• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: OpenSSH Challenge-Response Buffer Overflow Vulnerabilities

Severity: CRITICAL

Description:

The OpenSSH team has reported two vulnerabilities in OpenSSH that are remotely exploitable and may allow for unauthenticated attackers to obtain root privileges.

The conditions are related to the OpenSSH SSH2 challenge-response mechanism. They occur when the OpenSSH server is configured at compile time to support BSD_AUTH or SKEY. OpenBSD 3.0 and later ship with OpenSSH built to support BSD_AUTH. Systems are vulnerable when either of the following configuration options are enabled:

PAMAuthenticationViaKbdInt
ChallengeResponseAuthentication

Attackers can exploit the vulnerabilities by crafting a malicious response. Since this occurs before the authentication process completes, remote attackers without valid credentials may exploit this. Successful exploits may result in the execution of shellcode or a denial of service.

OpenSSH 3.4 addresses the problem. Upgrading to this version will eliminate the vulnerabilities. Administrators who cannot install OpenSSH 3.4 should upgrade to version 3.3 and enable the privilege-separation feature.

To enable privilege separation:

1. Modify the 'sshd' configuration file, which is found at the following location (but note that on many systems, configuration may differ):

/etc/ssh/sshd_config

2. Set the configuration option 'UsePrivilegeSeparation' to 'Yes':

UsePrivilegeSeparation yes

3. Save the file.

4. Restart the service completely.

Administrators of systems using versions prior to OpenSSH 3.3 are urged to upgrade immediately and follow the instructions listed above. If privilege separation does not work or if the version of OpenSSH cannot be upgraded, the following workaround is prescribed:

disable ChallengeResponseAuthentication in sshd_config.

and

disable PAMAuthenticationViaKbdInt in sshd_config.


Proof-of-concept code has been made public. See the reference titled 'Compromised OpenBSD 3.0 with SSH *GOBBLE*'. Users are advised to upgrade immediately.

**UPDATE: One of these issues is trivially exploitable and is still present in OpenSSH 3.5p1 and 3.4p1. Although these reports have not been confirmed, administrators are advised to implement the OpenSSH privilege-separation feature as a workaround. BSD administrators are also advised to upgrade to the newest kernel versions because recently patched vulnerabilities may allow root compromise despite the use of the privilege-separation feature.

Affected Products:

• Apple Mac OS X 10.0.0
• Apple Mac OS X 10.0.1
• Apple Mac OS X 10.0.2
• Apple Mac OS X 10.0.3
• Apple Mac OS X 10.0.4
• Apple Mac OS X 10.1.0
• Apple Mac OS X 10.1.0
• Apple Mac OS X 10.1.1
• Apple Mac OS X 10.1.2
• Apple Mac OS X 10.1.3
• Apple Mac OS X 10.1.4
• Apple Mac OS X 10.1.5
• Blue Coat Systems Security Gateway OS 2.1.5001 SP1
• Caldera OpenLinux Server 3.1.0
• Caldera OpenLinux Server 3.1.1
• Caldera OpenLinux Workstation 3.1.0
• Caldera OpenLinux Workstation 3.1.1
• Conectiva Linux 5.1.0
• Conectiva Linux 6.0.0
• Conectiva Linux 7.0.0
• Conectiva Linux 8.0.0
• EnGarde Secure Linux 1.0.1
• FreeBSD FreeBSD 4.4.0 -RELENG
• FreeBSD FreeBSD 4.5.0
• FreeBSD FreeBSD 4.5.0 -RELEASE
• FreeBSD FreeBSD 4.5.0 -STABLEpre2002-03-07
• FreeBSD FreeBSD 4.6.0
• FreeBSD FreeBSD 4.6.0 -RELEASE
• Guardian Digital Engarde Secure Linux 1.0.1
• HP HP-UX 11.0.0
• HP HP-UX 11.11.0
• HP HP-UX Secure Shell A.03.10
• HP Secure OS software for Linux 1.0.0
• HP VirtualVault 4.6.0
• IBM Linux Affinity Toolkit 0.0.0
• Immunix Immunix OS 7.0.0
• Juniper Networks NetScreen-IDP 10 3.0.0
• Juniper Networks NetScreen-IDP 10 3.0.0 r1
• Juniper Networks NetScreen-IDP 10 3.0.0 r2
• Juniper Networks NetScreen-IDP 100 3.0.0
• Juniper Networks NetScreen-IDP 100 3.0.0 r1
• Juniper Networks NetScreen-IDP 100 3.0.0 r2
• Juniper Networks NetScreen-IDP 1000 3.0.0
• Juniper Networks NetScreen-IDP 1000 3.0.0 r1
• Juniper Networks NetScreen-IDP 1000 3.0.0 r2
• Juniper Networks NetScreen-IDP 500 3.0.0
• Juniper Networks NetScreen-IDP 500 3.0.0 r1
• Juniper Networks NetScreen-IDP 500 3.0.0 r2
• MandrakeSoft Corporate Server 1.0.1
• MandrakeSoft Linux Mandrake 7.1.0
• MandrakeSoft Linux Mandrake 7.2.0
• MandrakeSoft Linux Mandrake 8.0.0
• MandrakeSoft Linux Mandrake 8.0.0 ppc
• MandrakeSoft Linux Mandrake 8.1.0
• MandrakeSoft Single Network Firewall 7.2.0
• NetBSD NetBSD 1.5.0
• NetBSD NetBSD 1.5.1
• NetBSD NetBSD 1.5.2
• OpenBSD OpenBSD 3.0
• OpenBSD OpenBSD 3.1
• OpenPKG OpenPKG 1.0.0
• OpenSSH OpenSSH 1.2.2
• OpenSSH OpenSSH 1.2.3
• OpenSSH OpenSSH 2.1.0
• OpenSSH OpenSSH 2.1.1
• OpenSSH OpenSSH 2.2.0
• OpenSSH OpenSSH 2.3.0
• OpenSSH OpenSSH 2.5.0
• OpenSSH OpenSSH 2.5.1
• OpenSSH OpenSSH 2.5.2
• OpenSSH OpenSSH 2.9.0
• OpenSSH OpenSSH 2.9.0p1
• OpenSSH OpenSSH 2.9.0p2
• OpenSSH OpenSSH 2.9.9
• OpenSSH OpenSSH 3.0.0
• OpenSSH OpenSSH 3.0.0 p1
• OpenSSH OpenSSH 3.0.1
• OpenSSH OpenSSH 3.0.1 p1
• OpenSSH OpenSSH 3.0.2
• OpenSSH OpenSSH 3.0.2 p1
• OpenSSH OpenSSH 3.1.0
• OpenSSH OpenSSH 3.1.0 P1
• OpenSSH OpenSSH 3.2.0
• OpenSSH OpenSSH 3.2.2 p1
• OpenSSH OpenSSH 3.2.3 p1
• OpenSSH OpenSSH 3.3.0
• OpenSSH OpenSSH 3.3.0 p1
• Openwall Openwall GNU/*/Linux (Owl)-current
• Openwall Openwall GNU/*/Linux 0.1.0 -stable
• RedHat Enterprise Linux AS 2.1
• RedHat Enterprise Linux AS 2.1 IA64
• RedHat Enterprise Linux ES 2.1
• RedHat Enterprise Linux ES 2.1 IA64
• RedHat Enterprise Linux WS 2.1
• RedHat Enterprise Linux WS 2.1 IA64
• RedHat Linux 7.0.0
• RedHat Linux 7.1.0
• RedHat Linux 7.2.0
• RedHat Linux 7.3.0
• RedHat Linux for iSeries 7.1.0
• RedHat Linux for pSeries 7.1.0
• S.u.S.E. Linux 7.0.0 alpha
• S.u.S.E. Linux 7.0.0 i386
• S.u.S.E. Linux 7.0.0 ppc
• S.u.S.E. Linux 7.0.0 sparc
• S.u.S.E. Linux 7.1.0
• S.u.S.E. Linux 7.2.0
• S.u.S.E. Linux 7.3.0
• S.u.S.E. Linux 7.3.0 i386
• S.u.S.E. Linux 7.3.0 ppc
• S.u.S.E. Linux 7.3.0 sparc
• S.u.S.E. Linux 8.0.0
• S.u.S.E. Linux Database Server
• S.u.S.E. Linux Enterprise Server 7
• S.u.S.E. Linux Firewall on CD
• S.u.S.E. Linux Live-CD for Firewall 0.0.0
• S.u.S.E. SuSE eMail Server III
• Slackware Linux 8.1.0
• Sun Cobalt RaQ 550
• Sun Linux 5.0.7
• Sun Solaris 9
• Trustix Secure Linux 1.1.0
• Trustix Secure Linux 1.2.0
• Trustix Secure Linux 1.5.0

References:

• Apple: Security Updates
• CORE Security: OpenSSH authentication exploit (SKey-bsdauth)
• Honeynet.ch: Compromised OpenBSD 3.0 with SSH *GOBBLE*
• Markus Friedl <markus@openbsd.org>: Re: Upcoming OpenSSH vulnerability
• OpenSSH: OpenSSH Security Advisory (adv.iss)
• RedHat: RHSA-2002:127-25
• Sun: OpenSSH-2.9p2-12C4 May Allow root Exploit in Sun Cobalt RaQ 550
• Sun: Sun Alert ID: 45508
• Sun: Sun Alert ID: 45508
• Sun: Sun Alert ID: 45525
• Sun Microsystems: Sun Alert ID: 45508

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.