[ale] FW: Revised OpenSSH Security Advisory
Christopher Fowler
cfowler at outpostsentinel.com
Wed Jun 26 16:08:53 EDT 2002
The problem is that my 3.1 is deeply ingrained in my system. If I can
avoid a full upgrade and just apply a patch, I will. I just need to know
what patch to apply.
Chris
On Wed, 2002-06-26 at 15:54, James P. Kinney III wrote:
> Do the upgrade. It will get you some other useful features like
> compression.
>
> On Wed, 2002-06-26 at 15:46, Christopher Fowler wrote:
> > I'm using 3.1p1. Can I just apply the patch below or do I need to do a
> > full upgrade?
> >
> > Chris
> >
> > On Wed, 2002-06-26 at 15:35, Jim Popovitch wrote:
> > > PLEASE READ! There are several things you need to do to secure your SSH
> > > implementation. This is the SECOND Advisory.
> > >
> > > -----Original Message-----
> > > Sent: Wednesday, June 26, 2002 3:08 PM
> > > To: openssh-unix-announce at mindrot.org
> > >
> > > This is the 2nd revision of the Advisory.
> > >
> > > 1. Versions affected:
> > >
> > > Several versions of OpenSSH's sshd between 2.3.1 and 3.3
> > > contain an input validation error that can result in an
> > > integer overflow and privilege escalation.
> > >
> > > All versions between 2.3.1 and 3.3 contain a bug in the
> > > PAMAuthenticationViaKbdInt code.
> > >
> > > All versions between 2.9.9 and 3.3 contain a bug in the
> > > ChallengeResponseAuthentication code.
> > >
> > > OpenSSH 3.4 and later are not affected.
> > >
> > > OpenSSH 3.2 and later prevent privilege escalation if
> > > UsePrivilegeSeparation is enabled in sshd_config. OpenSSH
> > > 3.3 enables UsePrivilegeSeparation by default.
> > >
> > > Although some earlier versions are not affected, upgrading
> > > to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds
> > > checks for a class of potential bugs.
> > >
> > > 2. Impact:
> > >
> > > This bug can be exploited remotely if
> > > ChallengeResponseAuthentication is enabled in sshd_config.
> > >
> > > Affected are at least systems supporting s/key over
> > > SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD
> > > as well as other systems supporting s/key with SSH).
> > > Exploitability of systems using PAMAuthenticationViaKbdInt
> > > has not been verified.
> > >
> > > 3. Short-Term Solution:
> > >
> > > Disable ChallengeResponseAuthentication in sshd_config.
> > >
> > > and
> > >
> > > Disable PAMAuthenticationViaKbdInt in sshd_config.
> > >
> > > Alternatively you can prevent privilege escalation
> > > if you enable UsePrivilegeSeparation in sshd_config.
> > >
> > > 4. Solution:
> > >
> > > Upgrade to OpenSSH 3.4 or apply the following patches.
> > >
> > > 5. Credits:
> > >
> > > ISS.
> > >
> > > Appendix:
> > >
> > > A:
> > >
> > > Index: auth2-chall.c
> > > ===================================================================
> > > RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
> > > retrieving revision 1.18
> > > diff -u -r1.18 auth2-chall.c
> > > --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18
> > > +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000
> > > @@ -256,6 +256,8 @@
> > >
> > > authctxt->postponed = 0; /* reset */
> > > nresp = packet_get_int();
> > > + if (nresp > 100)
> > > + fatal("input_userauth_info_response: nresp too big %u", nresp);
> > > if (nresp > 0) {
> > > response = xmalloc(nresp * sizeof(char*));
> > > for (i = 0; i < nresp; i++)
> > >
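Review bot: The limit in `if (nresp > 100)` is a bare magic number, and nothing ties it to the `xmalloc(nresp * sizeof(char*))` two lines below, which is the multiplication it protects. A named constant with a one-line comment would make that link explicit for later readers. The ceiling is also independent of how many prompts were actually sent; if that count is available at this point, comparing nresp against it (as the auth2-pam.c change does with num_expected) would be tighter than a fixed bound.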
> > > B:
> > >
> > > Index: auth2-pam.c
> > > ===================================================================
> > > RCS file: /var/cvs/openssh/auth2-pam.c,v
> > > retrieving revision 1.12
> > > diff -u -r1.12 auth2-pam.c
> > > --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12
> > > +++ auth2-pam.c 26 Jun 2002 10:12:31 -0000
> > > @@ -140,6 +140,15 @@
> > > nresp = packet_get_int(); /* Number of responses. */
> > > debug("got %d responses", nresp);
> > >
> > > +
> > > + if (nresp != context_pam2.num_expected)
> > > + fatal("%s: Received incorrect number of responses "
> > > + "(expected %u, received %u)", __func__, nresp,
> > > + context_pam2.num_expected);
> > > +
> > > + if (nresp > 100)
> > > + fatal("%s: too many replies", __func__);
> > > +
> > > for (i = 0; i < nresp; i++) {
> > > int j = context_pam2.prompts[i];
> > >
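Review bot: In the added fatal() for the count mismatch, the arguments are in the opposite order to the format string: the message reads "(expected %u, received %u)" but `nresp` is passed first and `context_pam2.num_expected` second, so the log will show the two numbers swapped. Swap the arguments. nresp is also printed with %d in the debug() line just above and with %u here; use the conversion that matches its declared type. The `nresp > 100` test that follows can only fire when num_expected itself exceeds 100, so either enforce the limit where num_expected is set or add a comment saying it is a defensive backstop.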
> > > ---
> > > This message has been sent through the ALE general discussion list.
> > > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> > > sent to listmaster at ale dot org.
> --
> James P. Kinney III \Changing the mobile computing world/
> President and CEO \ one Linux user /
> Local Net Solutions,LLC \ at a time. /
> 770-493-8244 \.___________________________./
>
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>
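The short-term steps in section 3 of the quoted advisory can be checked against a host's sshd_config. The script below is an added example, not part of the original thread or of OpenSSH; the function names and verdict labels are this example's own, and an unset keyword is treated as not mitigated because the script cannot know the build's default.

```shell
#!/bin/sh
# Added example: check an sshd_config against the advisory's short-term steps.
# Function names and verdict labels are hypothetical, chosen for this example.

# Print the first value given for keyword $2 in file $1, or "unset".
# sshd matches keywords case-insensitively and keeps the first value it reads.
sshd_opt() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); val = "unset" }
        /^[ \t]*#/ { next }                      # skip comment lines
        !found && tolower($1) == key { val = tolower($2); found = 1 }
        END { print val }
    ' "$1"
}

# Verdicts:
#   disabled     - both keyboard-interactive paths named in the advisory are off
#   privsep-only - a path may still be on, but privilege separation is enabled
#   exposed      - neither mitigation is set explicitly
# Assumption: an unset keyword counts as not mitigated, since the default
# depends on the OpenSSH version and build.
audit_sshd_config() {
    chall=$(sshd_opt "$1" ChallengeResponseAuthentication)
    pam=$(sshd_opt "$1" PAMAuthenticationViaKbdInt)
    privsep=$(sshd_opt "$1" UsePrivilegeSeparation)
    if [ "$chall" = no ] && [ "$pam" = no ]; then
        echo disabled
    elif [ "$privsep" = yes ]; then
        echo privsep-only
    else
        echo exposed
    fi
}

# Constructed sample config, written to a temp file so the script runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# ChallengeResponseAuthentication no
Protocol 2
challengeresponseauthentication yes
PAMAuthenticationViaKbdInt no
UsePrivilegeSeparation yes
EOF
echo "sample config: $(audit_sshd_config "$sample")"
rm -f "$sample"
```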