Fw: ISS Advisory: OpenSSH Remote Challenge Vulnerability
I think this is serious enough for fellow ISP admins that I would post it
Do you all know how Debian's progress is regarding this? We are starting
to get a large increase in SSH probes... perhaps crackers are already
compiling a list of hosts running SSH, so when the full vunerability is
released, they can attack immediately.
How are you guys handling this?
----- Original Message -----
From: "X-Force" <firstname.lastname@example.org>
Sent: Wednesday, June 26, 2002 11:56 PM
Subject: ISS Advisory: OpenSSH Remote Challenge Vulnerability
> -----BEGIN PGP SIGNED MESSAGE-----
> Internet Security Systems Security Advisory
> June 26, 2002
> OpenSSH Remote Challenge Vulnerability
> ISS X-Force has discovered a serious vulnerability in the default
> installation of OpenSSH on the OpenBSD operating system. OpenSSH is a
> free version of the SSH (Secure Shell) communications suite and is used
> as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and
> Ftp. OpenSSH employs end-to-end encryption (including all passwords) and
> is resistant to network monitoring, eavesdropping, and connection
> hijacking attacks. X-Force is aware of active exploit development for
> this vulnerability.
> OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be
> vulnerable to a remote, superuser compromise.
> Affected Versions:
> OpenBSD 3.0
> OpenBSD 3.1
> OpenSSH 3.0-3.2.3
> OpenSSH version 3.3 implements "privilege separation" which mitigates
> the risk of a superuser compromise. Prior to the release of this
> advisory, ISS and OpenBSD encouraged all OpenSSH users to upgrade to
> version 3.3. Versions of FreeBSD-Current built between March 18, 2002
> and June 23, 2002 are vulnerable to remote superuser compromise.
> Privilege separation was implemented in FreeBSD-Current on June 23,
> Note: OpenSSH is included in many operating system distributions,
> networking equipment, and security appliances. Refer to the following
> address for information about vendors that implement OpenSSH:
> A vulnerability exists within the "challenge-response" authentication
> mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2
> protocol, verifies a user's identity by generating a challenge and
> forcing the user to supply a number of responses. It is possible for a
> remote attacker to send a specially-crafted reply that triggers an
> overflow. This can result in a remote denial of service attack on the
> OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs
> with superuser privilege, so remote attackers can gain superuser access
> by exploiting this vulnerability.
> OpenSSH supports the SKEY and BSD_AUTH authentication options. These are
> compile-time options. At least one of these options must be enabled
> before the OpenSSH binaries are compiled for the vulnerable condition to
> be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled.
> The SKEY and BSD_AUTH options are not enabled by default in many
> distributions. However, if these options are explicitly enabled, that
> build of OpenSSH may be vulnerable.
> Internet Scanner X-Press Update 6.13 includes a check, OpenSshRunning,
> to detect potentially vulnerable installations of OpenSSH. XPU 6.13 is
> available from the ISS Download Center at: http://www.iss.net/download.
> For questions about downloading and installing this XPU, email
> ISS X-Force recommends that system administrators disable unused OpenSSH
> authentication mechanisms. Administrators can remove this vulnerability
> by disabling the Challenge-Response authentication parameter within the
> OpenSSH daemon configuration file. This filename and path is typically:
> /etc/ssh/sshd_config. To disable this parameter, locate the
> corresponding line and change it to the line below:
> ChallengeResponseAuthentication no
> The "sshd" process must be restarted for this change to take effect.
> This workaround will permanently remove the vulnerability. X-Force
> recommends that administrators upgrade to OpenSSH version 3.4
> immediately. This version implements privilege separation, contains a
> patch to block this vulnerability, and contains many additional pro-
> active security fixes. Privilege separation was designed to limit
> exposure to known and unknown vulnerabilities. Visit
> http://www.openssh.com for more information.
> Additional Information:
> ISS X-Force and Black Hat consulting will host a presentation titled,
> "Professional Source Code Auditing" at Black Hat Briefings USA 2002. The
> presentation will explore advanced source code auditing techniques as
> well as secure development best-practices. Please refer to
> http://www.blackhat.com and
> http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd for
> more information.
> The vulnerability described in this advisory was discovered and
> researched by Mark Dowd of the ISS X-Force. ISS would like to thank Theo
> de Raadt of the OpenBSD Project for his assistance with this advisory.
> About Internet Security Systems (ISS)
> Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
> pioneer and world leader in software and services that protect critical
> online resources from an ever-changing spectrum of threats and misuse.
> Internet Security Systems is headquartered in Atlanta, GA, with
> additional operations throughout the Americas, Asia, Australia, Europe
> and the Middle East.
> Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
> Permission is hereby granted for the electronic redistribution of this
> document. It is not to be edited or altered in any way without the
> express written consent of the Internet Security Systems X-Force. If you
> wish to reprint the whole or any part of this document in any other
> medium excluding electronic media, please email email@example.com for
> Disclaimer: The information within this paper may change without notice.
> Use of this information constitutes acceptance for use in an AS IS
> condition. There are NO warranties, implied or otherwise, with regard to
> this information or its use. Any use of this information is at the
> user's risk. In no event shall the author/distributor (Internet Security
> Systems X-Force) be held liable for any damages whatsoever arising out
> of or in connection with the use or spread of this information.
> X-Force PGP Key available on MIT's PGP key server and PGP.com's key
> server, as well as at http://www.iss.net/security_center/sensitive.php
> Please send suggestions, updates, and comments to: X-Force
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
> -----END PGP SIGNATURE-----
To UNSUBSCRIBE, email to firstname.lastname@example.org
with a subject of "unsubscribe". Trouble? Contact email@example.com