Major Security Warning - sshd (update)

There is currently a world-wide "flap" about a vulnerability with open-ssh, which is arguably the most widely used single application in use on internet servers in the world today. If you use ssh, you should read this.

Because of the undisclosed nature of this vulnerability, nobody is really quite sure what it is. Implications are that it affects virtually all versions of open-ssh currently available. A new version (3.3.1) is being rushed out, but vendor recommendations are that anyone using ssh either immediately upgrade to 3.3.0 (itself only just out) and use the new feature "privsep". It is unclear if this will simply restrict the vulnerability to user privs instead of a root exploit, but my expectation is that this is the case.

Since a lot of our customers have machines with sshd enabled, we have (today) added filter rules to our core router to prevent incomming ssh requests on port 22 in an effort to afford our customers some protection from this as-yet unquantified threat. This should NOT affect outgoing ssh requests (ie, from our customers OUT to other hosts), but if you have users from outside who need to access your systems, please contact so we can arrange a work-around for you.

Now that most of the dust has settled, the official summary from is as follows:

1. Versions affected:
Serveral versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that
can result in an integer overflow and privilege escalation.
All versions between 2.3.1 and 3.3 contain a bug in the PAMAuthenticationViaKbdInt code.
All versions between 2.9.9 and 3.3 contain a bug in the ChallengeResponseAuthentication code.
OpenSSH 3.4 and later are not affected.
OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config.
OpenSSH 3.3 enables UsePrivilegeSeparation by default.
Although some earlier versions are not affected upgrading to OpenSSH 3.4 is recommended,
because OpenSSH 3.4 adds checks for a class of potential bugs.

2. Impact:
This bug can be exploited remotely if ChallengeResponseAuthentication is enabled in sshd_config.
Affected are at least systems supporting s/key over SSH protocol version 2 (OpenBSD, FreeBSD
and NetBSD as well as other systems supporting s/key with SSH).
Exploitablitly of systems using PAMAuthenticationViaKbdInt has not been verified.

3. Short-Term Solution:
Disable ChallengeResponseAuthentication in sshd_config.
Disable PAMAuthenticationViaKbdInt in sshd_config.
Alternatively you can prevent privilege escalation if you enable UsePrivilegeSeparation in sshd_config.

(Published on 27-Jun-2002 12:52 by RossW, read 1262 times)
Missed an article? Check the archives