gravity wrote in linux

ISS has published a security advisory regarding OpenSSH. While ISS cannot fully substantiate the claim, they are erring on the side of caution.

Synopsis:

ISS X-Force has discovered a flaw in the OpenSSH server developed by the OpenBSD Project. OpenSSH is a freely available open source Secure Shell daemon which allows encrypted communications over networks. A flaw exists in the way OpenSSH handles buffer manipulation when dealing with very large packets, resulting in a buffer overflow condition.

Impact:

When an unusually large packet is encountered, the OpenSSH daemon incorrectly cleans up its globally allocated buffers. This leads to heap corruption; however, the possibility for remote code execution is as yet unproven. There are unconfirmed rumors that there is an exploit in the wild for this vulnerability.

OpenSSH is the default remote login solution distributed with most Unix-like operating systems. OpenSSH is also relied upon to provide secure communications between network administrators and network appliances, routers, and switches. Given the wide distribution of OpenSSH across multiple operating systems and architectures, it is possible that this vulnerability is exploitable in at least some cases.

Affected Versions:

OpenSSH versions up to and including 3.6.1, as well as the portable version of OpenSSH.

Description:

When very large amounts of traffic are encountered, OpenSSH notes an error and proceeds to clean up several network input buffers. Due to an integer addition which occurs in buffer_append_space(), one of the buffer sizes is incorrectly set at the point of cleanup. This causes NULL bytes to be written outside the bounds of the buffer when it is freed.

It is necessary to send large amounts of traffic to affected OpenSSH servers in order to trigger this vulnerability. At least 10 MB of traffic must be sent to recent versions of OpenSSH, and in older versions it is necessary to exhaust memory and cause heap allocation to fail. Note that due to zlib support within OpenSSH, this 10 MB worth of traffic can be compressed into a single packet.

This vulnerability can be used to cause memory corruption in an unprivileged OpenSSH process. However, the nature of this memory corruption is very specific and limited. It is only possible to write NULL bytes outside the bounds of a heap buffer, and it is currently unknown if this vulnerability can be exploited to cause arbitrary code execution.
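The defect the advisory describes in buffer_append_space() is a bookkeeping-order bug: the buffer's recorded allocation size is updated before the growth request is validated, so when the request is rejected the error path leaves the buffer believing it owns more memory than it does, and a cleanup that zeroes "all allocated bytes" then writes NUL bytes past the real allocation. The following is an added example written for this post, not OpenSSH's own code: the Buffer struct, the BUFFER_MAX_LEN and GROW_SLACK values, the function names and the real_alloc audit field are all assumptions chosen to make the ordering problem measurable. Rather than performing the out-of-bounds write, the cleanup path reports how far the recorded size has drifted from the real allocation, which is exactly the quantity a fixed implementation must keep at zero.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a network input buffer, constructed for this
 * example. real_alloc mirrors what the allocator really handed out and exists
 * only so the defect can be measured; alloc is the size the buffer code
 * records and later trusts when it cleans up. */
typedef struct {
    unsigned char *buf;
    size_t real_alloc;  /* bytes really allocated (audit field only) */
    size_t alloc;       /* bytes the buffer code believes are allocated */
    size_t end;         /* bytes in use */
} Buffer;

#define BUFFER_MAX_LEN (10u * 1024u * 1024u)  /* assumed hard cap: 10 MB */
#define GROW_SLACK     32768u                  /* assumed growth slack */

static void buffer_init(Buffer *b) {
    b->alloc = b->real_alloc = 4096;
    b->end = 0;
    b->buf = calloc(1, b->alloc);
    if (b->buf == NULL) abort();
}

/* Vulnerable ordering: the recorded size is bumped before the limit check.
 * When the check fails, the error path returns with alloc larger than the
 * memory that actually exists, and a later cleanup that zeroes 'alloc' bytes
 * would run past the real allocation. */
static int append_space_vulnerable(Buffer *b, size_t len) {
    if (b->end + len <= b->alloc) { b->end += len; return 0; }
    b->alloc += len + GROW_SLACK;            /* bookkeeping changed first */
    if (b->alloc > BUFFER_MAX_LEN)
        return -1;                           /* error path: alloc now lies */
    b->buf = realloc(b->buf, b->alloc);
    if (b->buf == NULL) abort();
    b->real_alloc = b->alloc;
    b->end += len;
    return 0;
}

/* Fixed ordering: compute the new size in a temporary, validate it (including
 * integer wrap-around), grow, and only then commit it to the bookkeeping. */
static int append_space_fixed(Buffer *b, size_t len) {
    if (b->end + len <= b->alloc) { b->end += len; return 0; }
    size_t newlen = b->alloc + len + GROW_SLACK;
    if (newlen < b->alloc || newlen > BUFFER_MAX_LEN)
        return -1;                           /* alloc still truthful */
    unsigned char *nb = realloc(b->buf, newlen);
    if (nb == NULL) return -1;               /* alloc still truthful */
    b->buf = nb;
    b->alloc = b->real_alloc = newlen;
    b->end += len;
    return 0;
}

/* The cleanup the advisory describes zeroes the buffer using the recorded
 * size. Here we do not perform that write; we return how many bytes such a
 * memset(buf, 0, alloc) would overrun the real allocation by. */
static size_t cleanup_overrun_bytes(const Buffer *b) {
    return b->alloc > b->real_alloc ? b->alloc - b->real_alloc : 0;
}

static void buffer_free(Buffer *b) {
    memset(b->buf, 0, b->real_alloc);  /* bounded by the real size */
    free(b->buf);
    b->buf = NULL;
}

/* Drive one implementation past the cap with two large requests (the first
 * grows within the limit, the second is rejected) and report the overrun
 * the rejected request leaves behind for cleanup. */
static size_t overrun_after_limit(int (*append)(Buffer *, size_t)) {
    Buffer b;
    buffer_init(&b);
    append(&b, 5u * 1024u * 1024u);
    append(&b, 6u * 1024u * 1024u);
    size_t overrun = cleanup_overrun_bytes(&b);
    buffer_free(&b);
    return overrun;
}

int main(void) {
    printf("vulnerable ordering: cleanup would overrun by %zu bytes\n",
           overrun_after_limit(append_space_vulnerable));
    printf("fixed ordering:      cleanup would overrun by %zu bytes\n",
           overrun_after_limit(append_space_fixed));
    return 0;
}
```

The general lesson for code review is the same one the fix in 3.7 applies: a size field that other code (especially error-path cleanup) relies on must only be written after the allocation that backs it has succeeded, and the pre-check should operate on a temporary.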

Details of this vulnerability have been discussed in public forums and there are rumors of compromises in the wild. These rumors are unsubstantiated as of the publication time of this advisory. Privilege separation, present by default in OpenSSH since version 3.3, may offer some degree of protection against compromise.

Recommendations:

For manual protection, the vendor has offered the following recommendations:

The vulnerabilities described in this advisory are fixed in OpenSSH 3.7 and 3.7p1. Updated versions and patches can be downloaded from ftp.openbsd.org or any of its mirrors. Mirrors are listed on the OpenSSH Web site. See http://www.openssh.org/ for more details. Vendor-specific patches are expected in the near future.

X-Force recommends that customers who have externally exposed OpenSSH servers immediately download patches from one of the OpenSSH distribution sites.
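To act on the recommendation you first need an inventory of which of your own hosts still run a pre-3.7 server. The version string an OpenSSH server announces in its protocol greeting (for example "SSH-2.0-OpenSSH_3.6.1p2", or locally via "ssh -V") is the quickest indicator. The example below is added here and is not ISS's or the OpenSSH project's code: it parses the OpenSSH version out of such a banner and classifies it against the 3.7 fix line stated in the advisory. The banner strings in main() are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract major.minor.patch from an SSH greeting or "ssh -V" line containing
 * "OpenSSH_". Portable suffixes such as "p1" are ignored. Returns 1 on
 * success, 0 if the banner is not an OpenSSH banner. */
static int parse_openssh_version(const char *banner, int *maj, int *min, int *pat) {
    const char *p = strstr(banner, "OpenSSH_");
    if (p == NULL) return 0;
    p += strlen("OpenSSH_");
    *maj = *min = *pat = 0;
    char *end;
    *maj = (int)strtol(p, &end, 10);
    if (end == p) return 0;                 /* no digits after OpenSSH_ */
    if (*end == '.') {
        p = end + 1;
        *min = (int)strtol(p, &end, 10);
        if (end == p) return 0;
    }
    if (*end == '.') {
        p = end + 1;
        *pat = (int)strtol(p, &end, 10);
        if (end == p) return 0;
    }
    return 1;
}

/* 1 = version is at or below 3.6.1 (affected per the advisory),
 * 0 = 3.7 or later, -1 = not an OpenSSH banner (cannot tell). */
static int banner_is_affected(const char *banner) {
    int maj, min, pat;
    if (!parse_openssh_version(banner, &maj, &min, &pat)) return -1;
    if (maj < 3) return 1;
    if (maj > 3) return 0;
    return min < 7 ? 1 : 0;                 /* fixed in 3.7 / 3.7p1 */
}

int main(void) {
    /* Constructed sample banners, not captured from any real host. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_3.6.1p2",
        "SSH-1.99-OpenSSH_3.7p1",
        "SSH-2.0-OpenSSH_2.9p2",
        "SSH-2.0-dropbear_0.39",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = banner_is_affected(samples[i]);
        printf("%-28s -> %s\n", samples[i],
               r == 1 ? "AFFECTED (pre-3.7)" : r == 0 ? "ok" : "unknown (not OpenSSH)");
    }
    return 0;
}
```

Treat a positive result as a candidate rather than a confirmed finding: the advisory notes that vendor-specific patches are expected, and operating-system vendors commonly backport fixes without changing the advertised version, so a host flagged by the banner check should be reconciled against its package or patch records before it is marked vulnerable.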

Credit:

This vulnerability was discovered and researched by Mark Dowd of the ISS X-Force.