[ale] FW: Revised OpenSSH Security Advisory

Christopher Fowler cfowler at outpostsentinel.com
Wed Jun 26 15:46:28 EDT 2002


I'm using 3.1p1  Can I just apply the patch below or do I need to do a
full upgrade?

Chris

On Wed, 2002-06-26 at 15:35, Jim Popovitch wrote:
> PLEASE READ!  There are several things you need to do to secure your SSH
> implementation.  This is the SECOND Advisory.
> 
> -----Original Message-----
> Sent: Wednesday, June 26, 2002 3:08 PM
> To: openssh-unix-announce at mindrot.org
> 
> This is the 2nd revision of the Advisory.
> 
> 1. Versions affected:
> 
>         Serveral versions of OpenSSH's sshd between 2.3.1 and 3.3
>         contain an input validation error that can result in an
>         integer overflow and privilege escalation.
> 
>         All versions between 2.3.1 and 3.3 contain a bug in the
>         PAMAuthenticationViaKbdInt code.
> 
>         All versions between 2.9.9 and 3.3 contain a bug in the
>         ChallengeResponseAuthentication code.
> 
>         OpenSSH 3.4 and later are not affected.
> 
>         OpenSSH 3.2 and later prevent privilege escalation if
>         UsePrivilegeSeparation is enabled in sshd_config.  OpenSSH
>         3.3 enables UsePrivilegeSeparation by default.
> 
>         Although some earlier versions are not affected upgrading
>         to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds
>         checks for a class of potential bugs.
> 
> 2. Impact:
> 
>         This bug can be exploited remotely if
> 		ChallengeResponseAuthentication
> 	is enabled in sshd_config.
> 
>         Affected are at least systems supporting s/key over
>         SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD
>         as well as other systems supporting s/key with SSH).
>         Exploitablitly of systems using
> 		PAMAuthenticationViaKbdInt
> 	has not been verified.
> 
> 3. Short-Term Solution:
> 
>         Disable ChallengeResponseAuthentication in sshd_config.
> 
> 	and
> 
> 	Disable PAMAuthenticationViaKbdInt in sshd_config.
> 
> 	Alternatively you can prevent privilege escalation
> 	if you enable UsePrivilegeSeparation in sshd_config.
> 
> 4. Solution:
> 
> 	Upgrade to OpenSSH 3.4 or apply the following patches.
> 
> 5. Credits:
> 
> 	ISS.
> 
> Appendix:
> 
> A:
> 
> Index: auth2-chall.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
> retrieving revision 1.18
> diff -u -r1.18 auth2-chall.c
> --- auth2-chall.c	19 Jun 2002 00:27:55 -0000	1.18
> +++ auth2-chall.c	26 Jun 2002 09:37:03 -0000
> @@ -256,6 +256,8 @@
> 
>  	authctxt->postponed = 0;	/* reset */
>  	nresp = packet_get_int();
> +	if (nresp > 100)
> +		fatal("input_userauth_info_response: nresp too big %u", nresp);
>  	if (nresp > 0) {
>  		response = xmalloc(nresp * sizeof(char*));
>  		for (i = 0; i < nresp; i++)
> 
> B:
> 
> Index: auth2-pam.c
> ===================================================================
> RCS file: /var/cvs/openssh/auth2-pam.c,v
> retrieving revision 1.12
> diff -u -r1.12 auth2-pam.c
> --- auth2-pam.c	22 Jan 2002 12:43:13 -0000	1.12
> +++ auth2-pam.c	26 Jun 2002 10:12:31 -0000
> @@ -140,6 +140,15 @@
>  	nresp = packet_get_int();	/* Number of responses. */
>  	debug("got %d responses", nresp);
> 
> +
> +	if (nresp != context_pam2.num_expected)
> +		fatal("%s: Received incorrect number of responses "
> +		    "(expected %u, received %u)", __func__, nresp,
> +		    context_pam2.num_expected);
> +
> +	if (nresp > 100)
> +		fatal("%s: too many replies", __func__);
> +
>  	for (i = 0; i < nresp; i++) {
>  		int j = context_pam2.prompts[i];
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
> 
> 
> 



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list