[ale] FW: Revised OpenSSH Security Advisory

Jim Popovitch jimpop at rocketship.com
Wed Jun 26 15:48:43 EDT 2002


Hi Chris,

I would do a complete full upgrade, but that's just me.  I never have been a
big fan of patch.  Theoretically you could start with version 1.0 and just
keep applying all the patches...but there is always that feeling that you
might have included or missed something other than what the project
developers have put into the version(s) they built and tested.  ymmv.

-Jim P.

> -----Original Message-----
> From: Christopher Fowler [mailto:cfowler at outpostsentinel.com]
> Sent: Wednesday, June 26, 2002 3:46 PM
> To: Jim Popovitch
> Cc: ALE
> Subject: Re: [ale] FW: Revised OpenSSH Security Advisory
>
>
> I'm using 3.1p1  Can I just apply the patch below or do I need to do a
> full upgrade?
>
> Chris
>
> On Wed, 2002-06-26 at 15:35, Jim Popovitch wrote:
> > PLEASE READ!  There are several things you need to do to secure your SSH
> > implementation.  This is the SECOND Advisory.
> >
> > -----Original Message-----
> > Sent: Wednesday, June 26, 2002 3:08 PM
> > To: openssh-unix-announce at mindrot.org
> >
> > This is the 2nd revision of the Advisory.
> >
> > 1. Versions affected:
> >
> >         Serveral versions of OpenSSH's sshd between 2.3.1 and 3.3
> >         contain an input validation error that can result in an
> >         integer overflow and privilege escalation.
> >
> >         All versions between 2.3.1 and 3.3 contain a bug in the
> >         PAMAuthenticationViaKbdInt code.
> >
> >         All versions between 2.9.9 and 3.3 contain a bug in the
> >         ChallengeResponseAuthentication code.
> >
> >         OpenSSH 3.4 and later are not affected.
> >
> >         OpenSSH 3.2 and later prevent privilege escalation if
> >         UsePrivilegeSeparation is enabled in sshd_config.  OpenSSH
> >         3.3 enables UsePrivilegeSeparation by default.
> >
> >         Although some earlier versions are not affected upgrading
> >         to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds
> >         checks for a class of potential bugs.
> >
> > 2. Impact:
> >
> >         This bug can be exploited remotely if
> > 		ChallengeResponseAuthentication
> > 	is enabled in sshd_config.
> >
> >         Affected are at least systems supporting s/key over
> >         SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD
> >         as well as other systems supporting s/key with SSH).
> >         Exploitablitly of systems using
> > 		PAMAuthenticationViaKbdInt
> > 	has not been verified.
> >
> > 3. Short-Term Solution:
> >
> >         Disable ChallengeResponseAuthentication in sshd_config.
> >
> > 	and
> >
> > 	Disable PAMAuthenticationViaKbdInt in sshd_config.
> >
> > 	Alternatively you can prevent privilege escalation
> > 	if you enable UsePrivilegeSeparation in sshd_config.
> >
> > 4. Solution:
> >
> > 	Upgrade to OpenSSH 3.4 or apply the following patches.
> >
> > 5. Credits:
> >
> > 	ISS.
> >
> > Appendix:
> >
> > A:
> >
> > Index: auth2-chall.c
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
> > retrieving revision 1.18
> > diff -u -r1.18 auth2-chall.c
> > --- auth2-chall.c	19 Jun 2002 00:27:55 -0000	1.18
> > +++ auth2-chall.c	26 Jun 2002 09:37:03 -0000
> > @@ -256,6 +256,8 @@
> >
> >  	authctxt->postponed = 0;	/* reset */
> >  	nresp = packet_get_int();
> > +	if (nresp > 100)
> > +		fatal("input_userauth_info_response: nresp too big
> %u", nresp);
> >  	if (nresp > 0) {
> >  		response = xmalloc(nresp * sizeof(char*));
> >  		for (i = 0; i < nresp; i++)
> >
> > B:
> >
> > Index: auth2-pam.c
> > ===================================================================
> > RCS file: /var/cvs/openssh/auth2-pam.c,v
> > retrieving revision 1.12
> > diff -u -r1.12 auth2-pam.c
> > --- auth2-pam.c	22 Jan 2002 12:43:13 -0000	1.12
> > +++ auth2-pam.c	26 Jun 2002 10:12:31 -0000
> > @@ -140,6 +140,15 @@
> >  	nresp = packet_get_int();	/* Number of responses. */
> >  	debug("got %d responses", nresp);
> >
> > +
> > +	if (nresp != context_pam2.num_expected)
> > +		fatal("%s: Received incorrect number of responses "
> > +		    "(expected %u, received %u)", __func__, nresp,
> > +		    context_pam2.num_expected);
> > +
> > +	if (nresp > 100)
> > +		fatal("%s: too many replies", __func__);
> > +
> >  	for (i = 0; i < nresp; i++) {
> >  		int j = context_pam2.prompts[i];
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > ---
> > This message has been sent through the ALE general discussion list.
> > See http://www.ale.org/mailing-lists.shtml for more info.
> Problems should be
> > sent to listmaster at ale dot org.
> >
> >
> >
>
>
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info.
> Problems should be
> sent to listmaster at ale dot org.
>


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list