NetBSD: openssh buffer overflow vulnerability
Posted by LinuxSecurity.com Team
A buffer overwrite with unknown consequences has been found in OpenSSH.
NetBSD Security Advisory 2003-012
=================================
Topic: Out of bounds memset(0) in sshd
Version: NetBSD-current: source prior to September 17, 2003
NetBSD 1.6.1: affected
NetBSD 1.6: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
pkgsrc: packages prior to 3.7.1
Severity: Unknown - Rumours speculate remote root exploitability
Fixed: NetBSD-current: September 17, 2003
NetBSD-1.6 branch: September 17, 2003 (1.6.2 will include the fix)
NetBSD-1.5 branch: September 17, 2003 (1.5.4 will include the fix)
pkgsrc: openssh-3.7.1 corrects this issue
Abstract
========
A buffer overwrite with unknown consequences has been found in OpenSSH.
No evidence to support remote root exploitability has been provided by
any source.
The ssh daemon does not run by default in a NetBSD installation, but is
often enabled by administrators for convenience of remote
administration.
Changes are still being committed to the OpenSSH source distribution. We
will continue to update this advisory as new information becomes
available. Currently, we expect that more patches are likely, so if you
are maintaining a large number of machines, use the workarounds
discussed below if appropriate, and be prepared for further updates.
The NetBSD Project will make binary patchsets available when builds have
completed. This advisory will be updated with details when they are
available.
Technical Details
=================
In NetBSD installations where OpenSSH 3.2.1 or later is used, including the
base system of NetBSD-1.6 and later, the privilege separation feature of
OpenSSH is enabled by default. Privilege separation may prevent exploitation
of this buffer issue; this advisory will be updated once any exploit attempts,
successful or not, have been demonstrated.
Whether or not privilege separation is enabled, this buffer issue occurs in
the per-connection child process of sshd, so an over-zeroed buffer will not
crash the parent listener and will not deny ssh connectivity to the machine.
If the over-zeroing is exploitable, the attacker could of course shut down
the ssh daemon manually.
There is a lot of commotion over this buffer issue. Individuals have
mentioned an increased occurrence of port scans searching for open sshd
services. Since hard facts are not available yet, individuals
will have to decide whether to believe the rumours, and apply patches to
protect against this possible issue, or to use workarounds provided
below, where appropriate, and await further information.
http://www.openssh.com/txt/buffer.adv
http://xforce.iss.net/xforce/alerts/id/144
Solutions and Workarounds
=========================
Workaround: Disable sshd.
If sshd is not required, and alternative means of administration, such as a
console or serial console, are available, disabling sshd may be acceptable.
Confirm that sshd is running. It is usually configured to start by the
presence of a line in /etc/rc.conf, such as:
sshd=YES
Stop any currently running daemon, with
/etc/rc.d/sshd stop
OR - for a pkgsrc installation:
/usr/pkg/etc/rc.d/sshd stop
Change YES to NO in /etc/rc.conf
Workaround: Constrain hosts which can connect to sshd.
In order to overflow this buffer, a client must be able to connect to
the sshd in question. As a workaround, the tcp wrapper functionality
included in all NetBSD installations of OpenSSH can be used to restrict
connections to a limited list of source IPs.
As an example, populating /etc/hosts.allow with:
sshd : 192.168.1.1
And /etc/hosts.deny with:
sshd : ALL
Will result in only allowing connections from the (RFC 1918, private
network) IP address 192.168.1.1.
Host names may also be used in hosts.allow. Lists are comma separated; see
the hosts_access(5) manpage for the full syntax. If you use hostnames, it
may also be desirable to specify hosts.deny as 'sshd : ALL, PARANOID',
which requires the forward and reverse DNS lookups to correspond. This
provides some protection where the host you are allowing access from is on
a remote network outside your control and you wish to guard against
hijacked nameservers.
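The order in which libwrap consults the two files is what makes the
hosts.deny line necessary: a match in hosts.allow grants access, otherwise a
match in hosts.deny refuses it, and if neither file matches, access is
granted. The POSIX sh script below is an added example, not part of the
advisory or of NetBSD, that models that decision order so a hosts.allow and
hosts.deny pair can be checked before sshd is left exposed to it. It
understands only "daemon : client-list" lines with literal IPv4 addresses,
"192.168.1."-style network prefixes and ALL; real libwrap also handles
hostnames, EXCEPT, PARANOID and shell commands, so treat this as a sanity
check rather than a substitute for the tcpdmatch(8) utility shipped with
tcp_wrappers where that is available. The policy files it builds are
constructed in a temporary directory.

```sh
#!/bin/sh
# Added example: minimal model of the hosts_access(5) decision order.
# Not NetBSD or tcp_wrappers code; the rule subset handled is described above.

# match_list LIST ITEM: succeed if ITEM matches any comma- or space-separated
# entry in LIST. ALL matches anything; an entry ending in a dot is a network
# prefix, as in hosts_access(5).
match_list() {
    _list=$1; _item=$2
    for _pat in $(printf '%s' "$_list" | tr ',' ' '); do
        case $_pat in
            ALL) return 0 ;;
            *.)  case $_item in "$_pat"*) return 0 ;; esac ;;
            *)   [ "$_pat" = "$_item" ] && return 0 ;;
        esac
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: succeed if some rule line in FILE matches
# both the daemon and the client. A missing file contributes no rules.
file_matches() {
    _file=$1; _daemon=$2; _client=$3
    [ -f "$_file" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in '#'*|'') continue ;; esac    # comment or blank line
        case $_line in *:*) ;; *) continue ;; esac  # not a daemon : client rule
        _dlist=${_line%%:*}
        _clist=${_line#*:}
        if match_list "$_dlist" "$_daemon" && match_list "$_clist" "$_client"; then
            return 0
        fi
    done < "$_file"
    return 1
}

# hosts_access ALLOWFILE DENYFILE DAEMON CLIENT: print allow or deny in the
# libwrap order. The final default is "allow", which is why an allow list
# without a matching "sshd : ALL" in hosts.deny restricts nothing.
hosts_access() {
    if file_matches "$1" "$3" "$4"; then
        echo allow
    elif file_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow
    fi
}

# demo: build the advisory's example policy in a temporary directory, query
# it for a few clients, then show the effect of forgetting hosts.deny.
demo() {
    _d=$(mktemp -d) || return 1
    printf 'sshd : 192.168.1.1\n' > "$_d/hosts.allow"   # constructed policy
    printf 'sshd : ALL\n'         > "$_d/hosts.deny"
    for _ip in 192.168.1.1 192.168.1.2 10.0.0.5; do
        echo "$_ip -> $(hosts_access "$_d/hosts.allow" "$_d/hosts.deny" sshd "$_ip")"
    done
    echo "without hosts.deny, 10.0.0.5 -> $(hosts_access "$_d/hosts.allow" /nonexistent sshd 10.0.0.5)"
    rm -rf "$_d"
}
demo
```

Running it prints allow for 192.168.1.1, deny for the other two addresses,
and allow for everyone once hosts.deny is absent. Note also that the wrapper
check happens after the TCP connection is accepted, so a scanner will still
see port 22 open; it simply gets disconnected before the SSH protocol
exchange in which this buffer is used.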
Another workaround is to restrict network access to sshd to trusted systems
only, via a perimeter router or firewall, or using IPFilter on the host
itself.
Solution:
The following instructions describe how to upgrade your OpenSSH
binaries by updating your source tree and rebuilding and
installing a new version.
* NetBSD-current:
Systems running NetBSD-current dated from before 2003-09-16
should be upgraded to NetBSD-current dated 2003-09-17 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
src/crypto/dist/ssh
To update from CVS, re-build, and re-install ssh related
binaries:
# cd src
# cvs update -d -P crypto/dist/ssh
# cd usr.bin/ssh
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6, 1.6.1:
The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable.
Systems running NetBSD 1.6 sources dated from before 2003-09-16
should be upgraded from NetBSD 1.6 sources dated 2003-09-17 or
later.
NetBSD 1.6.2 will include the fix.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
src/crypto/dist/ssh
To update from CVS, re-build, and re-install ssh related
binaries:
# cd src
# cvs update -d -P -r netbsd-1-6 crypto/dist/ssh
# cd usr.bin/ssh
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
The binary distributions of NetBSD 1.5 to 1.5.3 are vulnerable.
Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
from before 2003-09-16 should be upgraded from NetBSD 1.5.*
sources dated 2003-09-17 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
src/crypto/dist/ssh
To update from CVS, re-build, and re-install ssh related
binaries:
# cd src
# cvs update -d -P -r netbsd-1-5 crypto/dist/ssh
# cd usr.bin/ssh
# make cleandir dependall
# make install
Thanks To
=========
Christos Zoulas for the fix to NetBSD-current, Grant Beattie for
pullups to NetBSD release branches.
The Full-Disclosure rumour mill.
Revision History
================
2003-09-17 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2003-012.txt,v 1.9 2003/09/17 03:26:25 david Exp $