[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[linux-security] Alert: remote root exploit in openssh daemon



Topic
=====
remote root exploit in ssh daemon

Problem Description
===================
There are two related vulnerabilities in the challenge response
handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow
a remote intruder to execute arbitrary code as the user running sshd
(often root). The first vulnerability affects OpenSSH versions 2.9.9
through 3.3 that have the challenge response option enabled and that
use SKEY or BSD_AUTH authentication. The second vulnerability affects
PAM modules using interactive keyboard authentication in OpenSSH
versions 2.3.1p1 through 3.3, regardless of the challenge response
option setting. Additionally, a number of other possible security
problems have been corrected in OpenSSH version 3.4.

The first vulnerability is an integer overflow in the handling of the
number of responses received during challenge response authentication.
If the challenge response configuration option is set to yes and the
system is using SKEY or BSD_AUTH authentication then a remote intruder
may be able to exploit the vulnerability to execute arbitrary code.
This vulnerability is present in versions of OpenSSH 2.9.9 through
3.3. An exploit for this vulnerability is reported to exist.
Exploitation of this vulnerability can be prevented by setting

ChallengeResponseAuthentication no

in the sshd_config file (see Workaround below). This will disable
s/key and bsd authentication (which are rarely use anyway).

The second vulnerability is a buffer overflow involving the number of
responses received during challenge response authentication.
This vulnerability is present in versions of OpenSSH 2.3.1 through 3.3.
Regardless of the setting of the challenge response configuration
option, systems using PAM modules that use interactive keyboard
authentication (PAMAuthenticationViaKbdInt), may be vulnerable to the
remote execution of code. At this time, it is not known if this
vulnerability is exploitable.
Setting

PAMAuthenticationViaKbdInt no

in sshd_config prevents exploitation of this vulnerability.

Affected Systems
================
Systems running the OpenSSH daemon sshd with the following versions:
vulnerability 1 (challenge response authentication):
                2.9.9 through 3.3 inclusive
vulnerability 2 (pam interactive keyboard authentication):
                2.3.1 though 3.3 inclusive

Workaround
==========
For versions 2.9p1 and later set in /etc/ssh/sshd_config (or wherever else
your sshd_config file is located)

ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no

For versions between 2.3.1 and 2.9 set

ChallengeResponseAuthentication no
KbdInteractiveAuthentication no

and restart sshd after making those changes.

If you are running OpenSSH versions 3.2 or 3.3 the impact of these
vulnerabilities can be reduced by setting 

UsePrivilegeSeparation yes

in /etc/ssh/sshd_config

and restarting sshd. This workaround does not prevent these vulnerabilities
from being exploited, however due to the privilege separation mechanism, the
intruder may be limited to a constrained chroot environment with restricted
privileges. This workaround will not prevent these vulnerabilities from
creating a denial-of-service condition. Furthermore, privilege separation
under 2.2 kernels requires and patch to the openssh source code (provided
by Solar Designer and contained, e.g., in the Mandrake source rpm for their
3.3 version). Mandrake has released new RPMs that let you enable 
privilege separation. However, it may be easier to just disable 
ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt and then
wait until Mandrake releases openssh-3.4 RPMs.

Mandrake 7.1, 7.2, 8.x
----------------------
rpm -Fvh openssh-3.3p1-3.1mdk.i586.rpm \
         openssh-clients-3.3p1-3.1mdk.i586.rpm \
         openssh-server-3.3p1-3.1mdk.i586.rpm \
         openssh-askpass-3.3p1-3.1mdk.i586.rpm \
         openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm

Caldera
-------
Caldera recommends to set
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
as described above.

Solution
========
upgrade to openssh-3.4 (or patched version for your distribution)
(updates to this advisory will be sent out as soon as more information for
distributions other than those listed below becomes available).

Debian 2.2 (potato)
-------------------
upgrade to ssh_3.4p1-0.0potato1_i386.deb,
           ssh-askpass-gnome_3.4p1-0.0potato1_i386.deb,
           libssl-dev_0.9.6c-0.potato.1_i386.deb,
           libssl0.9.6_0.9.6c-0.potato.1_i386.deb,
           openssl_0.9.6c-0.potato.1_i386.deb

RedHat 6.x
----------
RedHat 6.x did not come with openssh. Furthermore, RedHat 6.x uses
openssl-0.9.5a which is incompatible with openssh-2.9.9 and later versions.
Therefore, I patched openssh-2.9p2 against all known vulnerabilities
in openssh-2.9 and later versions including the pam interactive keyboard
authentication vulnerability (openssh-2.9p2 is not vulnerable to
the challenge response authentication vulnerability). You find these rpm
packages in the /vol/vol1/distrib/redhat/6.2/contrib directory on sphinx.
Alternatively you can download those rpms from 
http://www.sfu.ca/acs/ssh/ssh_linux.html

rpm -Fvh openssh-2.9p2-14.6.x.i386.rpm \
         openssh-clients-2.9p2-14.6.x.i386.rpm \
         openssh-server-2.9p2-14.6.x.i386.rpm \
         openssh-askpass-2.9p2-14.6.x.i386.rpm \
         openssh-askpass-gnome-2.9p2-14.6.x.i386.rpm

RedHat 7.0, 7.1
---------------
RedHat patched openssh-3.1p1 against both vulnerabilities.

rpm -Fvh openssh-3.1p1-5.i386.rpm \
         openssh-clients-3.1p1-5.i386.rpm \
         openssh-server-3.1p1-5.i386.rpm \
         openssh-askpass-3.1p1-5.i386.rpm \
         openssh-askpass-gnome-3.1p1-5.i386.rpm

RedHat 7.2, 7.3
---------------
RedHat patched openssh-3.1p1 against both vulnerabilities.

rpm -Fvh openssh-3.1p1-6.i386.rpm \
         openssh-clients-3.1p1-6.i386.rpm \
         openssh-server-3.1p1-6.i386.rpm \
         openssh-askpass-3.1p1-6.i386.rpm \
         openssh-askpass-gnome-3.1p1-6.i386.rpm