CERT® Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSHOriginal release date: September 16, 2003
Last revised: Aug 12, 2008
A complete revision history can be found at the end of this file.
There is a remotely exploitable vulnerability in a general buffer management function in versions of OpenSSH prior to 3.7.1. This may allow a remote attacker to corrupt heap memory which could cause a denial-of-service condition. It may also be possible for an attacker to execute arbitrary code.
We are updating this advisory to inform users that Version 3.7.1 of OpenSSH has been released to patch a similar vulnerability in the buffer management code.
There are two errors in the buffer management code of OpenSSH. These vulnerabilities affect versions prior to 3.7.1. Version 3.7 is affected by one of these errors. The errors occur when a buffer is allocated for a large packet. When the buffer is cleared, an improperly sized chunk of memory is filled with zeros. This leads to heap corruption, which could cause a denial-of-service condition. These vulnerabilities may also allow an attacker to execute arbitrary code.
The OpenSSH advisory has been updated to include a patch for version 3.7 as well as 3.6.1 and prior.
Other systems that use or derive code from OpenSSH may be affected. This includes network equipment and embedded systems. We have monitored incident reports that may be related to this vulnerability.
Vulnerability Note VU#333628 lists the vendors we contacted about these vulnerabilities. The vulnerability note is available from
This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) number:
While the full impact of this issues are unclear, the most likely result is heap corruption, which could lead to a denial of service.
If it is possible for an attacker to execute arbitrary code, then they may be able to so with the privileges of the user running the sshd process, typically root. This impact may be limited on systems using the privilege separation (privsep) feature available in OpenSSH.
Upgrade to OpenSSH version 3.7.1
This vulnerability is resolved in OpenSSH version 3.7.1, which is available from the OpenSSH web site at
Apply a patch from your vendor
A patches for these issues are included in the OpenSSH advisory at
This patch may be manually applied to correct this vulnerability in affected versions of OpenSSH. If your vendor has provided a patch or upgrade, you may want to apply it rather than using the patch from OpenSSH. Find information about vendor patches in Appendix A. We will update this document as vendors provide additional information.
Use privilege separation to minimize impact
System administrators running OpenSSH versions 3.2 or higher may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. Typically, this is accomplished by creating a privsep user, setting up a restricted (chroot) environment, and adding the following line to /etc/ssh/sshd_config:
This workaround does not prevent this vulnerability from being exploited, however due to the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges. This workaround will not prevent this vulnerability from creating a denial-of-service condition. Not all operating system vendors have implemented the privilege separation code, and on some operating systems it may limit the functionality of OpenSSH. System administrators are encouraged to carefully review the implications of using the workaround in their environment and use a more comprehensive solution if one is available. The use of privilege separation to limit the impact of future vulnerabilities is encouraged.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in the revision history. Additional vendors who have not provided direct statements, but who have made public statements or informed us of their status are listed in VU#333628. If a vendor is not listed below or in VU#333628, we have not received their comments.
AppGate Network Security AB
AppGate versions from 4.0 up to and including 5.3.1 does include the vulnerable code. Patches are available from the appgate support pages at http://www.appgate.com.
Apple Computers Inc.
Our software shares no codebase with the OpenSSH implementation, therefore we believe that, in our products, this problem does not exist.
Cisco has some products which are vulnerable to this issue. Cisco's response is now published at
Cray Inc. supports OpenSSH through its Cray Open Software (COS) package. Cray is vulnerable to this buffer management error and is in the process of compiling OpenSSH 3.7. The new version will be made available in the next COS release.
Mandrake Linux is affected and MDKSA-2003:090 will be released today with patched versions of OpenSSH to resolve this issue.
Mirapoint released a patch (D3_SSH_CA_2003_24) last night to fix the first reported vulnerability and will release D3_SSH_CA_2003_24_1 to cover the second.
The NetBSD Security Advisory on the OpenSSH buffer management issue is available here:
This issue applies only to SecureAdmin on Data ONTAP versions earlier than 6.4.3, and SecureAdmin for NetCache releases earlier than 5.5R2.
The OpenSSH package in Openwall GNU/*/Linux did contain the buffer / memory management errors. As of 2003/09/17, we have included the fixes from OpenSSH 3.7.1 as well as 4 additional fixes to other such real or potential errors based on an exhaustive review of the OpenSSH source code for uses of *realloc() functions. At this time, it is uncertain whether and which of these bugs are exploitable. If exploits are possible, due to privilege separation, the worst direct impact should be limited to arbitrary code execution under the sshd pseudo-user account restricted within the chroot jail /var/empty, or under the logged in user account
We have tested our code and double checked for the code vulnerability and we have found that our code is NOT vulnerable.
PuTTY is not based on the OpenSSH code base, so it should not be vulnerable to any OpenSSH-specific attacks.
Red Hat, Inc.
Red Hat Linux and Red Hat Enterprise Linux ship with an OpenSSL package vulnerable to these issues. Updated OpenSSL packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.
Riverstone Networks has issued an advisory on this issue at http://www.riverstonenet.com/support/tb0265-9.html.
Secure Computing Corporation
Sidewinder(r) and Sidewinder G2 Firewall(tm) (including all appliances)Not Vulnerable.
SSH Communications Security
SSH Secure Shell products do not contain the buffer management error. SSH Communications Security products have different code base than OpenSSH.
The Solaris Secure Shell in Solaris 9 is impacted by this issue described in CERT Vulnerability Note VU#333628. Sun has published Sun Alert 56861 available here:
The CERT/CC thanks Markus Friedl of the OpenSSH project for his technical assistance in producing this advisory.
Authors: Jason A. Rafail and Art Manion
This document is available from: http://www.cert.org/advisories/CA-2003-24.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
September 16, 2003: Initial release September 17, 2003: Updated with new information regarding 3.7.1 release September 17, 2003: Added SSH Communications Security vendor statement September 17, 2003: Added Red Hat, Inc. vendor statement September 17, 2003: Added Sun Microsystems vendor statement September 17, 2003: Added NetBSD vendor statement September 17, 2003: Added Network Appliance vendor statement September 18, 2003: Added Cisco vendor statement September 18, 2003: Updated Red Hat, Inc. links in vendor statement September 18, 2003: Added IBM vendor statement September 18, 2003: Added F-Secure vendor statement September 18, 2003: Added OpenWall GNU/*/Linux vendor statement September 22, 2003: Added Juniper Networks vendor statement September 22, 2003: Added Mirapoint vendor statement September 23, 2003: Added Secure Computing Corp. vendor statement September 23, 2003: Added AppGate Network Security AB vendor statement October 01, 2003: Added Apple Computers vendor statement October 01, 2003: Added Pragma Systems vendor statement October 01, 2003: Updated IBM vendor statement October 01, 2003: Added Riverstone vendor statement January 16, 2007: Updated Sun vendor statement August 12, 2008: Updated Network Appliance vendor statement