-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:               Juniper Networks NetScreen Advisory 59739
Date:                2 September 2004
Version:             2
Impact:              Malicious ssh server may overwrite arbitrary files on the
                     IDP filesystem.
Affected Products:   All Juniper Networks NetScreen IDP up to and including 3.0r2
Unaffected Products: All other Juniper Networks products
Max Risk:            Low

Summary:

A directory-traversal vulnerability in the OpenSSH scp client allows a
remote malicious server to overwrite arbitrary files on the IDP.

Details:

Scp is part of the OpenSSH package. It is a file transfer utility that runs
over the SSH protocol and can copy files in both directions, to and from an
ssh server.

A malicious ssh server can exploit a vulnerability in the scp client shipped
on the affected IDP versions. When a user on the IDP runs scp to retrieve
files from an untrusted server, the server chooses the file names it sends
back. By sending names that contain directory-traversal components, the
malicious server can make the scp client on the IDP write outside the
intended destination directory and overwrite sensitive files.

To be at risk, a number of conditions have to be met:

a. The user running scp on the IDP must have write access to the file that
   the malicious server overwrites.
b. The user must run scp from the IDP and copy a file from the server.
   Pushing files to the IDP from another host does not trigger the
   vulnerability.
c. The connection to the malicious ssh server has to be initiated from the
   IDP.
d. Verifying the ssh server's host key fingerprint will reveal an attempt to
   spoof a legitimate ssh server.

We are currently not aware of any active exploit code for this vulnerability.

Recommended Actions:

Customers have a number of choices to mitigate the attack:

Option 1: Upgrade the IDP with the latest OpenSSH rpm packages.

   Package                                   MD5 Hash
   openssh-3.1p1-14.idp.2.i386.rpm           d2165c9ade41573a17ccf4c718981a3e
   openssh-client-3.1p1-14.idp.2.i386.rpm    36c02ddb5267ac17aff907e906bbeffe
   openssh-server-3.1p1-14.idp.2.i386.rpm    f20f558aa7c9aa20fea6cdeccbc11c5f

   a. Copy the RPM packages to the /tmp directory on the IDP appliance and
      verify that their MD5 hashes match the values listed above.
   b. Log in to the IDP as the root user using the serial interface, or
      directly on the appliance (keyboard/monitor).
   c. Upgrade the RPM packages by typing the following as the root user:

      # rpm -Uvh --force /tmp/openssh*3.1p1-14.idp.2.i386.rpm

Option 2: Do not use the scp command on the IDP. Use an scp client on a
   remote host to push files to the IDP instead.

Option 3: Do not use the scp command to connect to an untrusted ssh server.

Option 4: Use sftp instead of scp to download files.

Patch Availability:

Juniper Networks currently has updated OpenSSH packages available for
immediate download.

How to get Juniper Networks NetScreen IDP packages:

Customers with a valid product warranty or a support contract may download
the software from the Juniper Networks CSC web portal:

   http://www.juniper.net/support/

For all other customers, including those with expired support contracts,
please call your regional Juniper Networks TAC (JTAC) center. To get a
listing of JTAC phone numbers, please sign up for a CSC account at:

   http://www.juniper.net/entitlement/setupAccountInfo.do

Select option 2 from the telephone menu and be sure to select the correct
product from the phone tree. Once connected with an engineer, state that you
are calling in regards to a Security Advisory and provide the title of this
notice as evidence of your entitlement to the specified release.

Please note that customers with expired support contracts will be provided
only with the software update for the version of software that they are
currently using, when that version becomes available.

As with any new software installation, Juniper Networks customers planning
to upgrade to any new software release should carefully read the release
notes and other relevant documentation before beginning the upgrade.

If you wish to verify the validity of this Security Advisory, the public PGP
key can be accessed at:

   http://www.juniper.net/support/security/

Changes in Version 2:

- Corrected typo in rpm package names
- Corrected typo in rpm update command

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQUcu9FtgcOkI6l0XEQLVCACeLJCn+ahOc+0deb0xMq3uhPpeNdYAoJLA
rD25r3MHMbP4U8nujv3Vy47X
=wyDc
-----END PGP SIGNATURE-----
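The attack described under Details, as an added example that is not part of this advisory and not code from OpenSSH or Juniper. The record framing ("C<mode> <size> <name>" for a file followed by the data and a NUL, "D<mode> 0 <name>" to enter a directory, "E" to leave it) is the scp wire protocol; the two server streams are constructed for the example, and the vulnerable and hardened sink functions illustrate the class of bug from the advisory's description rather than reproducing the shipped code or the patched package. Paths are only computed, never written.

```python
"""scp sink-side file name handling: trusting the server vs. validating it.

Added example. The server streams below are constructed, not captured traffic,
and the sink functions are illustrations written from the advisory text.
"""
import io
import posixpath

# What a client that asked for "report.txt" expects: one file record.
BENIGN_STREAM = b"C0644 5 report.txt\nhello\x00"

# The same server, now malicious: the expected file, then a record whose
# name carries "../" components, then a directory record named ".." that
# moves a recursive sink above its target directory before the next file.
MALICIOUS_STREAM = (
    b"C0644 5 report.txt\nhello\x00"
    b"C0644 9 ../../../etc/crontab\nevil-job\n\x00"
    b"D0755 0 ..\n"
    b"C0600 3 .bashrc\nrm \x00"
    b"E\n"
)


def parse_records(stream):
    """Yield (kind, mode, name, payload) records from a raw scp source stream.

    'C<mode> <size> <name>\\n' introduces a file and is followed by <size>
    bytes of data and a NUL; 'D<mode> 0 <name>\\n' enters a directory;
    'E\\n' leaves it. The name field is taken verbatim from the server.
    """
    buf = io.BytesIO(stream)
    while True:
        header = buf.readline()
        if not header:
            return
        kind = chr(header[0])
        if kind == "E":
            yield ("E", None, None, b"")
            continue
        mode, size, name = header[1:-1].decode("utf-8", "replace").split(" ", 2)
        payload = b""
        if kind == "C":
            payload = buf.read(int(size))
            buf.read(1)  # the NUL the source sends after the file data
        yield (kind, mode, name, payload)


def sink_vulnerable(stream, target_dir):
    """Join the server's names under target_dir as given.

    Returns {absolute path: data} for every file the sink would write, so the
    effect of the traversal is visible without touching the filesystem.
    """
    writes = {}
    stack = [target_dir]
    for kind, _mode, name, payload in parse_records(stream):
        if kind == "C":
            writes[posixpath.normpath(posixpath.join(stack[-1], name))] = payload
        elif kind == "D":
            stack.append(posixpath.normpath(posixpath.join(stack[-1], name)))
        elif kind == "E" and len(stack) > 1:
            stack.pop()
    return writes


def safe_name(name):
    """True only for a single path component that cannot leave the directory."""
    return name not in ("", ".", "..") and "/" not in name


def sink_hardened(stream, target_dir):
    """Refuse the transfer as soon as a record name is not a plain file name."""
    writes = {}
    stack = [target_dir]
    for kind, _mode, name, payload in parse_records(stream):
        if kind in ("C", "D") and not safe_name(name):
            raise ValueError(f"unexpected filename from server: {name!r}")
        if kind == "C":
            writes[posixpath.join(stack[-1], name)] = payload
        elif kind == "D":
            stack.append(posixpath.join(stack[-1], name))
        elif kind == "E" and len(stack) > 1:
            stack.pop()
    return writes


if __name__ == "__main__":
    # Assumed destination: the IDP user asked to copy into /home/admin/dl.
    for path, data in sink_vulnerable(MALICIOUS_STREAM, "/home/admin/dl").items():
        print(f"vulnerable sink would write {path}: {data!r}")
    try:
        sink_hardened(MALICIOUS_STREAM, "/home/admin/dl")
    except ValueError as err:
        print("hardened sink refused:", err)
```

Running it shows the vulnerable sink placing data at /etc/crontab and /home/admin/.bashrc even though the user asked for a copy into /home/admin/dl; the hardened sink stops at the first bad record. Condition a of the advisory is what decides whether those writes succeed on a real system.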
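The Option 1 procedure, as an added example that is not Juniper's tooling: the packages copied to /tmp are checked against the MD5 sums printed in the advisory and the rpm command from step c is only run when all three verify. The package directory default, the dry-run switch and the function names are assumptions of this script; the package names, hashes and rpm flags are the advisory's.

```python
"""Verify the Option 1 packages against the advisory's MD5 sums, then upgrade.

Added example, not Juniper's code. Fails closed: rpm is never invoked if a
package is missing or its digest differs from the advisory.
"""
import hashlib
import os
import subprocess

# Package names and MD5 sums exactly as listed under Option 1.
EXPECTED_MD5 = {
    "openssh-3.1p1-14.idp.2.i386.rpm": "d2165c9ade41573a17ccf4c718981a3e",
    "openssh-client-3.1p1-14.idp.2.i386.rpm": "36c02ddb5267ac17aff907e906bbeffe",
    "openssh-server-3.1p1-14.idp.2.i386.rpm": "f20f558aa7c9aa20fea6cdeccbc11c5f",
}


def md5_hex(data):
    """MD5 of a byte string as lowercase hex, the form the advisory prints."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so an RPM is not loaded into memory whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_digests(actual, expected=EXPECTED_MD5):
    """Return {package: reason} for each expected package that is absent from
    `actual` or whose digest differs. An empty dict means everything verified.
    Case is normalised so a hand-copied uppercase hash still compares equal."""
    problems = {}
    for name, want in expected.items():
        got = actual.get(name)
        if got is None:
            problems[name] = "missing"
        elif got.lower() != want.lower():
            problems[name] = f"md5 mismatch: got {got}, expected {want}"
    return problems


def check_directory(directory, expected=EXPECTED_MD5):
    """Digest whichever expected packages exist in `directory`, then compare."""
    actual = {}
    for name in expected:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            actual[name] = md5_of_file(path)
    return compare_digests(actual, expected)


def upgrade(directory="/tmp", expected=EXPECTED_MD5, dry_run=False):
    """Run step c of Option 1 only if every package verified; else raise."""
    problems = check_directory(directory, expected)
    if problems:
        raise RuntimeError("refusing to upgrade: "
                           + "; ".join(f"{n}: {r}" for n, r in problems.items()))
    cmd = ["rpm", "-Uvh", "--force"] + [os.path.join(directory, n) for n in expected]
    if not dry_run:
        subprocess.run(cmd, check=True)  # must be run as root on the IDP
    return cmd


if __name__ == "__main__":
    try:
        print(" ".join(upgrade(dry_run=True)))
    except RuntimeError as err:
        print(err)
```

Run with dry_run=True first to see the exact rpm command line, and note that verification only proves the files match the advisory's list; it is the PGP signature on the advisory itself that ties those hashes to Juniper.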