AUSCERT External Security Bulletin Redistribution

                ESB-2002.329 -- AIX Security Alert Summary
          OpenSSH Vulnerabilities in Challenge Response Handling
                                3 July 2002


        AusCERT Security Bulletin Summary

Product:                OpenSSH 2.3.1p1 to 3.3
Vendor:                 IBM
Operating System:       AIX with the Linux Affinity Toolkit
Impact:                 Root Compromise
                        Execute Arbitrary Code/Commands
                        Denial of Service
Access Required:        Remote

Ref:                    AL-2002.05

Comments:  This advisory contains the response from IBM on the recent
           OpenSSH Vulnerabilities.  It is an update to the summary 
           information provided in ESB-2002.291.

- --------------------------BEGIN INCLUDED TEXT--------------------

This file contains summary information on AIX security alerts published
by the Computer Emergency Response Team (CERT), and the IBM Emergency
Response Team (ERS).  The full text of these alerts can be obtained from
this mail server by requesting the 'CERT' and 'ERS' files.  This
information (and more) is available from CERT and ERS directly on the
world-wide web at the following URLs:

  CERT: http://www.cert.org/

   ERS: http://www.ers.ibm.com/

In order to keep the size of this file reasonable, it contains only
advisories for the current year..  You can obtain a list of previous
advisories either from the above URLs, or by requesting one of the
"Security_YYYY" documents from this mail server.

The fixes mentioned in this document, when available, can be obtained
from Electronic Fix Distribution at the following URL:


The 'Security_APARs' document on this mail server contains a list of
security related APARs.
CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response

There  are  two  related  vulnerabilities  in  the  challenge response
handling  code in OpenSSH versions 2.3.1p1 through 3.3. They may allow
a  remote  intruder to execute arbitrary code as the user running sshd
(often  root).  The first vulnerability affects OpenSSH versions 2.9.9
through  3.3  that have the challenge response option enabled and that
use  SKEY or BSD_AUTH authentication. The second vulnerability affects
PAM  modules  using  interactive  keyboard  authentication  in OpenSSH
versions  2.3.1p1  through  3.3,  regardless of the challenge response
option  setting.  Additionally,  a  number  of other possible security
problems have been corrected in OpenSSH version 3.4.

IBM's  AIX  operating  system  does  not  ship  with OpenSSH; however,
OpenSSH  is  available  for installation on AIX via the Linux Affinity
Toolkit.  The  version  included  on  the CD containing the Toolkit is
vulnerable to the latest discovered vulnerability discussed here as is
the  version  of  OpenSSH available for downloading from the IBM Linux
Affinity website. Anyone running this version is advised to follow the
recommendations above to limit their vulnerability.

We  working  with  the  changes  for  version  3.4 and will have a new
package  availble for download as soon as possible. When available the
new packages can be downloaded from:


This    site   contains   Linux   Affinity   applications   containing
cryptographic  algorithms,  and  new  users  of this site are asked to
register first.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for member emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key