BSDnewsletter.com

   Front | Info | Lists | Newsfeeds | Study Guide | What is BSD? RSS  

OpenSSH fixes security hole

By Jeremy C. Reed

OpenSSH 3.4 fixes input validation errors that can result in an integer overflow and privilege escalation. This bug is in versions of OpenSSH's sshd between 2.3.1 and 3.3.

When the exploit was first announced, the actual problem was not defined and the actual fix was not provided. OpenSSH server admins were encouraged to use the new privilege separation. This wouldn't stop the problem, but would make the system less vulnerable due to chrooted environment and unprivileged user. This was so vendors and admins could update their OpenSSH and enable privilege separation before exploits would be written. (Privilege separation was enabled by default in the June OpenSSH 3.3 release.)

The real problem was announced a couple days later. Two related vulnerabilities in the challenge response handling code in OpenSSH versions 2.3.1p1 through 3.3 may allow a remote intruder to execute arbitrary code as the user running sshd (often root).One vulnerability invloves PAM modules using interactive keyboard authentication. And the other issue is in the SKEY or BSD_AUTH authentication.

Workarounds include disabling ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt in sshd_config. (In older OpenSSH configs, you can also disable KbdInteractiveAuthentication.) Another workaround is to disable Protocol 2. (Protocol 1 and old sshd servers don't have these particular issues.)

More information can be found in the OpenSSH Security Advisory at http://www.openssh.org/txt/preauth.adv and the ISS Advisory.

Discussion

Discuss this article below.


Name:

Email:

Subject:

Message:

Stop Spam Abuse: What operating system's CVS history begins in March 1993?


BSD Links

· Advocacy
· Drivers
· Events
· Flavours
· FAQs
· Guides
· Programming
· Security
· Software
· User Groups

September 16, 2013 11:24:30

Front | Information | Lists | Newsfeeds | Study Guide