[Full-Disclosure] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

From: FreeBSD Security Advisories (security-advisories_at_freebsd.org)
Date: 09/16/03

  • Next message: Ray Slakinski: "[Full-Disclosure] OpenSSH exploit"
    To: FreeBSD Security Advisories <security-advisories@freebsd.org>
    Date: Tue, 16 Sep 2003 11:17:01 -0700 (PDT)
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    =============================================================================
    FreeBSD-SA-03:12 Security Advisory
                                                                    FreeBSD, Inc.

    Topic: OpenSSH buffer management error

    Category: core, ports
    Module: openssh, ports_openssh, openssh-portable
    Announced: 2003-09-16
    Credits: The OpenSSH Project <openssh@openssh.org>
    Affects: All FreeBSD releases after 4.0-RELEASE
                    FreeBSD 4-STABLE prior to the correction date
                    openssh port prior to openssh-3.6.1_1
                    openssh-portable port prior to openssh-portable-3.6.1p2_1
    Corrected: 2003-09-16 16:24:02 UTC (RELENG_4)
                    2003-09-16 16:27:57 UTC (RELENG_5_1)
                    2003-09-16 17:34:32 UTC (RELENG_5_0)
                    2003-09-16 16:24:02 UTC (RELENG_4_8)
                    2003-09-16 16:45:16 UTC (RELENG_4_7)
                    2003-09-16 17:44:15 UTC (RELENG_4_6)
                    2003-09-16 17:45:23 UTC (RELENG_4_5)
                    2003-09-16 17:46:02 UTC (RELENG_4_4)
                    2003-09-16 17:46:37 UTC (RELENG_4_3)
                    2003-09-16 12:43:09 UTC (ports/security/openssh)
                    2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
    CVE: CAN-2003-0693
    FreeBSD only: NO

    I. Background

    OpenSSH is a free version of the SSH protocol suite of network
    connectivity tools. OpenSSH encrypts all traffic (including
    passwords) to effectively eliminate eavesdropping, connection
    hijacking, and other network-level attacks. Additionally, OpenSSH
    provides a myriad of secure tunneling capabilities, as well as a
    variety of authentication methods. `ssh' is the client application,
    while `sshd' is the server.

    II. Problem Description

    When a packet is received that is larger than the space remaining in
    the currently allocated buffer, OpenSSH's buffer management attempts
    to reallocate a larger buffer. During this process, the recorded size
    of the buffer is increased. The new size is then range checked. If
    the range check fails, then fatal() is called to cleanup and exit.
    In some cases, the cleanup code will attempt to zero and free the
    buffer that just had its recorded size (but not actual allocation)
    increased. As a result, memory outside of the allocated buffer will
    be overwritten with NUL bytes.

    III. Impact

    A remote attacker can cause OpenSSH to crash. The bug is not believed
    to be exploitable for code execution on FreeBSD.

    IV. Workaround

    Do one of the following:

    1) Disable the base system sshd by executing the following command as
       root:

       # kill `cat /var/run/sshd.pid`

       Be sure that sshd is not restarted when the system is restarted
       by adding the following line to the end of /etc/rc.conf:

       sshd_enable="NO"

       AND

       Deinstall the openssh or openssh-portable ports if you have one of
       them installed.

    V. Solution

    Do one of the following:

    [For OpenSSH included in the base system]

    1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
       RELENG_4_8, or RELENG_4_7 security branch dated after
       the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
       4.7-RELEASE-p15, respectively).

    2) FreeBSD systems prior to the correction date:

    The following patches have been verified to apply to FreeBSD 4.x and
    FreeBSD 5.x systems prior to the correction date.

    Download the appropriate patch and detached PGP signature from the following
    locations, and verify the signature using your PGP utility.

    [FreeBSD 4.3 through 4.5]
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc

    [FreeBSD 4.6 and later, FreeBSD 5.0 and later]
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc

    Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/sshd.patch
    # cd /usr/src/secure/lib/libssh
    # make depend && make all install
    # cd /usr/src/secure/usr.sbin/sshd
    # make depend && make all install
    # cd /usr/src/secure/usr.bin/ssh
    # make depend && make all install

    Be sure to restart `sshd' after updating.

    # kill `cat /var/run/sshd.pid`
    # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

    [For the OpenSSH ports]

    One of the following:

    1) Upgrade your entire ports collection and rebuild the OpenSSH port.

    2) Deinstall the old package and install a new package obtained from
    the following directory:

    [i386]
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/

    [other platforms]
    Packages are not automatically generated for other platforms at this
    time due to lack of build resources.

    3) Download a new port skeleton for the openssh or openssh-portable
    port from:

    http://www.freebsd.org/ports/

    and use it to rebuild the port.

    4) Use the portcheckout utility to automate option (3) above. The
    portcheckout port is available in /usr/ports/devel/portcheckout or the
    package can be obtained from:

    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

    Be sure to restart `sshd' after updating.

    # kill `cat /var/run/sshd.pid`
    # test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start

    VI. Correction details

    The following list contains the revision numbers of each file that was
    corrected in the FreeBSD base system and ports collection.

    Branch Revision
      Path
    - -------------------------------------------------------------------------
    [Base system]
    RELENG_4
      src/crypto/openssh/buffer.c 1.1.1.1.2.5
      src/crypto/openssh/version.h 1.1.1.1.2.11
    RELENG_5_1
      src/UPDATING 1.251.2.4
      src/crypto/openssh/buffer.c 1.1.1.6.4.1
      src/crypto/openssh/version.h 1.20.2.1
      src/sys/conf/newvers.sh 1.50.2.5
    RELENG_5_0
      src/UPDATING 1.229.2.18
      src/crypto/openssh/buffer.c 1.1.1.6.2.1
      src/crypto/openssh/version.h 1.18.2.1
      src/sys/conf/newvers.sh 1.48.2.13
    RELENG_4_8
      src/UPDATING 1.73.2.80.2.7
      src/crypto/openssh/buffer.c 1.1.1.1.2.4.4.1
      src/crypto/openssh/version.h 1.1.1.1.2.10.2.1
      src/sys/conf/newvers.sh 1.44.2.29.2.6
    RELENG_4_7
      src/UPDATING 1.73.2.74.2.18
      src/crypto/openssh/buffer.c 1.1.1.1.2.4.2.1
      src/crypto/openssh/version.h 1.1.1.1.2.9.2.1
      src/sys/conf/newvers.sh 1.44.2.26.2.17
    RELENG_4_6
      src/UPDATING 1.73.2.68.2.46
      src/crypto/openssh/buffer.c 1.1.1.1.2.3.4.2
      src/crypto/openssh/version.h 1.1.1.1.2.8.2.2
      src/sys/conf/newvers.sh 1.44.2.23.2.35
    RELENG_4_5
      src/UPDATING 1.73.2.50.2.47
      src/crypto/openssh/buffer.c 1.1.1.1.2.3.2.1
      src/crypto/openssh/version.h 1.1.1.1.2.7.2.2
      src/sys/conf/newvers.sh 1.44.2.20.2.31
    RELENG_4_4
      src/UPDATING 1.73.2.43.2.48
      src/crypto/openssh/buffer.c 1.1.1.1.2.2.4.1
      src/crypto/openssh/version.h 1.1.1.1.2.5.2.3
      src/sys/conf/newvers.sh 1.44.2.17.2.39
    RELENG_4_3
      src/UPDATING 1.73.2.28.2.35
      src/crypto/openssh/buffer.c 1.1.1.1.2.2.2.1
      src/crypto/openssh/version.h 1.1.1.1.2.4.2.3
      src/sys/conf/newvers.sh 1.44.2.14.2.25
    [Ports]
      ports/security/openssh-portable/Makefile 1.73
      ports/security/openssh-portable/files/patch-buffer.c 1.1
      ports/security/openssh/Makefile 1.120
      ports/security/openssh/files/patch-buffer.c 1.1
    - -------------------------------------------------------------------------

    Branch Version string
    - -------------------------------------------------------------------------
    HEAD OpenSSH_3.6.1p1 FreeBSD-20030916
    RELENG_4 OpenSSH_3.5p1 FreeBSD-20030916
    RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030916
    RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030916
    RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030916
    RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030916
    RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20030916
    RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20030916
    RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20030916
    - -------------------------------------------------------------------------

    To view the version string of the OpenSSH server, execute the
    following command:

      % /usr/sbin/sshd -\?

    The version string is also displayed when a client connects to the
    server.

    To view the version string of the OpenSSH client, execute the
    following command:

      % /usr/bin/ssh -V

    VII. References

    <URL:http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html>

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2003-0693 to this issue.
    <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (FreeBSD)

    iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ
    PW0VvEnS7MMUYyekHuz49ro=
    =vcm1
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-security-notifications@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
    To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Ray Slakinski: "[Full-Disclosure] OpenSSH exploit"

    Relevant Pages

    • FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
      ... Category: core, ports ... OpenSSH is a free version of the SSH protocol suite of network ... to be exploitable for code execution on FreeBSD. ... Disable the base system sshd by executing the following command as ...
      (Bugtraq)
    • [Full-Disclosure] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh [REVISED]
      ... Category: core, ports ... OpenSSH is a free version of the SSH protocol suite of network ... while `sshd' is the server. ... to be exploitable for code execution on FreeBSD. ...
      (Full-Disclosure)
    • Re: [Full-Disclosure] MacOSX -FreeBSD
      ... BUT because OSX is partially FreeBSD based ... Category: core, ports ... OpenSSH is a free version of the SSH protocol suite of network ... overflow vulnerability ...
      (Full-Disclosure)
    • Re: New to FreeBSD - Some questions
      ... q) Is it possible to run a FreeBSD system without much building? ... you can run both the operating system and the ports from prebuilt binaries. ... q) I would assume UFS with J+SU is "fast enough" for a laptop? ... I installed the base system into Virtualbox and everything works quite ...
      (freebsd-questions)
    • Re: FreeBSD problems and preliminary ways to solve
      ... that they begin migration from FreeBSD to Debian/Ubuntu. ... inadequate package manager and huge monolithic base system ... I'll accept that the package management could be better and the base ... ports' maintainers to do this - the FreeBSD project just hosts the ...
      (freebsd-arch)