801: OpenSSH kbd-interactive buffer overflow.
- Immunix OS Security Advisory 25-June-2002: Immunix: 'OpenSSH' Remote Vulnerability. (From LinuxSecurity archive)
- Internet Security Systems Security Advisory, June 26, 2002: OpenSSH Remote Challenge Vulnerability.
- NetBSD Security Advisory 2002-005: OpenSSH protocol version 2 challenge-response authentication vulnerability.
- OpenBSD Web site: OpenBSD.
- OpenSSH Security Advisory: adv.iss.
- OpenSSH Web site: OpenSSH.
- Sun Alert ID: 45508: OpenSSH-2.9p2-12C4 May Allow root Exploit in Sun Cobalt RaQ 550.
- Sun Alert ID: 45525: Secure Shell ("ssh") Integer Overflow can Cause a Remote Security Exploit in Solaris 9.
- Trustix Secure Linux Security Advisory #2002-0059: openssh.
- BID-5093: OpenSSH Challenge-Response Buffer Overflow Vulnerabilities
- CVE-2002-0639: Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.
- DSA-134: ssh -- remote exploit
- MDKSA-2002:040: Updated openssh packages provide privilege separation
- MDKSA-2002:040-1: Updated openssh packages fix remote vulnerability
- OpenPKG-SA-2002.005: OpenSSH
- OSVDB ID: 6245: OpenSSH SKEY/BSD_AUTH Challenge-Response Remote Overflow
- RHSA-2002-127: Updated OpenSSH packages fix various security issues
- RHSA-2002-131: openssh security update
- US-CERT VU#369347: OpenSSH vulnerabilities in challenge response handling
Platforms Affected:
- Conectiva Linux 6.0
- Conectiva Linux 7.0
- Conectiva Linux 8.0
- Debian Debian Linux 2.2
- Debian Debian Linux 3.0
- EngardeLinux Secure Linux
- FreeBSD FreeBSD CURRENT
- FreeBSD FreeBSD Ports Collection
- Immunix Immunix OS 7+-beta
- Immunix Immunix OS 7.0
- MandrakeSoft Mandrake Linux 7.1
- MandrakeSoft Mandrake Linux 7.2
- MandrakeSoft Mandrake Linux 8.0
- MandrakeSoft Mandrake Linux 8.1
- MandrakeSoft Mandrake Linux 8.2
- MandrakeSoft Mandrake Linux Corporate Server 1.0.1
- MandrakeSoft Mandrake Single Network Firewall 7.2
- NetBSD NetBSD 1.5
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5.2
- NetBSD NetBSD 1.6 beta
- Novell SuSE Linux Enterprise Server 7.0
- OpenBSD OpenBSD 3.0
- OpenBSD OpenBSD 3.1
- OpenBSD OpenSSH 3.0
- OpenBSD OpenSSH 3.0.1
- OpenBSD OpenSSH 3.0.1p1
- OpenBSD OpenSSH 3.0.2
- OpenBSD OpenSSH 3.0.2p1
- OpenBSD OpenSSH 3.0p1
- OpenBSD OpenSSH 3.1
- OpenBSD OpenSSH 3.1p1
- OpenBSD OpenSSH 3.2
- OpenBSD OpenSSH 3.2.2
- OpenBSD OpenSSH 3.2.2p1
- OpenBSD OpenSSH 3.2.3p1
- OpenPKG OpenPKG 1.0
- RedHat Enterprise Linux 2.1 AS
- RedHat Linux 7
- RedHat Linux 7.1
- RedHat Linux 7.1 for iSeries
- RedHat Linux 7.1 for pSeries
- RedHat Linux 7.2
- RedHat Linux 7.3
- SCO Caldera OpenLinux Server 3.1
- SCO Caldera OpenLinux Server 3.1.1
- SCO Caldera OpenLinux Workstation 3.1
- SCO Caldera OpenLinux Workstation 3.1.1
- Sun Solaris 9
- SuSE SuSE eMail Server III
- SUSE SuSE Linux 6.4
- SUSE SuSE Linux 7.0
- SUSE SuSE Linux 7.1
- SUSE SuSE Linux 7.2
- SUSE SuSE Linux 7.3
- SUSE SuSE Linux 8.0
- SuSE SuSE Linux Database Server
- SuSE SuSE Linux Firewall
- Trustix Secure Linux 1.1
- Trustix Secure Linux 1.2
- Trustix Secure Linux 1.5
Reported:
Jun 26, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@us.ibm.com
