Articles / Details about the OpenSSH v…

Details about the OpenSSH vulnerability disclosed

The ISS recently discovered a vulnerability within the "challenge-response" authentication mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2 protocol, verifies a user's identity by generating a challenge and forcing the user to supply a number of responses. It is possible for a remote attacker to send a specially-crafted reply that triggers an overflow. This can result in a remote denial of service attack on the OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs with superuser privilege, so remote attackers can gain superuser access by exploiting this vulnerability. OpenSSH supports the SKEY and BSD_AUTH authentication options. These are compile-time options. At least one of these options must be enabled before the OpenSSH binaries are compiled for the vulnerable condition to be present.
Internet Security Systems Security Advisory
June 26, 2002

OpenSSH Remote Challenge Vulnerability

Synopsis:

ISS X-Force has discovered a serious vulnerability in the default
installation of OpenSSH on the OpenBSD operating system. OpenSSH is a
free version of the SSH (Secure Shell) communications suite and is used
as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and
Ftp. OpenSSH employs end-to-end encryption (including all passwords) and
is resistant to network monitoring, eavesdropping, and connection
hijacking attacks. X-Force is aware of active exploit development for
this vulnerability.

Impact:

OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be
vulnerable to a remote, superuser compromise.

Affected Versions:

OpenBSD 3.0
OpenBSD 3.1
FreeBSD-Current
OpenSSH 3.0-3.2.3

OpenSSH version 3.3 implements "privilege separation" which mitigates
the risk of a superuser compromise. Prior to the release of this
advisory, ISS and OpenBSD encouraged all OpenSSH users to upgrade to
version 3.3. Versions of FreeBSD-Current built between March 18, 2002
and June 23, 2002 are vulnerable to remote superuser compromise.
Privilege separation was implemented in FreeBSD-Current on June 23,
2002.

Note: OpenSSH is included in many operating system distributions,
networking equipment, and security appliances. Refer to the following
address for information about vendors that implement OpenSSH:
http://www.openssh.com/users.html

Description:

A vulnerability exists within the "challenge-response" authentication
mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2
protocol, verifies a user's identity by generating a challenge and
forcing the user to supply a number of responses. It is possible for a
remote attacker to send a specially-crafted reply that triggers an
overflow. This can result in a remote denial of service attack on the
OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs
with superuser privilege, so remote attackers can gain superuser access
by exploiting this vulnerability.

OpenSSH supports the SKEY and BSD_AUTH authentication options. These are
compile-time options. At least one of these options must be enabled
before the OpenSSH binaries are compiled for the vulnerable condition to
be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled.
The SKEY and BSD_AUTH options are not enabled by default in many
distributions. However, if these options are explicitly enabled, that
build of OpenSSH may be vulnerable.

Recommendations:

Internet Scanner X-Press Update 6.13 includes a check, OpenSshRunning,
to detect potentially vulnerable installations of OpenSSH. XPU 6.13 is
available from the ISS Download Center at: http://www.iss.net/download.
For questions about downloading and installing this XPU, email
support@iss.net.

ISS X-Force recommends that system administrators disable unused OpenSSH
authentication mechanisms. Administrators can remove this vulnerability
by disabling the Challenge-Response authentication parameter within the
OpenSSH daemon configuration file. This filename and path is typically:
/etc/ssh/sshd_config. To disable this parameter, locate the
corresponding line and change it to the line below:

ChallengeResponseAuthentication no

The "sshd" process must be restarted for this change to take effect.
This workaround will permanently remove the vulnerability. X-Force
recommends that administrators upgrade to OpenSSH version 3.4
immediately. This version implements privilege separation, contains a
patch to block this vulnerability, and contains many additional pro-
active security fixes. Privilege separation was designed to limit
exposure to known and unknown vulnerabilities. Visit
http://www.openssh.com for more information.

Additional Information:

ISS X-Force and Black Hat consulting will host a presentation titled,
"Professional Source Code Auditing" at Black Hat Briefings USA 2002. The
presentation will explore advanced source code auditing techniques as
well as secure development best-practices. Please refer to
http://www.blackhat.com and
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd for
more information.

Credits:

The vulnerability described in this advisory was discovered and
researched by Mark Dowd of the ISS X-Force. ISS would like to thank Theo
de Raadt of the OpenBSD Project for his assistance with this advisory.



______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce@iss.net for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

Recent comments

28 Jun 2002 05:49 Avatar jdassen

Re: Curse the ISS

> And if anyone from the OpenSSH team or
> the Debian OpenSSH maintainer would care
> to tell the readers of Freshmeat *WHY*
> they allow root logins by default?


Perhaps you would care to read the fine documentation?
In this case, /usr/share/doc/ssh/README.Debian.gz .

26 Jun 2002 22:28 Avatar opless

Re: Curse the ISS

>
> % That's *twice* now that the ISS has
> % leaked an exploit before the
> agreed-upon
> % date. Can they work together as a
> % member of this community, are are they
>
> % going to continually act like a bunch
> of
> % ya-hoo children? Their patches don't
>
> % fix the exploits they pre-leak, they
> % don't keep to the promised delay time,
>
> % they Suck. But boy, are they ever
> l33t,
> % d00d.
> %
>
>
> Well, it's not nice but then again, they
> find the bugs
> and twice the responsible projectteams
> fixed them in
> record time. Wow. Now it's just hard for
> the admins
> to get the upgrades done. After all, I
> guess it's
> better that way than having the bug in
> there any
> longer.
>


Still they may of let the core team patch up properly, but think of the poor sysadmins (myself included) that scurried around when the likes of Debian hurriedly release OpenSSH 3.3 and tell you to upgrade. Turns out that now debian users *look* like they are more vunerable than they were before.

Why did ISS do it? Same reason McAffee et al release press releases about concept virii. To keep their subscriptions up. IIS may be winning friends in management, but they've lost respect at the sysadmin level. This stuff only benifits one group of people - the script kiddies. (Well apart from ISS's shareholders)

And if anyone from the OpenSSH team or the Debian OpenSSH maintainer would care to tell the readers of Freshmeat *WHY* they allow root logins by default? Clearly the correct way is to log in as a staff user that can use 'su' or preferably sudo, rather than let any fool ssh in as root. Two passwords are more secure than one, *and* the admin has a greater chance of catching and tracing the L33T H4><0R whos managed to guess a valid user/password...

Just my 2p

26 Jun 2002 19:05 Avatar dazk

Re: Curse the ISS

> That's *twice* now that the ISS has
> leaked an exploit before the agreed-upon
> date. Can they work together as a
> member of this community, are are they
> going to continually act like a bunch of
> ya-hoo children? Their patches don't
> fix the exploits they pre-leak, they
> don't keep to the promised delay time,
> they Suck. But boy, are they ever l33t,
> d00d.
>


Well, it's not nice but then again, they find the bugs
and twice the responsible projectteams fixed them in
record time. Wow. Now it's just hard for the admins
to get the upgrades done. After all, I guess it's
better that way than having the bug in there any
longer.

26 Jun 2002 16:21 Avatar cnbishop

Curse the ISS
That's *twice* now that the ISS has leaked an exploit before the agreed-upon date. Can they work together as a member of this community, are are they going to continually act like a bunch of ya-hoo children? Their patches don't fix the exploits they pre-leak, they don't keep to the promised delay time, they Suck. But boy, are they ever l33t, d00d.

Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.