LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: August 15th, 2014
Linux Advisory Watch: August 8th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
FreeBSD: buffer management error Print E-mail
User Rating:      How can I rate this item?
Posted by LinuxSecurity.com Team   
FreeBSD A bug has been found in OpenSSH's buffer handling where a buffer could be marked as grown when the actual reallocation failed.

=============================================================================
FreeBSD-SA-03:12                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH buffer management error

Category:       core, ports
Module:         openssh, ports_openssh, openssh-portable
Announced:      2003-09-16
Credits:        The OpenSSH Project <openssh@openssh.org>
Affects:        All FreeBSD releases after 4.0-RELEASE
                FreeBSD 4-STABLE prior to the correction date
                openssh port prior to openssh-3.6.1_1
                openssh-portable port prior to openssh-portable-3.6.1p2_1
Corrected:      2003-09-16 16:24:02 UTC (RELENG_4)
                2003-09-16 16:27:57 UTC (RELENG_5_1)
                2003-09-16 17:34:32 UTC (RELENG_5_0)
                2003-09-16 16:24:02 UTC (RELENG_4_8)
                2003-09-16 16:45:16 UTC (RELENG_4_7)
                2003-09-16 17:44:15 UTC (RELENG_4_6)
                2003-09-16 17:45:23 UTC (RELENG_4_5)
                2003-09-16 17:46:02 UTC (RELENG_4_4)
                2003-09-16 17:46:37 UTC (RELENG_4_3)
                2003-09-16 12:43:09 UTC (ports/security/openssh)
                2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
CVE:            CAN-2003-0693
FreeBSD only:   NO

I.   Background

OpenSSH is a free version of the SSH protocol suite of network
connectivity tools.  OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.

II.  Problem Description

When a packet is received that is larger than the space remaining in
the currently allocated buffer, OpenSSH's buffer management attempts
to reallocate a larger buffer.  During this process, the recorded size
of the buffer is increased.  The new size is then range checked.  If
the range check fails, then fatal() is called to cleanup and exit.
In some cases, the cleanup code will attempt to zero and free the
buffer that just had its recorded size (but not actual allocation)
increased.  As a result, memory outside of the allocated buffer will
be overwritten with NUL bytes.

III. Impact

A remote attacker can cause OpenSSH to crash.  The bug is not believed
to be exploitable for code execution on FreeBSD.

IV.  Workaround

Do one of the following:

1) Disable the base system sshd by executing the following command as
   root:

   # kill `cat /var/run/sshd.pid`

   Be sure that sshd is not restarted when the system is restarted
   by adding the following line to the end of /etc/rc.conf:

   sshd_enable="NO"

   AND

   Deinstall the openssh or openssh-portable ports if you have one of
   them installed.

V.   Solution

Do one of the following:

[For OpenSSH included in the base system]

1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
   RELENG_4_8, or RELENG_4_7 security branch dated after
   the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
   4.7-RELEASE-p15, respectively).

2) FreeBSD systems prior to the correction date:

The following patches have been verified to apply to FreeBSD 4.x and
FreeBSD 5.x systems prior to the correction date.

Download the appropriate patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.

[FreeBSD 4.3 through 4.5]
# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc

[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

[For the OpenSSH ports]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package obtained from
the following directory:

[i386] 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/

[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.

3) Download a new port skeleton for the openssh or openssh-portable
port from:
 
http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD base system and ports collection.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
[Base system]
RELENG_4
  src/crypto/openssh/buffer.c                                 1.1.1.1.2.5
  src/crypto/openssh/version.h                               1.1.1.1.2.11
RELENG_5_1
  src/UPDATING                                                  1.251.2.4
  src/crypto/openssh/buffer.c                                 1.1.1.6.4.1
  src/crypto/openssh/version.h                                   1.20.2.1
  src/sys/conf/newvers.sh                                        1.50.2.5
RELENG_5_0
  src/UPDATING                                                 1.229.2.18
  src/crypto/openssh/buffer.c                                 1.1.1.6.2.1
  src/crypto/openssh/version.h                                   1.18.2.1
  src/sys/conf/newvers.sh                                       1.48.2.13
RELENG_4_8
  src/UPDATING                                              1.73.2.80.2.7
  src/crypto/openssh/buffer.c                             1.1.1.1.2.4.4.1
  src/crypto/openssh/version.h                           1.1.1.1.2.10.2.1
  src/sys/conf/newvers.sh                                   1.44.2.29.2.6
RELENG_4_7
  src/UPDATING                                             1.73.2.74.2.18
  src/crypto/openssh/buffer.c                             1.1.1.1.2.4.2.1
  src/crypto/openssh/version.h                            1.1.1.1.2.9.2.1
  src/sys/conf/newvers.sh                                  1.44.2.26.2.17
RELENG_4_6
  src/UPDATING                                             1.73.2.68.2.46
  src/crypto/openssh/buffer.c                             1.1.1.1.2.3.4.2
  src/crypto/openssh/version.h                            1.1.1.1.2.8.2.2
  src/sys/conf/newvers.sh                                  1.44.2.23.2.35
RELENG_4_5
  src/UPDATING                                             1.73.2.50.2.47
  src/crypto/openssh/buffer.c                             1.1.1.1.2.3.2.1
  src/crypto/openssh/version.h                            1.1.1.1.2.7.2.2
  src/sys/conf/newvers.sh                                  1.44.2.20.2.31
RELENG_4_4
  src/UPDATING                                             1.73.2.43.2.48
  src/crypto/openssh/buffer.c                             1.1.1.1.2.2.4.1
  src/crypto/openssh/version.h                            1.1.1.1.2.5.2.3
  src/sys/conf/newvers.sh                                  1.44.2.17.2.39
RELENG_4_3
  src/UPDATING                                             1.73.2.28.2.35
  src/crypto/openssh/buffer.c                             1.1.1.1.2.2.2.1
  src/crypto/openssh/version.h                            1.1.1.1.2.4.2.3
  src/sys/conf/newvers.sh                                  1.44.2.14.2.25
[Ports]
  ports/security/openssh-portable/Makefile                           1.73
  ports/security/openssh-portable/files/patch-buffer.c                1.1
  ports/security/openssh/Makefile                                   1.120
  ports/security/openssh/files/patch-buffer.c                         1.1
- -------------------------------------------------------------------------

Branch                       Version string
- -------------------------------------------------------------------------
HEAD                         OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4                     OpenSSH_3.5p1 FreeBSD-20030916
RELENG_5_1                   OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4_8                   OpenSSH_3.5p1 FreeBSD-20030916
RELENG_4_7                   OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_6                   OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_5                   OpenSSH_2.9 FreeBSD localisations 20030916
RELENG_4_4                   OpenSSH_2.3.0 FreeBSD localisations 20030916
RELENG_4_3                   OpenSSH_2.3.0 green@FreeBSD.org 20030916
- -------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the
following command:

  % /usr/sbin/sshd -\?

The version string is also displayed when a client connects to the
server.

To view the version string of the OpenSSH client, execute the
following command:

  % /usr/bin/ssh -V

VII. References

http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html>

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0693 to this issue.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693>

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
State-of-the-art spear phishing and defenses
Linux kernel source code repositories get better security
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.