Category:   Application (Security)  >   OpenSSH Vendors:   OpenSSH.org
(NetBSD Issues Fix) Re: OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System
SecurityTracker Alert ID:  1004674
SecurityTracker URL:  http://securitytracker.com/id/1004674
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 2 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.3.1 - 3.3
Description:   Two vulnerabilities were reported in the OpenSSH implementation of the Secure Shell SSH protocol. A remote user can obtain root access on the system in certain configurations.

ISS originally reported that a buffer overflow vulnerability exists within the "challenge-response" authentication mechanism in the OpenSSH daemon (sshd). It has since been clarified that there are two separate but related vulnerabilities that occur in processing challenge responses.

One vulnerability is an integer overflow in the processing of the number of responses received during challenge-response authentication. If the server is configured for challenge-response authentication *and* the system is using SKEY or BSD_AUTH authentication, the system may be vulnerable. A remote user can send a specially crafted reply to cause the daemon to crash or to execute arbitrary code with root privileges. This flaw is reported to be present in versions 2.9.9 through 3.3.

The other vulnerability is a buffer overflow in the processing of the number of responses received during challenge-response authentication. If the server is using PAM modules that use interactive keyboard authentication (PAMAuthenticationViaKbdInt), the system may be vulnerable (however, this apparently has not been confirmed). This flaw is reported to be present in versions 2.3.1 through 3.3.

Impact:   A remote user can obtain root level access on the system, under certain system configurations.
Solution:   NetBSD has issued a fix. Releases of NetBSD 1.5.3 and NetBSD 1.6 are imminent. Users running versions older than NetBSD 1.5.3 are encouraged to upgrade.

To check if your system has a vulnerable version of sshd, run "sshd -V" (it is an invalid argument, but it will present the version number). Any version dated "NetBSD_Secure_Shell-20020626" or later will identify that the fix is in place.

Some workarounds are provided in the Source Message.

The following guidance is provided by NetBSD regarding updating your software:

For NetBSD-current:

Systems running NetBSD-current dated from before 2002-05-13 should be upgraded to NetBSD-current dated 2002-05-14 or later if you wish to use privilege separation support as a stopgap measure. It is recommended to update to source dated 2002-06-26 for a complete fix (with OpenSSH 3.4).

The following directories need to be updated from the netbsd-current CVS branch (aka HEAD):

crypto/dist/ssh
usr.bin/ssh

To update from CVS, re-build, and re-install:

# cd src
# cvs update -d -P crypto/dist/ssh usr.bin/ssh
# cd usr.bin/ssh

# make cleandir dependall
# make install

You also need to have an sshd UID and GID, as well as /var/chroot/sshd directory (chroot jail), as below:

Create a group, with /usr/sbin/groupadd, or vi /etc/group

sshd:*:16:

Create a user, with vipw, or /usr/sbin/useradd

sshd:*:16:16::0:0:sshd privsep:/var/chroot/sshd:/sbin/nologin

Create the directory /var/chroot/sshd

Make sure you have "UsePrivilegeSeparation yes" in your /etc/ssh/sshd_config (or it can be commented out, as the default value is "yes"), to mitigate future issues.


For NetBSD 1.6 and beta:

Systems running NetBSD 1.6 beta have OpenSSH privilege separation turned on by default; follow the workaround section as appropriate for your environment, and upgrade to source dated 2002-06-26 (with OpenSSH 3.4) to close this vulnerability.

NetBSD 1.6 will ship with OpenSSH 3.4, which has a complete fix.

The following directories need to be updated from the netbsd-1-6 CVS branch:

crypto/dist/ssh
usr.bin/ssh

To update from CVS, re-build, and re-install:

# cd src
# cvs update -d -P crypto/dist/ssh usr.bin/ssh
# cd usr.bin/ssh

# make cleandir dependall
# make install

The sshd user, group, and chroot jail directories should already exist in a 1.6 installation.

For NetBSD 1.5, 1.5.1, 1.5.2:

Systems running NetBSD 1.5.* releases dated from before 2002-06-26 should be upgraded to sources dated 2002-06-26 or later. Sources on the branch after that date include changes presented in the following advisory:

http://openssh.org/txt/preauth.adv

NOTE: the upgrade process will pull in changes presented in this advisory. Therefore, (1) it won't get you OpenSSH 3.4, and (2) it won't make your sshd support privilege separation. If you need to enable privilege separation, install OpenSSH from pkgsrc (openssh-3.4.0.1).

The following directories need to be updated from the netbsd-1-5 CVS branch:

crypto/dist/ssh
usr.bin/ssh

To update from CVS, re-build, and re-install:

# cd src
# cvs update -d -P crypto/dist/ssh usr.bin/ssh
# cd usr.bin/ssh

# make cleandir dependall
# make install


For pkgsrc: (All systems, including NetBSD 1.4.*)

For a complete fix, openssh-3.4.0.1 or later should be installed from pkgsrc/security/openssh. See above, as well as console messages during pkgsrc build, for instructions to enable privilege separation functionality.

Vendor URL:  www.openssh.org/
Cause:   Boundary error, Input validation error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  1.6_BETAx, 1.5, 1.5.1, 1.5.2; NetBSD-current prior to May 14, 2002; pkgsrc: packages prior to openssh-3.3.0.1

Message History:   This archive entry is a follow-up to the message listed below.
Jun 24 2002 OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System



 Source Message Contents

Subject:  NetBSD Security Advisory 2002-005: OpenSSH protocol version 2 challenge-response authentication





		 NetBSD Security Advisory 2002-005
		 =================================

Topic:		OpenSSH protocol version 2 challenge-response authentication
		vulnerability

Version:	NetBSD-current:	prior to May 14, 2002
		NetBSD-1.6_BETAx: affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	not affected (does not ship with OpenSSH)
		pkgsrc:		packages prior to openssh-3.3.0.1

Severity:	high, remote root compromise

Workaround:	NetBSD-current:		May 14, 2002
		NetBSD-1.6 branch:	partial by default (priv sep)
		NetBSD-1.5 branch:	instructions below, OpenSSH 3 and later
		pkgsrc:			June 25, 2002 (with openssh-3.3.0.1)

Fixed:		NetBSD-current:		June 26, 2002 (OpenSSH 3.4)
		NetBSD-1.6 branch:	June 26, 2002 (OpenSSH 3.4)
		NetBSD-1.5 branch:	June 26, 2002 (patch on advisory)
		pkgsrc:			June 26, 2002 (with openssh-3.4.0.1)

		Version string "NetBSD_Secure_Shell-20020626" will identify
		that the fix is in place.


Abstract
========

OpenSSH has a vulnerability in protocol version 2 challenge-response
authentication.  OpenSSH 3.4 must be installed to completely overcome the
problem.

Technical Details
=================

Vulnerability itself:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
http://openssh.org/txt/iss.adv
http://openssh.org/txt/preauth.adv

CERT CA-2002-18
http://www.cert.org/advisories/CA-2002-18.html
http://www.kb.cert.org/vuls/id/369347


Solutions and Workarounds
=========================

Some workarounds are available, which may somewhat mitigate the risk:

 - Turn off challenge-response authentication by having the following
   in sshd_config:
	ChallengeResponseAuthentication no

   On some systems, the following option is also required together
   with the above. It is not relevant for NetBSD.
	PAMAuthenticationViaKbdInt no

   Note that turning these features off will disable SSH logins via
   S/Key (OTP) authentication.  Compiling OpenSSH without support for
   S/Key and PAM authentication will also eliminate this
   vulnerability.

 - If you do not require SSH Protocol version 2 support, disabling it
   will eliminate the vulnerable codepath. Remember that version 1 is
   considered significantly less secure than version 2, and this
   workaround is not recommended for long term use. Additionally, if
   your users use version 2 authentication methods, they will be unable
   to connect.

 - The new Privilege Separation feature (available since OpenSSH
   3.2.x) has been promoted as a potential mitigation of this issue.
   This feature is available in NetBSD-current as of May 14th, and is
   enabled by default.

   Privilege Separation might provide a benefit, potentially
   preventing this or future vulnerabilities from being root exploits,
   and limiting their nature to a denial of service.  Although a
   useful defensive feature, this is not guaranteed, especially given
   the implementation has not yet met the test of time.

   Do not avoid patching this issue simply because you have enabled
   Privilege Separation.

   Effect of privilege separation:
     http://www.citi.umich.edu/u/provos/ssh/privsep.html


The following instructions describe how to upgrade your OpenSSH
binaries by updating your source tree and rebuilding and
installing a new version.

Releases of NetBSD 1.5.3 and NetBSD 1.6 are imminent. This is a reminder
to consider upgrading when they are available, if you are running
anything older than NetBSD 1.5.3.  Many security-related improvements
have been made.

To check if your system has a vulnerable version of sshd, run "sshd -V"
(it is an invalid argument, but it will present the version number).
Any version dated "NetBSD_Secure_Shell-20020626" or later will identify
that the fix is in place.

Although workarounds were provided above, update your binaries to make
very sure that you don't have vulnerable binaries around.  


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-05-13
	should be upgraded to NetBSD-current dated 2002-05-14 or later
	if you wish to use privilege separation support as a stopgap measure.
	It is recommended to update to source dated 2002-06-26 for a
	complete fix (with OpenSSH 3.4).

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		crypto/dist/ssh
		usr.bin/ssh

	To update from CVS, re-build, and re-install:
		# cd src
		# cvs update -d -P crypto/dist/ssh usr.bin/ssh
		# cd usr.bin/ssh

		# make cleandir dependall
		# make install

	You also need to have an sshd UID and GID, as well as /var/chroot/sshd
	directory (chroot jail), as below:

		Create a group, with /usr/sbin/groupadd, or vi /etc/group

		sshd:*:16:
		
		Create a user, with vipw, or /usr/sbin/useradd

		sshd:*:16:16::0:0:sshd privsep:/var/chroot/sshd:/sbin/nologin

		Create the directory /var/chroot/sshd
		
	Make sure you have "UsePrivilegeSeparation yes" in your
	/etc/ssh/sshd_config (or it can be commented out, as the default value
	is "yes"), to mitigate future issues.


* NetBSD 1.6 and beta:

	Systems running NetBSD 1.6 beta have OpenSSH privilege
	separation turned on by default; follow the workaround section
	as appropriate for your environment, and upgrade to source dated
	2002-06-26 (with OpenSSH 3.4) to close this vulnerability.

	NetBSD 1.6 will ship with OpenSSH 3.4, which has a complete fix.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		crypto/dist/ssh
		usr.bin/ssh

	To update from CVS, re-build, and re-install:
		# cd src
		# cvs update -d -P crypto/dist/ssh usr.bin/ssh
		# cd usr.bin/ssh

		# make cleandir dependall
		# make install

	The sshd user, group, and chroot jail directories should already exist
	in a 1.6 installation.

* NetBSD 1.5, 1.5.1, 1.5.2:

	Systems running NetBSD 1.5.* releases dated from before
	2002-06-26 should be upgraded to sources dated 2002-06-26
	or later.  Sources on the branch after that date include changes
	presented in the following advisory:
		http://openssh.org/txt/preauth.adv

	NOTE: the upgrade process will pull in changes presented in this
	advisory.  Therefore, (1) it won't get you OpenSSH 3.4, and (2) it
	won't make your sshd support privilege separation.  If you need
	to enable privilege separation, install OpenSSH from pkgsrc
	(openssh-3.4.0.1).

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		crypto/dist/ssh
		usr.bin/ssh

	To update from CVS, re-build, and re-install:
		# cd src
		# cvs update -d -P crypto/dist/ssh usr.bin/ssh
		# cd usr.bin/ssh

		# make cleandir dependall
		# make install


* pkgsrc: (All systems, including NetBSD 1.4.*)

	For a complete fix, openssh-3.4.0.1 or later should be
	installed from pkgsrc/security/openssh.  See above, as well as
	console messages during pkgsrc build, for instructions to enable
	privilege separation functionality.


Thanks To
=========

Markus Friedl and Jun-ichiro itojun Hagino for patches, and initial
advisory text.


Revision History
================

	2002-06-26	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-005.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-005.txt,v 1.25 2002/06/27 14:27:43 david Exp $



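As an added example, not part of the NetBSD advisory above, the following POSIX shell script turns the advisory's two administrator checks into something repeatable: it evaluates an sshd_config for the ChallengeResponseAuthentication and Protocol workarounds (plus whether UsePrivilegeSeparation would limit a compromise), and it tests an "sshd -V" banner for the "NetBSD_Secure_Shell-20020626" fix date. The defaults it assumes for absent keywords (ChallengeResponseAuthentication yes, Protocol 2,1, UsePrivilegeSeparation yes) and the first-occurrence-wins rule are assumptions, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not part of the NetBSD advisory: audit an sshd_config and an
# "sshd -V" banner against the workarounds and version check the advisory gives.
# Assumed defaults when a keyword is absent or commented out:
# ChallengeResponseAuthentication yes, Protocol 2,1, UsePrivilegeSeparation yes.

# Effective value of a keyword: first non-comment occurrence wins (assumed, as in sshd).
sshd_opt() {  # file keyword default
    v=$(awk -v k="$2" '$1 !~ /^#/ && tolower($1)==tolower(k) {print tolower($2); exit}' "$1")
    printf '%s\n' "${v:-$3}"
}

# Succeeds when the banner carries a NetBSD_Secure_Shell date of 20020626 or later.
sshd_fix_present() {  # banner
    d=$(printf '%s\n' "$1" | sed -n 's/.*NetBSD_Secure_Shell-\([0-9]\{8\}\).*/\1/p')
    [ -n "$d" ] && [ "$d" -ge 20020626 ]
}

# "exposed" when protocol 2 challenge-response is still reachable, "workaround"
# when a config setting blocks it; privsep only limits what a compromise can do.
sshd_audit() {  # file
    cra=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    proto=$(sshd_opt "$1" Protocol 2,1)
    privsep=$(sshd_opt "$1" UsePrivilegeSeparation yes)
    case "$proto" in *2*) p2=yes ;; *) p2=no ;; esac
    if [ "$cra" = no ] || [ "$p2" = no ]; then state=workaround; else state=exposed; fi
    printf '%s privsep=%s\n' "$state" "$privsep"
}

# Constructed sample configs; a commented-out keyword does not count as set.
tmp=${TMPDIR:-/tmp}/sa2002-005.$$
printf 'Protocol 2\n#ChallengeResponseAuthentication no\n' > "$tmp.weak"
printf 'ChallengeResponseAuthentication no\nUsePrivilegeSeparation yes\n' > "$tmp.ok"
sshd_audit "$tmp.weak"   # exposed privsep=yes
sshd_audit "$tmp.ok"     # workaround privsep=yes
rm -f "$tmp.weak" "$tmp.ok"
sshd_fix_present "sshd version OpenSSH_3.4 NetBSD_Secure_Shell-20020626" && echo "fix present"
```

Run it against /etc/ssh/sshd_config and the real "sshd -V" output; "exposed" with a pre-20020626 banner means the vulnerable code path is reachable and the binaries still need updating.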