Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0644 -- FreeBSD-SA-03:12.openssh
OpenSSH buffer management error
17 September 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenSSH
Publisher: FreeBSD
Operating System: FreeBSD 4.x Releases
FreeBSD 4-STABLE prior to correction date
Impact: Denial of Service
Access Required: Remote
CVE Names: CAN-2003-0693
Ref: AL-2003.16
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-03:12 Security Advisory
FreeBSD, Inc.
Topic: OpenSSH buffer management error
Category: core, ports
Module: openssh, ports_openssh, openssh-portable
Announced: 2003-09-16
Credits: The OpenSSH Project <openssh@openssh.org>
Affects: All FreeBSD releases after 4.0-RELEASE
FreeBSD 4-STABLE prior to the correction date
openssh port prior to openssh-3.6.1_1
openssh-portable port prior to openssh-portable-3.6.1p2_1
Corrected: 2003-09-16 16:24:02 UTC (RELENG_4)
2003-09-16 16:27:57 UTC (RELENG_5_1)
2003-09-16 17:34:32 UTC (RELENG_5_0)
2003-09-16 16:24:02 UTC (RELENG_4_8)
2003-09-16 16:45:16 UTC (RELENG_4_7)
2003-09-16 17:44:15 UTC (RELENG_4_6)
2003-09-16 17:45:23 UTC (RELENG_4_5)
2003-09-16 17:46:02 UTC (RELENG_4_4)
2003-09-16 17:46:37 UTC (RELENG_4_3)
2003-09-16 12:43:09 UTC (ports/security/openssh)
2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
CVE: CAN-2003-0693
FreeBSD only: NO
I. Background
OpenSSH is a free version of the SSH protocol suite of network
connectivity tools. OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.
II. Problem Description
When a packet is received that is larger than the space remaining in
the currently allocated buffer, OpenSSH's buffer management attempts
to reallocate a larger buffer. During this process, the recorded size
of the buffer is increased. The new size is then range checked. If
the range check fails, then fatal() is called to cleanup and exit.
In some cases, the cleanup code will attempt to zero and free the
buffer that just had its recorded size (but not actual allocation)
increased. As a result, memory outside of the allocated buffer will
be overwritten with NUL bytes.
III. Impact
A remote attacker can cause OpenSSH to crash. The bug is not believed
to be exploitable for code execution on FreeBSD.
IV. Workaround
Do one of the following:
1) Disable the base system sshd by executing the following command as
root:
# kill `cat /var/run/sshd.pid`
Be sure that sshd is not restarted when the system is restarted
by adding the following line to the end of /etc/rc.conf:
sshd_enable="NO"
AND
Deinstall the openssh or openssh-portable ports if you have one of
them installed.
V. Solution
Do one of the following:
[For OpenSSH included in the base system]
1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
RELENG_4_8, or RELENG_4_7 security branch dated after
the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
4.7-RELEASE-p15, respectively).
2) FreeBSD systems prior to the correction date:
The following patches have been verified to apply to FreeBSD 4.x and
FreeBSD 5.x systems prior to the correction date.
Download the appropriate patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.
[FreeBSD 4.3 through 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc
[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc
Execute the following commands as root:
# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})
[For the OpenSSH ports]
One of the following:
1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package obtained from
the following directory:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.
3) Download a new port skeleton for the openssh or openssh-portable
port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in the FreeBSD base system and ports collection.
Branch Revision
Path
- - -------------------------------------------------------------------------
[Base system]
RELENG_4
src/crypto/openssh/buffer.c 1.1.1.1.2.5
src/crypto/openssh/version.h 1.1.1.1.2.11
RELENG_5_1
src/UPDATING 1.251.2.4
src/crypto/openssh/buffer.c 1.1.1.6.4.1
src/crypto/openssh/version.h 1.20.2.1
src/sys/conf/newvers.sh 1.50.2.5
RELENG_5_0
src/UPDATING 1.229.2.18
src/crypto/openssh/buffer.c 1.1.1.6.2.1
src/crypto/openssh/version.h 1.18.2.1
src/sys/conf/newvers.sh 1.48.2.13
RELENG_4_8
src/UPDATING 1.73.2.80.2.7
src/crypto/openssh/buffer.c 1.1.1.1.2.4.4.1
src/crypto/openssh/version.h 1.1.1.1.2.10.2.1
src/sys/conf/newvers.sh 1.44.2.29.2.6
RELENG_4_7
src/UPDATING 1.73.2.74.2.18
src/crypto/openssh/buffer.c 1.1.1.1.2.4.2.1
src/crypto/openssh/version.h 1.1.1.1.2.9.2.1
src/sys/conf/newvers.sh 1.44.2.26.2.17
RELENG_4_6
src/UPDATING 1.73.2.68.2.46
src/crypto/openssh/buffer.c 1.1.1.1.2.3.4.2
src/crypto/openssh/version.h 1.1.1.1.2.8.2.2
src/sys/conf/newvers.sh 1.44.2.23.2.35
RELENG_4_5
src/UPDATING 1.73.2.50.2.47
src/crypto/openssh/buffer.c 1.1.1.1.2.3.2.1
src/crypto/openssh/version.h 1.1.1.1.2.7.2.2
src/sys/conf/newvers.sh 1.44.2.20.2.31
RELENG_4_4
src/UPDATING 1.73.2.43.2.48
src/crypto/openssh/buffer.c 1.1.1.1.2.2.4.1
src/crypto/openssh/version.h 1.1.1.1.2.5.2.3
src/sys/conf/newvers.sh 1.44.2.17.2.39
RELENG_4_3
src/UPDATING 1.73.2.28.2.35
src/crypto/openssh/buffer.c 1.1.1.1.2.2.2.1
src/crypto/openssh/version.h 1.1.1.1.2.4.2.3
src/sys/conf/newvers.sh 1.44.2.14.2.25
[Ports]
ports/security/openssh-portable/Makefile 1.73
ports/security/openssh-portable/files/patch-buffer.c 1.1
ports/security/openssh/Makefile 1.120
ports/security/openssh/files/patch-buffer.c 1.1
- - -------------------------------------------------------------------------
Branch Version string
- - -------------------------------------------------------------------------
HEAD OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4 OpenSSH_3.5p1 FreeBSD-20030916
RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030916
RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20030916
RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20030916
RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20030916
- - -------------------------------------------------------------------------
To view the version string of the OpenSSH server, execute the
following command:
% /usr/sbin/sshd -\?
The version string is also displayed when a client connects to the
server.
To view the version string of the OpenSSH client, execute the
following command:
% /usr/bin/ssh -V
VII. References
<URL:http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html>
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0693 to this issue.
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ
PW0VvEnS7MMUYyekHuz49ro=
=vcm1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBP2ezBCh9+71yA2DNAQFgagP/SlgGxzCpPvKNiidErLU/l6nSLxqG1dM+
cEpCCswxdHqnM7REoaxq5/kGH0JQJIHnBLOAv/meUvLca/Tdnr0UoL1JxzxJS8Un
OeLuR3VWFZAW6HFTR9/SEh8F6XDIOC3fHjuvbgiHq3k7jrp6ywNPKRQtSjvLmcNP
wCGtLWBZvXE=
=ZBJG
-----END PGP SIGNATURE-----