Buffer Management Vulnerability in OpenSSH

[101200] 主题： Buffer Management Vulnerability in OpenSSH

	作者： hace. (hace.)
	标题： Buffer Management Vulnerability in OpenSSH[转载]
	来自： 202.112..
	发贴时间： 2003年09月17日 11:39:29
	长度： 10986字

	发信人：hace.bbs@hace.dhs.org (半边海)，信区：cn.bbs.comp.security 标题：Buffer Management Vulnerability in OpenSSH 发信站：BBS_半边海站转信站：LeafOK!news.zixia.net!news2.happynet.org!hace CERT?Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH Original release date: September 16, 2003 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * Systems running versions of OpenSSH prior to 3.7 * Systems that use or derive code from vulnerable versions of OpenSSH Overview There is a remotely exploitable vulnerability in a general buffer management function in versions of OpenSSH prior to 3.7. This may allow a remote attacker to corrupt heap memory which could cause a denial-of-service condition. It may also be possible for an attacker to execute arbitrary code. I. Description A vulnerability exists in the buffer management code of OpenSSH. This vulnerability affects versions prior to 3.7. The error occurs when a buffer is allocated for a large packet. When the buffer is cleared, an improperly sized chunk of memory is filled with zeros. This leads to heap corruption, which could cause a denial-of-service condition. This vulnerability may also allow an attacker to execute arbitrary code. This vulnerability is described in an advisory from OpenSSH http://www.openssh.com/txt/buffer.adv and in FreeBSD-SA-03:12: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03 :12.openssh.asc Other systems that use or derive code from OpenSSH may be affected. This includes network equipment and embedded systems. We have monitored incident reports that may be related to this vulnerability. Vulnerability Note VU#333628 lists the vendors we contacted about this vulnerability. The vulnerability note is available from http://www.kb.cert.org/vuls/id/333628 This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) number: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693 II. Impact While the full impact of this vulnerability is unclear, the most likely result is heap corruption, which could lead to a denial of service. If it is possible for an attacker to execute arbitrary code, then they may be able to so with the privileges of the user running the sshd process, typically root. This impact may be limited on systems using the privilege separation (privsep) feature available in OpenSSH. III. Solution Upgrade to OpenSSH version 3.7 This vulnerability is resolved in OpenSSH version 3.7, which is available from the OpenSSH web site at http://www.openssh.com/ Apply a patch from your vendor A patch for this vulnerability is included in the OpenSSH advisory at http://www.openssh.com/txt/buffer.adv This patch may be manually applied to correct this vulnerability in affected versions of OpenSSH. If your vendor has provided a patch or upgrade, you may want to apply it rather than using the patch from OpenSSH. Find information about vendor patches in Appendix A. We will update this document as vendors provide additional information. Use privilege separation to minimize impact System administrators running OpenSSH versions 3.2 or higher may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. Typically, this is accomplished by creating a privsep user, setting up a restricted (chroot) environment, and adding the following line to /etc/ssh/sshd_config: UsePrivilegeSeparation yes This workaround does not prevent this vulnerability from being exploited, however due to the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges. This workaround will not prevent this vulnerability from creating a denial-of-service condition. Not all operating system vendors have implemented the privilege separation code, and on some operating systems it may limit the functionality of OpenSSH. System administrators are encouraged to carefully review the implications of using the workaround in their environment and use a more comprehensive solution if one is available. The use of privilege separation to limit the impact of future vulnerabilities is encouraged. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in the revision history. Additional vendors who have not provided direct statements, but who have made public statements or informed us of their status are listed in VU#333628. If a vendor is not listed below or in VU#333628, we have not received their comments. Bitvise Our software shares no codebase with the OpenSSH implementation, therefore we believe that, in our products, this problem does not exist. Cray, Inc. Cray Inc. supports OpenSSH through its Cray Open Software (COS) package. Cray is vulnerable to this buffer management error and is in the process of compiling OpenSSH 3.7. The new version will be made available in the next COS release. Debian A fix for the buffer management vulnerability is available for the ssh package at http://www.debian.org/security/2003/dsa-382 A fix for the ssh-krb5 (ssh with kerberos support) package is available at http://www.debian.org/security/2003/dsa-383 Mandrake Software Mandrake Linux is affected and MDKSA-2003:090 will be released today with patched versions of OpenSSH to resolve this issue. PuTTY PuTTY is not based on the OpenSSH code base, so it should not be vulnerable to any OpenSSH-specific attacks. _________________________________________________________________ The CERT/CC thanks Markus Friedl of the OpenSSH project for his technical assistance in producing this advisory. _________________________________________________________________ Authors: Jason A. Rafail and Art Manion ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2003-24.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. ______________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2003 Carnegie Mellon University. Revision History September 16, 2003: Initial release References 1. http://www.cert.org/nav/index.html 2. http://www.cert.org/nav/index_main.html 3. http://www.cert.org/contents/contents.html 4. http://search.cert.org/ 5. http://www.cert.org/contact_cert/ 6. http://www.cert.org/faq/cert_faq.html 7. http://www.cert.org/nav/index_red.html 8. http://www.cert.org/nav/index_green.html 9. http://www.cert.org/nav/index_purple.html 10. http://www.cert.org/nav/index_gold.html 11. http://www.cert.org/advisories 12. http://www.kb.cert.org/vuls/ 13. http://www.cert.org/incident_notes/ 14. http://www.cert.org/current/current_activity.html 15. http://www.cert.org/summaries 16. http://www.cert.org/tech_tips 17. http://www.cert.org/kb/aircert/ 18. http://www.cert.org/jobs 19. http://www.cert.org/stats 20. http://www.kb.cert.org/vuls/html/disclosure 21. http://www.cert.org/kb 22. http://www.cert.org/training 23. http://www.cert.org/training 24. http://www.cert.org/other_sources 25. http://www.cert.org/channels 26. http://www.isalliance.org/ 27. http://www.openssh.com/txt/buffer.adv 28. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.a sc 29. http://www.kb.cert.org/vuls/id/333628 30. http://www.kb.cert.org/vuls/id/333628 31. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693 32. http://www.openssh.com/ 33. http://www.openssh.com/txt/buffer.adv 34. http://www.cert.org/advisories/CA-2003-24.html#vendors 35. http://www.kb.cert.org/vuls/id/333628#systems 36. http://www.kb.cert.org/vuls/id/333628#systems 37. http://www.debian.org/security/2003/dsa-382 38. http://www.debian.org/security/2003/dsa-383 39. mailto:cert@cert.org?subject=CA-2003-24%20Feedback%20VU%23333628 40. http://www.cert.org/advisories/CA-2003-24.html 41. mailto:cert@cert.org 42. http://www.cert.org/CERT_PGP.key 43. http://www.cert.org/ 44. mailto:majordomo@cert.org 45. http://www.cert.org/legal_stuff.html -- / /__ __ __ __ / / / ) / /__) / / \_/\ \__ \__ ※ 来源:・BBS 半边海站 hace.dhs.org・
	========== * * * * * ==========

上级目录