Article

New buffer overflow threatens OpenSSH systems

Michael S. Mimoso, Editorial Director

A buffer overflow vulnerability has been found in OpenSSH that could threatens systems running the ubiquitous network protocol.

OpenSSH is an open-source secure shell daemon that encrypts network packets. Red Hat Linux, SuSE Linux, FreeBSD, OpenBSD and Mandrake Linux, as well as many Unix and other systems, integrate OpenSSH into the base OS as a remote login solution.

Several security mailing lists are reporting that exploit code is being traded in the wild. As of today, it is unknown whether an exploit could either crash or enable remote code execution. Experts urge administrators to treat this serious vulnerability as if there were a working exploit, and they suggest that users upgrade vulnerable systems to OpenSSH 3.7 and 3.7p1, which are available for download from ftp.openbsd.org. Vendor-specific fixes are imminent.

OpenSSH is developed by the OpenBSD Project, which offers a free Unix-like operating system. OpenSSH versions up to and including 3.6.1, as well as the portable version of OpenSSH, are affected by the flaw.

Atlanta-based Internet Security Systems Inc. discovered the flaw. Researchers there said that when an unusually large packet (at least 10 MB of traffic) is sent to OpenSSH, its buffer management tries to reallocate a larger buffer. In some cases, the cleanup process leads to heap corruption and crashes that process.

"This is a difficult vulnerability to exploit," said Dan Ingevaldson, team leader for ISS' XForce

Requires Free Membership to View

security team. "But it's only difficult once. Once someone exploits it, it becomes public domain."

An alert from FreeBSD explains: "In some cases, the cleanup code will attempt to zero and free the buffer that just had its recorded size (but not actual allocation) increased. As a result, memory outside of the allocated buffer will be overwritten with NUL bytes."

FreeBSD recommends several workarounds, including disabling the base system sshd and ensuring sshd is not restarted when a system is restarted. Also, FreeBSD recommends uninstalling the OpenSSH or OpenSSH portable ports if they are installed.

"This is a serious vulnerability. OpenSSH is the most common SSH server out there," Ingevaldson said. "SSH is part of the fabric of Unix [and Linux] systems. Administrators use it to connect to a lot of appliance, virus gateways and IDS systems. This is a significant deal."

FOR MORE INFORMATION:

SearchEnterpriseLinux.com news exclusive: "2.6 kernel cures some security shortcomings"

SearchEnterpriseLinux.com news exclusive: "Linux security: The seven deadly sins"

Best Web Links on security

Ask the experts

FEEDBACK: Has this security incident shaken your faith in OpenSSH?
Send your feedback to the SearchEnterpriseLinux.com news team.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: