SecurityTracker.com
Category:   Device (Intrusion Detection)  >   Juniper IDP
Vendors:   NetScreen
(NetScreen Issues Fix for NetScreen-IDP) Re: OpenSSH buffer_append_space() and Other Buffer Management Errors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007767
SecurityTracker URL:  http://securitytracker.com/id/1007767
CVE Reference:   CVE-2003-0693, CVE-2003-0695, CVE-2003-0682
Updated:  Dec 10 2003
Original Entry Date:  Sep 20 2003
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): IDP 2.1
Description:   Several buffer management vulnerabilities were reported in OpenSSH. A remote user may be able to execute arbitrary code on the target system. The NetScreen-IDP appliance uses OpenSSH and, therefore, is affected.

It is reported that there are potentially exploitable buffer management errors in OpenSSH in the buffer_append_space(), buffer_init(), and buffer_free() functions in 'buffer.c'. A similar flaw resides in 'channels.c', the report said (CVE-2003-0693 and CVE-2003-0695). The flaws affect version 3.7 and prior versions. The vendor reports that it is not certain whether these flaws are exploitable.

Solar Designer has reportedly identified four additional similar bugs as the result of a review of the OpenSSH 3.6.1p2 source code for potentially incorrect uses of *realloc(). According to Solar Designer, two of the bugs are in 'sshd'. Of those two bugs, one reportedly cannot be triggered in the current code, and the other occurs after the authentication process. Solar Designer believes that none of the four bugs should give an unauthenticated shell via sshd, not even in cases where 'privsep' is not used. CVE has assigned CVE-2003-0682 to these four bugs. These four bugs have *not* been fixed in version 3.7.1, but have been fixed in the OpenBSD CVS and will be included in the next release of OpenSSH. These four additional bugs are reportedly not considered to present a security risk.
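The version boundaries stated above can be turned into a banner triage check for an SSH inventory. This is an added example, not part of the advisory or of any vendor tooling; the function names are hypothetical, the sample banners are constructed, and applying CVE-2003-0682 to releases older than 3.6.1p2 is an assumption.

```python
import re

# Boundaries taken from the advisory text:
#   CVE-2003-0693 / CVE-2003-0695: "version 3.7 and prior versions"
#   CVE-2003-0682: found in 3.6.1p2, "not been fixed in version 3.7.1"
BUFFER_BUGS_THROUGH = (3, 7, 0)
REALLOC_BUGS_THROUGH = (3, 7, 1)

# Matches the OpenSSH token in an SSH identification string or `ssh -V` output.
BANNER_RE = re.compile(r"OpenSSH[_-](\d+(?:\.\d+)*)(?:p\d+)?")


def parse_openssh_version(banner):
    """Return the base version as a 3-tuple (or longer), or None if not OpenSSH.

    The portable suffix (p1, p2, ...) is dropped; it does not change the
    base release the advisory's version ranges refer to.
    """
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # "3.7" -> (3, 7, 0)


def cves_for(banner):
    """Return the CVE ids from this advisory that the banner version falls under.

    None means the banner is not OpenSSH; [] means newer than 3.7.1.
    A banner cannot show vendor backports (such as a patched appliance
    build), so a hit is a prompt to check patch status, not proof.
    """
    version = parse_openssh_version(banner)
    if version is None:
        return None
    cves = []
    if version <= BUFFER_BUGS_THROUGH:
        cves += ["CVE-2003-0693", "CVE-2003-0695"]
    if version <= REALLOC_BUGS_THROUGH:  # assumption for releases < 3.6.1p2
        cves.append("CVE-2003-0682")
    return cves


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for line in ("SSH-2.0-OpenSSH_3.6.1p2", "SSH-1.99-OpenSSH_3.7.1p1",
                 "SSH-2.0-OpenSSH_3.8p1", "SSH-2.0-dropbear_0.52"):
        print(line, "->", cves_for(line))
```
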

Impact:   The report indicated that it is not known whether the flaws are exploitable. If exploitable, a remote user may be able to execute arbitrary code. The report did not indicate what privileges the code would execute with and whether or not privilege separation provides protection against possible root exploitation.
Solution:   NetScreen has issued a fix for the SSH service used by NetScreen-IDP, available at:

https://www.netscreen.com/cso

For installation instructions, see the NetScreen Advisory 57961:

http://www.netscreen.com/services/security/alerts/openssh_1.jsp

Vendor URL:  www.netscreen.com/services/security/alerts/openssh_1.jsp
Cause:   Boundary error

Message History:   This archive entry is a follow-up to the message listed below.
Sep 16 2003 OpenSSH buffer_append_space() and Other Buffer Management Errors May Let Remote Users Execute Arbitrary Code




Copyright 2022, SecurityGlobal.net LLC