TruSecure ALERT - TSA03-013
TSA03-013 - OpenSSH Remote Buffer Overflow Vulnerability

Current Assessment: HOT
Current Assessment Date: September 16, 2003
Initial Assessment Date: September 15, 2003

Executive Summary:

Since the service is customarily used by Unix administrators for managing and administering critical systems, any exploit of OpenSSH would likely result in a denial of service or possibly administrative control of critical systems. If attack code is truly in the wild, then we would expect that attacks will accelerate.

TruSecure Customers only:
Threat Rate:
Vulnerability Prevalence:
Cost:

Summary:

On September 15th, TruSecure issued a TS RADAR notification concerning a new OpenSSH vulnerability. An updated TS RADAR posting was issued early on the 16th, indicating that the vulnerability had been confirmed and that vendors were preparing fixes for the OpenSSH code.

The updated code base addresses a situation which occurs when more buffer space is needed than has currently been allocated. The changes modify how additional buffer space is allocated before data can be written to the buffer.

Availability of patched versions of OpenSSH will vary by OS version/distribution; customers with software maintenance agreements should consult their vendors regarding availability. Customers who are unable to patch or upgrade OpenSSH should consider disabling the service. In general, TruSecure recommends restricting access to vulnerable systems through the use of firewall or router ACLs that will only permit specific hosts to connect to the vulnerable systems.

The updated 3.7 version is available from the OpenSSH ftp repository:

OpenBSD Source
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.7.tgz
MD5 (openssh-3.7.tgz) = 86864ecc276c5f75b06d4872a553fa70

Portable Source (Linux, etc.)
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7p1.tgz
MD5 (openssh-3.7p1.tar.gz) = 77662801ba2a9cadc0ac10054bc6cb37

RPM (various)
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/

Although widespread availability of a tool to exploit this issue has NOT been confirmed, the rapid progression from hearsay to code updates appears to indicate that there is a credible threat. The ubiquitous deployment of OpenSSH makes it an attractive target, and should tools become widely available, the likelihood of automated exploitation is significant.

Version Summary

Conectiva, Debian, Immunix, Mandrake, and Slackware have released security advisories and updated packages to address the OpenSSH buffer overflow. CERT has released a vulnerability note as well.

Warning Indicators

Systems running versions of OpenSSH prior to 3.7 are vulnerable. OpenSSH.org has stated that the following operating systems, devices, and vendors use OpenSSH or binaries based on it:

OpenBSD

-------------------------------------------------------------------

The vulnerability exists in buffer.c, and is caused by a misallocation of buffer memory. The flaw occurs because of a segment of code within buffer_append_space() that calls the fatal() function without first examining the passed buffer. The fatal() function calls cleanup handlers that may operate using potentially corrupted information. Under some circumstances the buffer may expand beyond the allocated size. The published fix updates buffer->alloc after the fatal() check. A CVS diff is available at the following FreeBSD security link for detailed technical review: FreeBSD CVS Log

Because ssh is often part of default Linux installations and now ships with Solaris and Mac OS X, ssh may be installed and administrators might not be aware of it. The service runs on port 22/tcp and can be found by checking netstat on the local system, port scanning at the network level, or by using the telnet command to check a particular host.
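The ordering problem described above can be shown in miniature. The following C program is a constructed illustration added to this alert, not OpenSSH's buffer.c: it contrasts an append-space routine that commits the enlarged alloc value before the hard-limit check (the flaw) with one that validates the candidate size first (the published fix's ordering). The struct layout, the function names and the extra "real" field used to audit the bookkeeping are assumptions made for the demonstration; the limit and growth constants are chosen to resemble the shape of the real check. The cleanup path here only frees memory, so the program never writes outside its allocation; instead it reports whether the recorded size a cleanup handler would trust still matches the memory actually held.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not OpenSSH code. Names and layout are assumptions. */
#define BUFFER_MAX_LEN    0xa00000   /* hard cap on how large a buffer may grow */
#define BUFFER_GROW_EXTRA 32768      /* slack added on every growth step */

struct buffer {
    unsigned char *buf;
    size_t alloc;   /* bytes the buffer believes it owns (what cleanup code trusts) */
    size_t real;    /* bytes actually behind buf; tracked here only to audit alloc */
    size_t end;     /* bytes in use */
};

static void buffer_init(struct buffer *b)
{
    b->alloc = b->real = 4096;
    b->buf = calloc(b->alloc, 1);
    b->end = 0;
}

/* Vulnerable ordering: alloc is enlarged BEFORE the limit is enforced. When
 * the limit trips (where the original calls fatal()), cleanup handlers that
 * trust alloc see a size far larger than the memory behind buf.
 * Returns 0 on success, -1 where fatal() would have been called. */
static int append_space_vulnerable(struct buffer *b, size_t len)
{
    if (b->end + len < b->alloc) {
        b->end += len;
        return 0;
    }
    b->alloc += len + BUFFER_GROW_EXTRA;        /* committed too early */
    if (b->alloc > BUFFER_MAX_LEN)
        return -1;                              /* fatal(): alloc now overstated */
    unsigned char *p = realloc(b->buf, b->alloc);
    if (p == NULL)
        abort();
    b->buf = p;
    b->real = b->alloc;
    b->end += len;
    return 0;
}

/* Fixed ordering: compute the candidate size, enforce the limit, and only
 * then commit to alloc and resize. On rejection the bookkeeping is untouched. */
static int append_space_fixed(struct buffer *b, size_t len)
{
    if (b->end + len < b->alloc) {
        b->end += len;
        return 0;
    }
    size_t newlen = b->alloc + len + BUFFER_GROW_EXTRA;
    if (newlen > BUFFER_MAX_LEN)
        return -1;                              /* fatal(): alloc still accurate */
    unsigned char *p = realloc(b->buf, newlen);
    if (p == NULL)
        abort();
    b->buf = p;
    b->alloc = b->real = newlen;
    b->end += len;
    return 0;
}

/* 1 when alloc never exceeds the memory actually held (a cleanup that clears
 * alloc bytes would stay inside the allocation), 0 when it would overrun. */
static int buffer_consistent(const struct buffer *b)
{
    return b->alloc <= b->real;
}

/* Push one implementation through an oversize request, which both reject,
 * and report whether the buffer is still safe for cleanup handlers to touch. */
int consistent_after_rejected_append(int use_fixed)
{
    struct buffer b;
    buffer_init(&b);
    size_t too_big = BUFFER_MAX_LEN;            /* guaranteed to trip the limit */
    int rc = use_fixed ? append_space_fixed(&b, too_big)
                       : append_space_vulnerable(&b, too_big);
    int ok = (rc == -1) && buffer_consistent(&b);
    free(b.buf);
    return ok;
}

/* Confirms a legitimate growth step still works under the fixed ordering. */
size_t alloc_after_normal_growth(void)
{
    struct buffer b;
    buffer_init(&b);
    if (append_space_fixed(&b, 5000) != 0)
        abort();
    size_t a = b.alloc;
    free(b.buf);
    return a;
}

int main(void)
{
    printf("vulnerable ordering consistent after rejection: %d\n",
           consistent_after_rejected_append(0));
    printf("fixed ordering consistent after rejection:      %d\n",
           consistent_after_rejected_append(1));
    printf("alloc after a normal 5000-byte growth: %zu\n", alloc_after_normal_growth());
    return 0;
}
```

The point the program makes is the one the advisory states: the dangerous write does not happen in buffer_append_space() itself but in whatever fatal()'s cleanup handlers do with a size field that no longer describes the allocation, so the correct fix is to keep that field accurate until the new size has actually been validated and obtained.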
MITIGATIONS:

1. Customers are urged to upgrade OpenSSH to the 3.7 version.
2. In addition, TruSecure recommends restricting access to vulnerable systems from unknown/untrusted hosts by implementing appropriate access control lists.

Safeguards

Administrators are advised to install the applicable patch. Administrators who are unable to patch or upgrade OpenSSH should consider disabling the service, or restricting access to affected systems through the use of firewall or router ACLs. When restricting access to these systems, administrators should specify only the specific IP addresses that can access the port assigned to SSH, which is port 22/tcp by default. It is important to remember that the firewalls and routers used to provide the access control mentioned above can also rely on SSH for administrative tasks. These devices should be sure to include themselves when firewall policies or router ACLs are modified.

Patches/Software and vendor announcements

OpenSSH has released a security advisory at the following link: OpenSSH
Conectiva has released a security announcement at the following link: CLSA-2003:739
FreeBSD has released a security advisory that will be available at the following FTP link: FreeBSD-SA-03:12
Guardian Digital has released a security advisory at the following link: ESA-20030916-023
Mandrake has released a security advisory at the following link: MDKSA-2003:090
Red Hat has released a security advisory at the following link: RHSA-2003:279-07
Slackware has released a security advisory at the following link: SSA:2003-259-01
CERT has released a vulnerability note at the following link: VU#333628

DISCLAIMER:

Copyright 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS".
The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct. Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security. IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.