[ale] FW: Revised OpenSSH Security Advisory

James P. Kinney III jkinney at localnetsolutions.com
Wed Jun 26 15:54:02 EDT 2002 

Do the upgrade. It will get you some other useful features like
compression.

On Wed, 2002-06-26 at 15:46, Christopher Fowler wrote:
> I'm using 3.1p1  Can I just apply the patch below or do I need to do a
> full upgrade?
> 
> Chris
> 
> On Wed, 2002-06-26 at 15:35, Jim Popovitch wrote:
> > PLEASE READ!  There are several things you need to do to secure your SSH
> > implementation.  This is the SECOND Advisory.
> > 
> > -----Original Message-----
> > Sent: Wednesday, June 26, 2002 3:08 PM
> > To: openssh-unix-announce at mindrot.org
> > 
> > This is the 2nd revision of the Advisory.
> > 
> > 1. Versions affected:
> > 
> >         Serveral versions of OpenSSH's sshd between 2.3.1 and 3.3
> >         contain an input validation error that can result in an
> >         integer overflow and privilege escalation.
> > 
> >         All versions between 2.3.1 and 3.3 contain a bug in the
> >         PAMAuthenticationViaKbdInt code.
> > 
> >         All versions between 2.9.9 and 3.3 contain a bug in the
> >         ChallengeResponseAuthentication code.
> > 
> >         OpenSSH 3.4 and later are not affected.
> > 
> >         OpenSSH 3.2 and later prevent privilege escalation if
> >         UsePrivilegeSeparation is enabled in sshd_config.  OpenSSH
> >         3.3 enables UsePrivilegeSeparation by default.
> > 
> >         Although some earlier versions are not affected upgrading
> >         to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds
> >         checks for a class of potential bugs.
> > 
> > 2. Impact:
> > 
> >         This bug can be exploited remotely if
> > 		ChallengeResponseAuthentication
> > 	is enabled in sshd_config.
> > 
> >         Affected are at least systems supporting s/key over
> >         SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD
> >         as well as other systems supporting s/key with SSH).
> >         Exploitablitly of systems using
> > 		PAMAuthenticationViaKbdInt
> > 	has not been verified.
> > 
> > 3. Short-Term Solution:
> > 
> >         Disable ChallengeResponseAuthentication in sshd_config.
> > 
> > 	and
> > 
> > 	Disable PAMAuthenticationViaKbdInt in sshd_config.
> > 
> > 	Alternatively you can prevent privilege escalation
> > 	if you enable UsePrivilegeSeparation in sshd_config.
> > 
> > 4. Solution:
> > 
> > 	Upgrade to OpenSSH 3.4 or apply the following patches.
> > 
> > 5. Credits:
> > 
> > 	ISS.
> > 
> > Appendix:
> > 
> > A:
> > 
> > Index: auth2-chall.c
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
> > retrieving revision 1.18
> > diff -u -r1.18 auth2-chall.c
> > --- auth2-chall.c	19 Jun 2002 00:27:55 -0000	1.18
> > +++ auth2-chall.c	26 Jun 2002 09:37:03 -0000
> > @@ -256,6 +256,8 @@
> > 
> >  	authctxt->postponed = 0;	/* reset */
> >  	nresp = packet_get_int();
> > +	if (nresp > 100)
> > +		fatal("input_userauth_info_response: nresp too big %u", nresp);
> >  	if (nresp > 0) {
> >  		response = xmalloc(nresp * sizeof(char*));
> >  		for (i = 0; i < nresp; i++)
> > 
> > B:
> > 
> > Index: auth2-pam.c
> > ===================================================================
> > RCS file: /var/cvs/openssh/auth2-pam.c,v
> > retrieving revision 1.12
> > diff -u -r1.12 auth2-pam.c
> > --- auth2-pam.c	22 Jan 2002 12:43:13 -0000	1.12
> > +++ auth2-pam.c	26 Jun 2002 10:12:31 -0000
> > @@ -140,6 +140,15 @@
> >  	nresp = packet_get_int();	/* Number of responses. */
> >  	debug("got %d responses", nresp);
> > 
> > +
> > +	if (nresp != context_pam2.num_expected)
> > +		fatal("%s: Received incorrect number of responses "
> > +		    "(expected %u, received %u)", __func__, nresp,
> > +		    context_pam2.num_expected);
> > +
> > +	if (nresp > 100)
> > +		fatal("%s: too many replies", __func__);
> > +
> >  	for (i = 0; i < nresp; i++) {
> >  		int j = context_pam2.prompts[i];
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > ---
> > This message has been sent through the ALE general discussion list.
> > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> > sent to listmaster at ale dot org.
> > 
> > 
> > 
> 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 




---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.

More information about the Ale mailing list