CERT-SEI

Buffer Management Vulnerability in OpenSSH

Original release date: September 16, 2003
Last revised: Aug 12, 2008
Source: CERT/CC

A complete revision history can be found at the end of this file.


Systems Affected

  • Systems running versions of OpenSSH prior to 3.7.1
  • Systems that use or derive code from vulnerable versions of OpenSSH

Overview

There is a remotely exploitable vulnerability in a general buffer management function in versions of OpenSSH prior to 3.7.1.  This may allow a remote attacker to corrupt heap memory which could cause a denial-of-service condition. It may also be possible for an attacker to execute arbitrary code.


I. Description

We are updating this advisory to inform users that Version 3.7.1 of OpenSSH has been released to patch a similar vulnerability in the buffer management code.

There are two errors in the buffer management code of OpenSSH.  These vulnerabilities affect versions prior to 3.7.1.  Version 3.7 is affected by one of these errors. The errors occur when a buffer is allocated for a large packet.  When the buffer is cleared, an improperly sized chunk of memory is filled with zeros.  This leads to heap corruption, which could cause a denial-of-service condition. These vulnerabilities may also allow an attacker to execute arbitrary code.

The OpenSSH advisory has been updated to include a patch for version 3.7 as well as 3.6.1 and prior.

http://www.openssh.com/txt/buffer.adv

Other systems that use or derive code from OpenSSH may be affected.  This includes network equipment and embedded systems.  We have monitored incident reports that may be related to this vulnerability.

Vulnerability Note VU#333628 lists the vendors we contacted about these vulnerabilities.  The vulnerability note is available from

http://www.kb.cert.org/vuls/id/333628

This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) number:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693

II. Impact

While the full impact of this issues are unclear, the most likely result is heap corruption, which could lead to a denial of service.

If it is possible for an attacker to execute arbitrary code, then they may be able to so with the privileges of the user running the sshd process, typically root. This impact may be limited on systems using the privilege separation (privsep) feature available in OpenSSH.


III. Solution

Upgrade to OpenSSH version 3.7.1

This vulnerability is resolved in OpenSSH version 3.7.1, which is available from the OpenSSH web site at

http://www.openssh.com/

Apply a patch from your vendor

A patches for these issues are included in the OpenSSH advisory at

http://www.openssh.com/txt/buffer.adv

This patch may be manually applied to correct this vulnerability in affected versions of OpenSSH. If your vendor has provided a patch or upgrade, you may want to apply it rather than using the patch from OpenSSH.  Find information about vendor patches in Appendix A.  We will update this document as vendors provide additional information.

Use privilege separation to minimize impact

System administrators running OpenSSH versions 3.2 or higher may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file.  Typically, this is accomplished by creating a privsep user, setting up a restricted (chroot) environment, and adding the following line to /etc/ssh/sshd_config:

UsePrivilegeSeparation yes

This workaround does not prevent this vulnerability from being exploited, however due to the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges.  This workaround will not prevent this vulnerability from creating a denial-of-service condition.  Not all operating system vendors have implemented the privilege separation code, and on some operating systems it may limit the functionality of OpenSSH.  System administrators are encouraged to carefully review the implications of using the workaround in their environment and use a more comprehensive solution if one is available.  The use of privilege separation to limit the impact of future vulnerabilities is encouraged.


Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory.  As vendors report new information to the CERT/CC, we will update this section and note the changes in the revision history. Additional vendors who have not provided direct statements, but who have made public statements or informed us of their status are listed in VU#333628.  If a vendor is not listed below or in VU#333628, we have not received their comments.

AppGate Network Security AB

AppGate versions from 4.0 up to and including 5.3.1 does include the vulnerable code. Patches are available from the appgate support pages at http://www.appgate.com.

Apple Computers Inc.

Mac OS X 10.2.8 contains the patches to address CVE CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X versions prior to 10.2.8, the vulnerability is limited to a denial of service from the possibility of causing sshd to crash. Each login session has its own sshd, so established connections are preserved up to the point where system resources are exhausted by an attack.

To deliver the update in a rapid and reliable manner, only the patches for CVE IDs listed above were applied, and not the entire set of patches for OpenSSH 3.7.1.  Thus, the OpenSSH version in Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:

OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f

Mac OS X 10.2.8 is available as a free update for customers running Mac OS X 10.2.x.  It is available from:

Mac OS X Client (updating from 10.2 - 10.2.5):
http://www.info.apple.com/kbnum/n120244

Mac OS X Client (updating from 10.2.6 - 10.2.7):
http://www.info.apple.com/kbnum/n120245

Mac OS X Server (updating from 10.2 - 10.2.5):
http://www.info.apple.com/kbnum/n120246

Mac OS X Server (updating from 10.2.6 - 10.2.7):
http://www.info.apple.com/kbnum/n120247

Bitvise

Our software shares no codebase with the OpenSSH implementation, therefore we believe that, in our products, this problem does not exist.

Cisco

Cisco has some products which are vulnerable to this issue. Cisco's response is now published at
http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml

Cray, Inc.

Cray Inc. supports OpenSSH through its Cray Open Software (COS) package.  Cray is vulnerable to this buffer management error and is in the process of compiling OpenSSH 3.7.  The new version will be made available in the next COS release.

Debian

Debian has issued DSA 382 and DSA 383 for these issues.

http://www.debian.org/security/2003/dsa-382
http://www.debian.org/security/2003/dsa-383

F-Secure

This vulnerability does not affect any version of F-Secure SSH software that utilizes ssh protocol version 2. The non-affected versions have been available since 1998.

This vulnerability only affects the following F-Secure SSH server versions: F-Secure SSH for Unix versions 1.3.14 and earlier.

More information is available from

http://www.f-secure.com/support/technical/ssh/ssh1_openssh_buffer_management.shtml

IBM AIX

The AIX Security Team is aware of the issues discussed in CERT
Vulnerability Note VU#333628 and CERT Advisory CA-2003-24.

OpenSSH is available for AIX via the AIX Toolbox for Linux or the
Bonus Pack.

OpenSSH 3.4p1, revision 9 contains fixes for this issue for the AIX Toolbox
for Linux. For more information about the AIX Toolbox for Linux or to download
OpenSSH 3.4p1 revision 9, please see:

http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

Please note that AIX Toolbox for Linux is available "as-is" and is unwarranted.

Patched versions of OpenSSH for the Bonus Pack on AIX 5.1 and 5.2 are available
Please see:

http://oss.software.ibm.com/developerworks/projects/opensshi

Juniper Networks

Juniper Networks has identified this vulnerability in all shipping versions of JUNOS and coded a software fix. The fix will be included in all releases of JUNOS Internet software built on or after September 17. Customers with current support contracts should contact JTAC to obtain the fix for this vulnerability.

JUNOSe and SDX are not vulnerable to this issue.

Contract customers can review the details at:

https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2003-09-007&actionBtn=Search

Mandrake Software

Mandrake Linux is affected and MDKSA-2003:090 will be released today with patched versions of OpenSSH to resolve this issue.

Mirapoint

Mirapoint released a patch (D3_SSH_CA_2003_24) last night to fix the first reported vulnerability and will release D3_SSH_CA_2003_24_1 to cover the second.

NetBSD

The NetBSD Security Advisory on the OpenSSH buffer management issue is available here:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.txt.asc

Network Appliance

This issue applies only to SecureAdmin on Data ONTAP versions earlier than 6.4.3, and SecureAdmin for NetCache releases earlier than 5.5R2.

All current releases (NetCache 5.6, 6.0 and 6.1, and Filer 6.5, 7.0, 7.1, 7.2, 7.3 and 10.0) have been secured against this issue.

If you have an affected release:
Disable the SSH server on the filer or NetCache appliance, or if it must remain enabled, ensure that the ssh.access option (config.admin.trusted_hosts in NetCache) is used to restrict ssh connections to authorized administrative hosts.

Openwall GNU/*/Linux

The OpenSSH package in Openwall GNU/*/Linux did contain the buffer / memory management errors.  As of 2003/09/17, we have included the fixes from OpenSSH 3.7.1 as well as 4 additional fixes to other such real or potential errors based on an exhaustive review of the OpenSSH source code for uses of *realloc() functions.  At this time, it is uncertain whether and which of these bugs are exploitable.  If exploits are possible, due to privilege separation, the worst direct impact should be limited to arbitrary code execution under the sshd pseudo-user account restricted within the chroot jail /var/empty, or under the logged in user account

Pragma Systems

We have tested our code and double checked for the code vulnerability and we have found that our code is NOT vulnerable.

PuTTY

PuTTY is not based on the OpenSSH code base, so it should not be vulnerable to any OpenSSH-specific attacks.

Red Hat, Inc.

Red Hat Linux and Red Hat Enterprise Linux ship with an OpenSSL package vulnerable to these issues.  Updated OpenSSL packages are available along with our advisory at the URLs below.  Users of the Red Hat Network can update their systems using the 'up2date' tool.

Red Hat Linux:

http://rhn.redhat.com/errata/RHSA-2003-279.html
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2003-280.html

Riverstone Networks

Riverstone Networks has issued an advisory on this issue at http://www.riverstonenet.com/support/tb0265-9.html.

Secure Computing Corporation

Sidewinder(r) and Sidewinder G2 Firewall(tm) (including all appliances)
Not Vulnerable.

Sidewinder v5.x & Sidewinder G2 v6.x's embedded Type Enforcement(r) technology strictly limits the capabilities of Secure Computing's modified version of the OpenSSH daemon code integrated into the firewall's SecureOS operating system.  Any attempt to exploit this vulnerability in the OpenSSH daemon code running on the firewalls results in an automatic termination of the attacker's connection and multiple Type Enforcement alarms.

Gauntlet(tm) & e-ppliance

Not Vulnerable.

Gauntlet and e-ppliance do not include SSH server software, and are thus immune to this vulnerability.

SSH Communications Security

SSH Secure Shell products do not contain the buffer management error. SSH Communications Security products have different code base than OpenSSH.

Sun Microsystems

The Solaris Secure Shell in Solaris 9 is impacted by this issue described in CERT Vulnerability Note VU#333628. Sun has published Sun Alert 56861 available here:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-56861-1
which details the impact, contributing factors, workaround options, and resolution.  This issue does not affect the Solaris Secure Shell in Solaris 10.

The CERT/CC thanks Markus Friedl of the OpenSSH project for his technical assistance in producing this advisory.


Authors: Jason A. Rafail and Art Manion

Copyright 2003 Carnegie Mellon University.

Revision History

September 16, 2003: Initial release
September 17, 2003: Updated with new information regarding 3.7.1 release
September 17, 2003: Added SSH Communications Security vendor statement
September 17, 2003: Added Red Hat, Inc.  vendor statement
September 17, 2003: Added Sun Microsystems vendor statement
September 17, 2003: Added NetBSD vendor statement
September 17, 2003: Added Network Appliance vendor statement
September 18, 2003: Added Cisco vendor statement
September 18, 2003: Updated Red Hat, Inc. links in vendor statement
September 18, 2003: Added IBM vendor statement
September 18, 2003: Added F-Secure vendor statement
September 18, 2003: Added OpenWall GNU/*/Linux vendor statement
September 22, 2003: Added Juniper Networks vendor statement
September 22, 2003: Added Mirapoint vendor statement
September 23, 2003: Added Secure Computing Corp. vendor statement
September 23, 2003: Added AppGate Network Security AB vendor statement
October 01, 2003: Added Apple Computers vendor statement
October 01, 2003: Added Pragma Systems vendor statement
October 01, 2003: Updated IBM vendor statement
October 01, 2003: Added Riverstone vendor statement
January 16, 2007: Updated Sun vendor statement
August 12, 2008: Updated Network Appliance vendor statement