J-Security Center

Latest Attack Object Updates
  • IDP Daily Update #1545
    posted: 11/19/09
  • NSM Daily Update #1545
    posted: 11/19/09
  • Deep Inspection 5.3r5 and above, 5.4, 6.0 #1545
    posted: 11/19/09
  • Deep Inspection 5.1 and 5.2 #1435
    posted: 11/19/09
  • Deep Inspection 5.0, 5.3r4 and below #1132
    posted: 03/28/08 (04/01/08 for 5.0)
  • Antivirus
    posted: 11/19/09

Title: OpenSSH Channel Code Off-By-One Vulnerability

Severity: CRITICAL

Description:

OpenSSH is a suite implementing the SSH protocol. It includes client and server software, and supports ssh and sftp. It was initially developed for BSD, but is also widely used for Linux, Solaris, and other UNIX-like operating systems.

A vulnerability has been announced in some versions of OpenSSH. An off-by-one error occurs in the channel code. A malicious client may exploit this vulnerability by connecting to a vulnerable server. Valid credentials are believed to be required, since the exploitable condition reportedly occurs after successful authentication. An examination of the code suggests this, but it has not been confirmed by the maintainer.

Administrators should assume that this can be exploited without authentication and should patch vulnerable versions immediately.

Exploiting this issue may allow attackers to execute arbitrary instructions.

If a client program is exploited, the code will run with the privileges of the client process (typically those of the user invoking it). This may provide local access for the attacker in control of the malicious server. If the server process is subverted, code will run as the root user. Because valid credentials are believed to be required, this may allow for an escalation of privileges.

**UPDATE**: a proof-of-concept exploit has been developed and is possibly being used in the wild.

Affected Products:

  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Server 3.1.1
  • Caldera OpenLinux Workstation 3.1.0
  • Caldera OpenLinux Workstation 3.1.1
  • Conectiva Linux 5.1.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux 7.0.0
  • Conectiva Linux 8.0.0
  • EnGarde Secure Linux 1.0.1
  • FreeBSD FreeBSD 4.4.0 -RELENG
  • FreeBSD FreeBSD 4.5.0
  • FreeBSD FreeBSD 4.5.0 -RELEASE
  • FreeBSD FreeBSD 4.5.0 -STABLEpre2002-03-07
  • FreeBSD FreeBSD 4.6.0
  • FreeBSD FreeBSD 4.6.0 -RELEASE
  • Guardian Digital Engarde Secure Linux 1.0.1
  • HP Secure OS software for Linux 1.0.0
  • HP VirtualVault 4.6.0
  • Immunix Immunix OS 7.0.0
  • MandrakeSoft Corporate Server 1.0.1
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Single Network Firewall 7.2.0
  • NetBSD NetBSD 1.5.0
  • NetBSD NetBSD 1.5.1
  • NetBSD NetBSD 1.5.2
  • OpenBSD OpenBSD 2.8.0
  • OpenPKG OpenPKG 1.0.0
  • OpenSSH OpenSSH 2.1.0
  • OpenSSH OpenSSH 2.1.1
  • OpenSSH OpenSSH 2.2.0
  • OpenSSH OpenSSH 2.3.0
  • OpenSSH OpenSSH 2.5.0
  • OpenSSH OpenSSH 2.5.1
  • OpenSSH OpenSSH 2.5.2
  • OpenSSH OpenSSH 2.9.0
  • OpenSSH OpenSSH 2.9.0p1
  • OpenSSH OpenSSH 2.9.0p2
  • OpenSSH OpenSSH 2.9.9
  • OpenSSH OpenSSH 3.0.1
  • OpenSSH OpenSSH 3.0.2
  • OpenSSH OpenSSH 3.0.2 p1
  • Openwall Openwall GNU/*/Linux 0.1.0 -stable
  • RedHat Linux 7.0.0
  • RedHat Linux 7.1.0
  • RedHat Linux 7.2.0
  • S.u.S.E. Linux 7.0.0 alpha
  • S.u.S.E. Linux 7.0.0 i386
  • S.u.S.E. Linux 7.0.0 ppc
  • S.u.S.E. Linux 7.0.0 sparc
  • S.u.S.E. Linux 7.1.0
  • S.u.S.E. Linux 7.2.0
  • S.u.S.E. Linux 7.3.0
  • S.u.S.E. Linux 7.3.0 i386
  • S.u.S.E. Linux 7.3.0 ppc
  • S.u.S.E. Linux 7.3.0 sparc
  • S.u.S.E. Linux 8.0.0
  • S.u.S.E. Linux Database Server
  • S.u.S.E. Linux Enterprise Server 7
  • S.u.S.E. Linux Firewall on CD
  • S.u.S.E. Linux Live-CD for Firewall 0.0.0
  • S.u.S.E. SuSE eMail Server III
  • Sun Cobalt RaQ 550
  • Trustix Secure Linux 1.1.0
  • Trustix Secure Linux 1.2.0
  • Trustix Secure Linux 1.5.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.