A complete revision history can be found at the end of this file.
There is a remotely exploitable vulnerability in a general buffer management function in versions of OpenSSH prior to 3.7.1. This may allow a remote attacker to corrupt heap memory which could cause a denial-of-service condition. It may also be possible for an attacker to execute arbitrary code.
SARA Note: If OpenSSH is patched rather than upgraded, SARA may generate a false positive. If you cannot confirm that the OpenSSH patch has been applied, by your organization or vendor, we recommend that OpenSSH be upgraded to 3.7.1 or later.
We are updating this advisory to inform users that Version 3.7.1 of OpenSSH has been released to patch a similar vulnerability in the buffer management code.
There are two errors in the buffer management code of OpenSSH. These vulnerabilities affect versions prior to 3.7.1. Version 3.7 is affected by one of these errors. The errors occur when a buffer is allocated for a large packet. When the buffer is cleared, an improperly sized chunk of memory is filled with zeros. This leads to heap corruption, which could cause a denial-of-service condition. These vulnerabilities may also allow an attacker to execute arbitrary code.
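The failure mode described above, where a buffer's size accounting is updated before the allocation is validated and a later clear then zero-fills the larger, unallocated size, is shown below as an added illustration. This is not OpenSSH's buffer.c; the struct, the constants BUF_LIMIT and BUF_GROW and the function names are assumptions chosen for the example, and the overrun is computed rather than performed so the program does not corrupt its own heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LIMIT 0xa00000U   /* hard ceiling on buffer size (assumed value) */
#define BUF_GROW  32768U      /* slack added on every growth (assumed value) */

struct sbuf {
    unsigned char *buf;
    size_t alloc;   /* bookkeeping: bytes the buffer believes it owns */
    size_t end;     /* bytes in use */
    size_t real;    /* test-only: bytes actually obtained from the allocator */
};

/* Vulnerable pattern: the size field is bumped before the new size is checked
 * against the ceiling or handed to the allocator. Either failure leaves
 * alloc > real, and a fatal-error path that then wipes alloc bytes
 * (memset(buf, 0, alloc)) zero-fills past the real allocation. */
static int grow_unsafe(struct sbuf *b, size_t need)
{
    b->alloc += need + BUF_GROW;                  /* bookkeeping first ... */
    if (b->alloc > BUF_LIMIT) return -1;          /* ... validated second  */
    unsigned char *p = realloc(b->buf, b->alloc);
    if (p == NULL) return -1;                     /* same problem here */
    b->buf = p;
    b->real = b->alloc;
    return 0;
}

/* Hardened pattern: bound the request so the sum cannot wrap or exceed the
 * ceiling, allocate into a local, and only then commit the size field.
 * On any failure the struct still describes memory that really exists. */
static int grow_safe(struct sbuf *b, size_t need)
{
    if (need > BUF_LIMIT - BUF_GROW ||
        b->alloc > BUF_LIMIT - BUF_GROW - need)
        return -1;
    size_t newlen = b->alloc + need + BUF_GROW;
    unsigned char *p = realloc(b->buf, newlen);
    if (p == NULL) return -1;
    b->buf = p;
    b->alloc = newlen;
    b->real = newlen;
    return 0;
}

/* How many bytes a cleanup memset(buf, 0, alloc) would write beyond what
 * was really allocated. */
size_t overrun_bytes(const struct sbuf *b)
{
    return b->alloc > b->real ? b->alloc - b->real : 0;
}

/* Start from a 4 KiB buffer and request more than the ceiling allows, the
 * way an oversized packet would. Returns the overrun a cleanup on the
 * failure path would cause: non-zero for the unsafe pattern, 0 for the safe one. */
size_t demo(int use_safe)
{
    struct sbuf b = { malloc(4096), 4096, 0, 4096 };
    if (b.buf == NULL) return 0;
    int rc = use_safe ? grow_safe(&b, BUF_LIMIT) : grow_unsafe(&b, BUF_LIMIT);
    size_t over = (rc < 0) ? overrun_bytes(&b) : 0;
    free(b.buf);
    return over;
}

int main(void)
{
    printf("unsafe growth: cleanup would zero %zu bytes past the allocation\n", demo(0));
    printf("safe growth:   cleanup would zero %zu bytes past the allocation\n", demo(1));
    return 0;
}
```

The point of the hardened form is ordering: nothing in the struct changes until the allocation has succeeded, so whatever cleanup a fatal path runs only ever touches memory that exists.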
The OpenSSH advisory has been updated to include a patch for version 3.7 as well as 3.6.1 and prior.
http://www.openssh.com/txt/buffer.adv
Other systems that use or derive code from OpenSSH may be affected. This includes network equipment and embedded systems. We have monitored incident reports that may be related to this vulnerability.
Vulnerability Note VU#333628 lists the vendors we contacted about these vulnerabilities. The vulnerability note is available from
http://www.kb.cert.org/vuls/id/333628
This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) number:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
While the full impact of these issues is unclear, the most likely result is heap corruption, which could lead to a denial of service.
If it is possible for an attacker to execute arbitrary code, they may be able to do so with the privileges of the user running the sshd process, typically root. This impact may be limited on systems using the privilege separation (privsep) feature available in OpenSSH.
This vulnerability is resolved in OpenSSH version 3.7.1, which is available from the OpenSSH web site at
http://www.openssh.com/
Patches for these issues are included in the OpenSSH advisory at
http://www.openssh.com/txt/buffer.adv
These patches may be applied manually to correct this vulnerability in affected versions of OpenSSH. If your vendor has provided a patch or upgrade, you may want to apply it rather than using the patch from OpenSSH. Find information about vendor patches in Appendix A. We will update this document as vendors provide additional information.
System administrators running OpenSSH versions 3.2 or higher may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. Typically, this is accomplished by creating a privsep user, setting up a restricted (chroot) environment, and adding the following line to /etc/ssh/sshd_config:
UsePrivilegeSeparation yes
This workaround does not prevent this vulnerability from being exploited; however, because of the privilege separation mechanism, the intruder may be confined to a chroot environment with restricted privileges. This workaround will not prevent this vulnerability from creating a denial-of-service condition. Not all operating system vendors have implemented the privilege separation code, and on some operating systems it may limit the functionality of OpenSSH. System administrators are encouraged to carefully review the implications of using the workaround in their environment and use a more comprehensive solution if one is available. The use of privilege separation to limit the impact of future vulnerabilities is encouraged.
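A check that a practitioner would want to run against the two points above (is the daemon older than 3.7.1, and is UsePrivilegeSeparation set) is given below as an added example; it is not part of this advisory or of OpenSSH. It assumes the banner format "SSH-x.y-OpenSSH_a.b.cpN" and reads sshd_config text the way sshd does (keywords case-insensitive, first occurrence wins). The banner result is only a lead: vendors that backport the fix, as several in Appendix A did, keep the old version string, which is exactly the false positive the SARA note above warns about.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Pull "OpenSSH_a.b.c" out of an SSH identification banner such as
 * "SSH-1.99-OpenSSH_3.6.1p2". A missing third component ("3.4p1") is 0.
 * Returns 0 on success, -1 if the banner does not name OpenSSH. */
int parse_openssh_banner(const char *banner, unsigned *maj, unsigned *min, unsigned *pat)
{
    const char *p = strstr(banner, "OpenSSH_");
    if (p == NULL) return -1;
    p += strlen("OpenSSH_");
    *maj = *min = *pat = 0;
    if (sscanf(p, "%u.%u.%u", maj, min, pat) < 2) return -1;
    return 0;
}

/* 1 if the advertised version is older than 3.7.1 (the fixed release named in
 * the advisory), 0 if it is 3.7.1 or newer, -1 if the banner is not OpenSSH.
 * A 1 is a lead, not a confirmation: backported fixes keep the old banner. */
int banner_predates_fix(const char *banner)
{
    unsigned a, b, c;
    if (parse_openssh_banner(banner, &a, &b, &c) < 0) return -1;
    unsigned long v = a * 10000UL + b * 100UL + c;
    return v < 30701UL ? 1 : 0;
}

/* Look up UsePrivilegeSeparation in sshd_config text. Returns 1 for yes,
 * 0 for no, -1 if the option is not set (the build's default then applies,
 * which varies by vendor). Comment lines are skipped. */
int privsep_setting(const char *config)
{
    static const char kw[] = "UsePrivilegeSeparation";
    const size_t kl = sizeof(kw) - 1;
    const char *line = config;

    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        const char *s = line;
        while (s < end && isspace((unsigned char)*s)) s++;
        if (s < end && *s != '#' &&
            (size_t)(end - s) > kl && strncasecmp(s, kw, kl) == 0 &&
            isspace((unsigned char)s[kl])) {
            const char *v = s + kl;
            while (v < end && isspace((unsigned char)*v)) v++;
            if (v < end)
                return strncasecmp(v, "yes", 3) == 0 ? 1 : 0;
        }
        if (nl == NULL) break;
        line = nl + 1;
    }
    return -1;
}

/* Constructed sample inputs for a stand-alone run (not captured banners). */
int main(void)
{
    const char *banners[] = {
        "SSH-1.99-OpenSSH_3.6.1p2",
        "SSH-2.0-OpenSSH_3.7.1p1",
        "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1",
    };
    const char *cfg = "# sshd_config (constructed)\nPort 22\nUsePrivilegeSeparation yes\n";
    for (size_t i = 0; i < 3; i++)
        printf("%-45s predates 3.7.1: %d\n", banners[i], banner_predates_fix(banners[i]));
    printf("UsePrivilegeSeparation: %d\n", privsep_setting(cfg));
    return 0;
}
```

Treat a banner older than 3.7.1 as "verify with the vendor" rather than "vulnerable", and treat a -1 from privsep_setting as "look up the default for this build" rather than "off".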
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in the revision history. Additional vendors who have not provided direct statements, but who have made public statements or informed us of their status are listed in VU#333628. If a vendor is not listed below or in VU#333628, we have not received their comments.
Our software shares no codebase with the OpenSSH implementation, therefore we believe that, in our products, this problem does not exist.
Cisco has some products which are vulnerable to this issue. Cisco's response is now published at http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml
Cray Inc. supports OpenSSH through its Cray Open Software (COS) package. Cray is vulnerable to this buffer management error and is in the process of compiling OpenSSH 3.7. The new version will be made available in the next COS release.
Debian has issued DSA 382 and DSA 383 for these issues.
http://www.debian.org/security/2003/dsa-382
http://www.debian.org/security/2003/dsa-383
This vulnerability does not affect any version of F-Secure SSH software that utilizes ssh protocol version 2. The non-affected versions have been available since 1998.
This vulnerability only affects the following F-Secure SSH server versions: F-Secure SSH for Unix versions 1.3.14 and earlier.
More information is available from
http://www.f-secure.com/support/technical/ssh/ssh1_openssh_buffer_management.shtml
The AIX Security Team is aware of the issues discussed in CERT Vulnerability Note VU#333628 and CERT Advisory CA-2003-24.
OpenSSH is available for AIX via the AIX Toolbox for Linux or the Bonus Pack.
OpenSSH 3.4p1, revision 9 contains fixes for this issue for the AIX Toolbox for Linux. For more information about the AIX Toolbox for Linux or to download OpenSSH 3.4p1 revision 9, please see:
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
Please note that AIX Toolbox for Linux is available "as-is" and is unwarranted.
Fixes for OpenSSH for the Bonus Pack will be available shortly.
For more information about OpenSSH for the Bonus Pack, please see:
http://oss.software.ibm.com/developerworks/projects/opensshi
Juniper Networks has identified this vulnerability in all shipping versions of JUNOS and coded a software fix. The fix will be included in all releases of JUNOS Internet software built on or after September 17. Customers with current support contracts should contact JTAC to obtain the fix for this vulnerability.
JUNOSe and SDX are not vulnerable to this issue.
Contract customers can review the details at:
https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2003-09-007&actionBtn=Search
Mandrake Linux is affected and MDKSA-2003:090 will be released today with patched versions of OpenSSH to resolve this issue.
Mirapoint released a patch (D3_SSH_CA_2003_24) last night to fix the first reported vulnerability and will release D3_SSH_CA_2003_24_1 to cover the second.
The NetBSD Security Advisory on the OpenSSH buffer management issue is available here: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.txt.asc
This vulnerability applies to SecureAdmin 3.0 on filer, and SecureAdmin for NetCache releases 5.5 and above. For a workaround or a new release with a fix for this problem, please visit NOW or contact NetApp support.
The OpenSSH package in Openwall GNU/*/Linux did contain the buffer / memory management errors. As of 2003/09/17, we have included the fixes from OpenSSH 3.7.1 as well as 4 additional fixes to other such real or potential errors based on an exhaustive review of the OpenSSH source code for uses of *realloc() functions. At this time, it is uncertain whether and which of these bugs are exploitable. If exploits are possible, due to privilege separation, the worst direct impact should be limited to arbitrary code execution under the sshd pseudo-user account restricted within the chroot jail /var/empty, or under the logged in user account.
PuTTY is not based on the OpenSSH code base, so it should not be vulnerable to any OpenSSH-specific attacks.
Red Hat Linux and Red Hat Enterprise Linux ship with an OpenSSL package vulnerable to these issues. Updated OpenSSL packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.
Red Hat Linux:
http://rhn.redhat.com/errata/RHSA-2003-279.html
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2003-280.html
SSH Secure Shell products do not contain the buffer management error. SSH Communications Security products have different code base than OpenSSH.
Sun Microsystems confirms that the Solaris 9 version of Secure Shell daemon (sshd) is affected by VU#333628. We are currently working on a solution. A Sun Alert will be released soon that will allow customers to track our progress on this issue. Sun Alerts are available from http://sunsolve.sun.com/pub-cgi/search.pl?mode=results&origin=advanced&range=20&so=date&coll=fsalert&zone_32=category:security
The CERT/CC thanks Markus Friedl of the OpenSSH project for his technical assistance in producing this advisory.
Authors: Jason A. Rafail and Art Manion
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
CERT publications and other security information are available from our web site
To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.
Copyright 2003 Carnegie Mellon University.
Revision History
September 16, 2003: Initial release
September 17, 2003: Updated with new information regarding 3.7.1 release
September 17, 2003: Added SSH Communications Security vendor statement
September 17, 2003: Added Red Hat, Inc. vendor statement
September 17, 2003: Added Sun Microsystems vendor statement
September 17, 2003: Added NetBSD vendor statement
September 17, 2003: Added Network Appliance vendor statement
September 18, 2003: Added Cisco vendor statement
September 18, 2003: Updated Red Hat, Inc. links in vendor statement
September 18, 2003: Added IBM vendor statement
September 18, 2003: Added F-Secure vendor statement
September 18, 2003: Added OpenWall GNU/*/Linux vendor statement
September 22, 2003: Added Juniper Networks vendor statement
September 22, 2003: Added Mirapoint vendor statement