NetBSD: openssh buffer overflow vulnerability Print E-mail
Posted by LinuxSecurity.com Team
A buffer overwrite with unknown consequences has been found in OpenSSH.

	 NetBSD Security Advisory 2003-012
		 =================================

Topic:		Out of bounds memset(0) in sshd

Version:	NetBSD-current:	source prior to September 17, 2003
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		pkgsrc:		packages prior to 3.7.1

Severity:	Unknown - Rumours speculate remote root exploitability

Fixed:		NetBSD-current:		September 17, 2003
		NetBSD-1.6 branch:	September 17, 2003 (1.6.2 will include the fix)
		NetBSD-1.5 branch:	September 17, 2003 (1.5.4 will include the fix)
		pkgsrc:			openssh-3.7.1 corrects this issue


Abstract
========

A buffer overwrite with unknown consequences has been found in OpenSSH.

No evidence to support remote root exploitability has been provided by
any source.

The ssh daemon does not run by default in a NetBSD installation, but is
often enabled by administrators for convenience of remote
administration.

Changes are still being committed to the OpenSSH source distribution. We
will continue to update this advisory as new information becomes
available. Currently, we expect that more patches are likely, so if you
are maintaining a large number of machines, use the workarounds
discussed below if appropriate, and be prepared for further updates.

The NetBSD Project will make binary patchsets available when builds have
completed. This advisory will be updated with details when they are
available.


Technical Details
=================

In NetBSD installations where OpenSSH 3.2.1 or later is used, including
the base system installations of NetBSD-1.6 and later, the privilege
separation feature of OpenSSH is enabled by default. Privilege
separation may prevent exploitation of this buffer issue; this advisory
will be updated once any exploits are demonstrated, whether successful
or not.

Regardless of whether privilege separation is enabled, this buffer issue
occurs in the child process of sshd, so an over-zeroed buffer will not
crash the parent service and will not deny ssh connectivity to the
machine. If the over-zeroing is exploitable, the attacker could of
course shut down the ssh daemon manually.

There is a lot of commotion over this buffer issue. Individuals have
mentioned an increased occurrence of port scans searching for open sshd
services. Since hard facts are not available yet, individuals
will have to decide whether to believe the rumours, and apply patches to
protect against this possible issue, or to use workarounds provided
below, where appropriate, and await further information.

http://www.openssh.com/txt/buffer.adv

http://xforce.iss.net/xforce/alerts/id/144


Solutions and Workarounds
=========================

Workaround: Disable sshd.

If sshd is not required, and alternate means of administration, such as
consoles or serial consoles, are available, disabling sshd may be
acceptable.

Confirm that sshd is running. It is usually configured to start by the
presence of a line in /etc/rc.conf, such as:

sshd=YES

Stop any currently running daemon, with

/etc/rc.d/sshd stop

OR - for a pkgsrc installation:

/usr/pkg/etc/rc.d/sshd stop

Change YES to NO in /etc/rc.conf


Workaround: Constrain hosts which can connect to sshd.

In order to overflow this buffer, a client must be able to connect to
the sshd in question. As a workaround, the tcp wrapper functionality
included in all NetBSD installations of OpenSSH can be used to restrict
connections to a limited list of source IPs.

As an example, populating /etc/hosts.allow with:

sshd : 192.168.1.1

And /etc/hosts.deny with:

sshd : ALL

Will result in only allowing connections from the (RFC 1918, private
network) IP address 192.168.1.1.

Host names may also be used in the hosts.allow file. Lists are comma
separated; review the hosts_access(5) manpage for further details. If
you use hostnames, it may also be desirable to specify hosts.deny as
'sshd : ALL, PARANOID', to require the forward and reverse DNS lookups
to correspond. This provides protection in cases where the host you are
allowing access from is on a remote network outside your control, and
you wish to protect against hijacked nameservers.
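An added example, not part of the NetBSD advisory: a small Python model
of how the hosts.allow / hosts.deny rules above are evaluated for an
incoming sshd connection, including the PARANOID check. The DNS maps,
the hostname admin.example.org and the extra client addresses are
constructed for the demonstration; real hosts_access(5) matching is
richer than this simplified version.

```python
# Added example (not from the NetBSD advisory): simplified tcp-wrappers
# evaluation for sshd. hosts.allow is consulted first, then hosts.deny,
# and a client that matches neither file is permitted.
from typing import List, Optional, Tuple

# Constructed configuration: the advisory's example plus the
# 'sshd : ALL, PARANOID' deny line it suggests for hostname-based lists.
HOSTS_ALLOW = "sshd : 192.168.1.1, admin.example.org\n"
HOSTS_DENY = "sshd : ALL, PARANOID\n"

# Constructed stand-in for DNS: reverse (ip -> name) and forward (name -> ip).
REVERSE = {"192.168.1.1": None, "10.0.0.5": "admin.example.org",
           "10.0.0.9": "admin.example.org"}
FORWARD = {"admin.example.org": "10.0.0.5"}

def parse_rules(text: str) -> List[Tuple[List[str], List[str]]]:
    """Parse 'daemon_list : client_list' lines into (daemons, clients)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def paranoid(ip: str, name: Optional[str]) -> bool:
    """PARANOID: the reverse name does not resolve back to the client IP."""
    return name is not None and FORWARD.get(name) != ip

def client_matches(pattern: str, ip: str, name: Optional[str]) -> bool:
    """Match one client pattern; hostname patterns fail for paranoid clients."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return paranoid(ip, name)
    if pattern.endswith("."):                         # prefix such as 192.168.1.
        return ip.startswith(pattern)
    if name is None or paranoid(ip, name):            # only the IP is trustworthy
        return pattern == ip
    if pattern.startswith("."):                       # domain suffix such as .example.org
        return name.endswith(pattern)
    return pattern in (ip, name)

def access_allowed(daemon: str, ip: str, allow=HOSTS_ALLOW, deny=HOSTS_DENY) -> bool:
    """First matching rule decides: hosts.allow grants, hosts.deny refuses."""
    name = REVERSE.get(ip)
    for text, verdict in ((allow, True), (deny, False)):
        for daemons, clients in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and \
               any(client_matches(c, ip, name) for c in clients):
                return verdict
    return True
```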

Another workaround is to restrict network access to sshd to trusted
systems only, via a perimeter router or firewall, or by using IPFilter
on the host itself.

Solution:

The following instructions describe how to upgrade your OpenSSH
binaries by updating your source tree and rebuilding and
installing a new version.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2003-09-16
	should be upgraded to NetBSD-current dated 2003-09-17 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/crypto/dist/ssh

	To update from CVS, re-build, and re-install ssh related
	binaries:

		# cd src
		# cvs update -d -P crypto/dist/ssh
		# cd usr.bin/ssh

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.6, 1.6.1:

	The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable.

	Systems running NetBSD 1.6 sources dated from before 2003-09-16
	should be upgraded from NetBSD 1.6 sources dated 2003-09-17 or
	later.

	NetBSD 1.6.2 will include the fix.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		src/crypto/dist/ssh

	To update from CVS, re-build, and re-install ssh related
	binaries:

		# cd src
		# cvs update -d -P -r netbsd-1-6 crypto/dist/ssh
		# cd usr.bin/ssh

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	The binary distributions of NetBSD 1.5 to 1.5.3 are vulnerable.

	Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
	from before 2003-09-16 should be upgraded from NetBSD 1.5.*
	sources dated 2003-09-17 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		src/crypto/dist/ssh

	To update from CVS, re-build, and re-install ssh related
	binaries:

		# cd src
		# cvs update -d -P -r netbsd-1-5 crypto/dist/ssh
		# cd usr.bin/ssh

		# make cleandir dependall
		# make install


Thanks To
=========

Christos Zoulas for the fix to NetBSD-current, Grant Beattie for
pullups to NetBSD release branches.

The Full-Disclosure rumour mill.


Revision History
================

	2003-09-17	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
   ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.txt.asc

Information about NetBSD and NetBSD security can be found at 
http://www.NetBSD.org/ and  http://www.NetBSD.org/Security/.


Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2003-012.txt,v 1.9 2003/09/17 03:26:25 david Exp $