CVE-2002-0639
CVSS 10.0
Published: 2002-07-03 00:00:00
Revised: 2016-10-17 22:20:55

[Original] Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.


[CNNVD] OpenSSH Challenge-Response Mechanism Keyboard-Interactive PAM Authentication Remote Buffer Overflow Vulnerability (CNNVD-200207-005)

        OpenSSH is an open-source implementation of the SSH protocol. Originally written for OpenBSD, it has since been ported to many Unix/Linux-like operating systems.
        The challenge-response handling code in OpenSSH 2.3.1p1 through 3.3 contains a vulnerability that lets a remote attacker execute arbitrary commands on the system with the privileges of the sshd process (usually root).
        The flaw is a buffer overflow when processing the responses received during challenge-response authentication. Regardless of whether the challenge-response authentication option is configured, a system that uses PAM modules through keyboard-interactive PAM authentication (PAMAuthenticationViaKbdInt) is affected, and a remote attacker can exploit the flaw to execute arbitrary commands with the privileges of the sshd process.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:openbsd:openssh:3.0p1      OpenBSD OpenSSH 3.0 p1
cpe:/a:openbsd:openssh:3.1p1      OpenBSD OpenSSH 3.1 p1
cpe:/a:openbsd:openssh:3.0.1      OpenBSD OpenSSH 3.0.1
cpe:/a:openbsd:openssh:2.5.2      OpenBSD OpenSSH 2.5.2
cpe:/a:openbsd:openssh:3.0.1p1    OpenBSD OpenSSH 3.0.1 p1
cpe:/a:openbsd:openssh:2.9p1      OpenBSD OpenSSH 2.9 p1
cpe:/a:openbsd:openssh:2.9p2      OpenBSD OpenSSH 2.9 p2
cpe:/a:openbsd:openssh:2.5.1      OpenBSD OpenSSH 2.5.1
cpe:/a:openbsd:openssh:1.2.2      OpenBSD OpenSSH 1.2.2
cpe:/a:openbsd:openssh:2.9        OpenBSD OpenSSH 2.9
cpe:/a:openbsd:openssh:2.5        OpenBSD OpenSSH 2.5
cpe:/a:openbsd:openssh:2.1        OpenBSD OpenSSH 2.1
cpe:/a:openbsd:openssh:3.0        OpenBSD OpenSSH 3.0
cpe:/a:openbsd:openssh:3.3        OpenBSD OpenSSH 3.3
cpe:/a:openbsd:openssh:2.2        OpenBSD OpenSSH 2.2
cpe:/a:openbsd:openssh:2.9.9      OpenBSD OpenSSH 2.9.9
cpe:/a:openbsd:openssh:3.1        OpenBSD OpenSSH 3.1
cpe:/a:openbsd:openssh:2.3        OpenBSD OpenSSH 2.3
cpe:/a:openbsd:openssh:3.2        OpenBSD OpenSSH 3.2
cpe:/a:openbsd:openssh:1.2.3      OpenBSD OpenSSH 1.2.3
cpe:/a:openbsd:openssh:3.2.3p1    OpenBSD OpenSSH 3.2.3 p1
cpe:/a:openbsd:openssh:3.2.2p1    OpenBSD OpenSSH 3.2.2 p1
cpe:/a:openbsd:openssh:2.1.1      OpenBSD OpenSSH 2.1.1
cpe:/a:openbsd:openssh:3.0.2p1    OpenBSD OpenSSH 3.0.2 p1
cpe:/a:openbsd:openssh:3.0.2      OpenBSD OpenSSH 3.0.2
cpe:/a:openbsd:openssh:3.3p1      OpenBSD OpenSSH 3.3 p1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0639
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0639
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-005
(Official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-030.0
http://archives.neohapsis.com/archives/bugtraq/2002-06/0335.html
(UNKNOWN)  BUGTRAQ  20020626 [OpenPKG-SA-2002.005] OpenPKG Security Advisory (openssh)
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
(UNKNOWN)  CONECTIVA  CLA-2002:502
http://marc.info/?l=bugtraq&m=102514371522793&w=2
(UNKNOWN)  BUGTRAQ  20020626 OpenSSH Security Advisory (adv.iss)
http://marc.info/?l=bugtraq&m=102514631524575&w=2
(UNKNOWN)  BUGTRAQ  20020626 Revised OpenSSH Security Advisory (adv.iss)
http://marc.info/?l=bugtraq&m=102521542826833&w=2
(UNKNOWN)  BUGTRAQ  20020627 How to reproduce OpenSSH Overflow.
http://www.cert.org/advisories/CA-2002-18.html
(UNKNOWN)  CERT  CA-2002-18
http://www.debian.org/security/2002/dsa-134
(UNKNOWN)  DEBIAN  DSA-134
http://www.iss.net/security_center/static/9169.php
(UNKNOWN)  XF  openssh-challenge-response-bo(9169)
http://www.kb.cert.org/vuls/id/369347
(UNKNOWN)  CERT-VN  VU#369347
http://www.linuxsecurity.com/advisories/other_advisory-2177.html
(UNKNOWN)  ENGARDE  ESA-20020702-016
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:040
(UNKNOWN)  MANDRAKE  MDKSA-2002:040
http://www.securityfocus.com/bid/5093
(UNKNOWN)  BID  5093
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0206-195
(UNKNOWN)  HP  HPSBUX0206-195

- Vulnerability information

OpenSSH Challenge-Response Mechanism Keyboard-Interactive PAM Authentication Remote Buffer Overflow Vulnerability
Critical  Boundary condition error
2002-07-03 00:00:00 2006-03-28 00:00:00
Remote

- Advisories and patches

        Temporary workarounds:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * 1) Disable SSH protocol version 2:
        Since both vulnerabilities exist only in SSH protocol version 2, disabling protocol version 2 prevents them from being exploited. Do so by editing /etc/ssh/sshd_config:
        Protocol 1
        * 2) Disable the challenge-response authentication option:
        On OpenSSH 2.9 and later, administrators can set "ChallengeResponseAuthentication" to "no" in the sshd configuration file; the line in /etc/ssh/sshd_config should read:
        ChallengeResponseAuthentication no
        This prevents exploitation when SKEY or BSD_AUTH authentication is in use, but does not prevent the vulnerability reached through keyboard-interactive PAM authentication (PAMAuthenticationViaKbdInt).
        * 3) Disable keyboard-interactive PAM authentication:
        On OpenSSH 2.9 and later, administrators can set "PAMAuthenticationViaKbdInt" to "no" in the sshd configuration file; the line in /etc/ssh/sshd_config should read:
        PAMAuthenticationViaKbdInt no
        This option defaults to "no". It prevents exploitation when keyboard-interactive PAM authentication is in use, but does not prevent the vulnerability reached through SKEY or BSD_AUTH authentication.
        * 4) Disable both options in older OpenSSH versions:
        For OpenSSH versions between 2.3.1p1 and 2.9, administrators can set the following options to prevent both vulnerabilities from being exploited:
        KbdInteractiveAuthentication no
        ChallengeResponseAuthentication no
        * 5) Use privilege separation to minimize the impact:
        OpenSSH 3.2 and 3.3 support privilege separation through the "UsePrivilegeSeparation" option; add the following line to /etc/ssh/sshd_config:
        UsePrivilegeSeparation yes
        This does not prevent exploitation: because of privilege separation, an attacker who successfully exploits either vulnerability and obtains a shell is confined to a chroot-restricted environment. It also does not prevent denial-of-service attacks. Administrators are advised to upgrade or apply the patch.
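A small POSIX shell audit, added here as an illustration and not part of the CNNVD advisory or of OpenSSH: it reads an sshd_config and classifies the host against workarounds 1, 2, 3 and 5 above. The helper names sshd_setting and cve_2002_0639_exposure are hypothetical, the sample config is constructed, and absent keywords are assumed to take the OpenSSH defaults (Protocol offers SSH2, ChallengeResponseAuthentication yes, PAMAuthenticationViaKbdInt no as stated above).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the CVE-2002-0639 workarounds
# (steps 1, 2, 3 and 5 of the advisory). Assumed defaults for absent keywords:
# Protocol includes 2, ChallengeResponseAuthentication yes,
# PAMAuthenticationViaKbdInt no.

# sshd_setting FILE KEYWORD: print the effective value of KEYWORD, lowercased.
# sshd keywords are case-insensitive, the first non-comment occurrence wins,
# and both "Keyword value" and "Keyword = value" are accepted.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            k = tolower($1); v = $2
            if (v == "=") v = $3
            if (k == key && !found) { print tolower(v); found = 1 }
        }' "$1"
}

# cve_2002_0639_exposure FILE: print one classification
#   ssh2-disabled                workaround 1: only SSH protocol 1 is offered
#   challenge-response-disabled  workarounds 2+3: both vulnerable paths are off
#   mitigated-privsep            workaround 5: still exploitable, impact contained
#   exposed                      none of the above; patch or upgrade
cve_2002_0639_exposure() {
    proto=$(sshd_setting "$1" Protocol)
    cra=$(sshd_setting "$1" ChallengeResponseAuthentication)
    pamkbd=$(sshd_setting "$1" PAMAuthenticationViaKbdInt)
    privsep=$(sshd_setting "$1" UsePrivilegeSeparation)

    case "$proto" in
        "" | *2*) ;;                       # SSH2 offered (default "2,1")
        *) echo ssh2-disabled; return 0 ;;
    esac
    # PAMAuthenticationViaKbdInt defaults to "no", so absent counts as closed.
    if [ "$cra" = no ] && [ "${pamkbd:-no}" = no ]; then
        echo challenge-response-disabled; return 0
    fi
    if [ "$privsep" = yes ]; then
        echo mitigated-privsep; return 0
    fi
    echo exposed
}

# Constructed sample (not a real host's file): SSH2 on, challenge-response on,
# the PAM kbd-int line commented out, privilege separation enabled.
sample=$(mktemp)
printf '%s\n' '# constructed sshd_config' 'Port 22' 'Protocol 2,1' \
    'ChallengeResponseAuthentication yes' '#PAMAuthenticationViaKbdInt yes' \
    'UsePrivilegeSeparation = yes' > "$sample"
cve_2002_0639_exposure "$sample"           # prints: mitigated-privsep
rm -f "$sample"
```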
        Vendor patches:
        Caldera
        -------
        Caldera has released a security advisory (CSSA-2002-030.0) for this issue:
        CSSA-2002-030.0: Linux: OpenSSH Vulnerabilities in Challenge Response Handling
        Link:
        http://www.caldera.com/support/security/advisories/CSSA-2002-030.0.txt

        Conectiva
        ---------
        Conectiva has released a security advisory (CLA-2002:502) and corresponding patches:
        CLA-2002:502: openssh
        Link:
        http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502

        Patch downloads:
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssh-3.4p1-1U60_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-3.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-3.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-gnome-3.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-clients-3.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-server-3.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openssh-3.4p1-1U70_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-3.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-3.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-gnome-3.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-clients-3.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-server-3.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssh-3.4p1-1U8_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-3.4p1-1U8_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-3.4p1-1U8_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-gnome-3.4p1-1U8_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-clients-3.4p1-1U8_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-server-3.4p1-1U8_1cl.i386.rpm
        Users of Conectiva Linux 6.0 and later can update the RPM packages with apt:
        - Add the following line to /etc/apt/sources.list:

        rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
        (If you are not running version 6.0, replace 6.0 above with the appropriate version number.)
        - Run: apt-get update
        - After updating, run: apt-get upgrade
        Debian
        ------
        Debian has released a security advisory (DSA-134-4) and corresponding patches:
        DSA-134-4: OpenSSH Remote Challenge Vulnerability
        Link:
        http://www.debian.org/security/2002/dsa-134

        Patch downloads:
        Source archives:
        
        http://security.debian.org/pool/updates/main/o/openssh/openssh_3.4p1.orig.tar.gz

        Size/MD5 checksum: 837668 459c1d0262e939d6432f193c7a4ba8a8
        
        http://security.debian.org/pool/updates/main/o/openssh/openssh_3.4p1-0.0potato1.dsc

        Size/MD5 checksum: 871 dd0f18d576520cb7110f5791bce67708
        
        http://security.debian.org/pool/updates/main/o/openssh/openssh_3.4p1-0.0potato1.diff.gz

        Size/MD5 checksum: 33706 ff798880b0835dcc77e42a2b9a075148
        
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz

        Size/MD5 checksum: 2153980 c8261d93317635d56df55650c6aeb3dc
        
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.diff.gz

        Size/MD5 checksum: 37925 718ffc86669ae06b22d77c659400f4e8
        
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.dsc

        Size/MD5 checksum: 784 b197de235e0d10f7bb66b4751808a033
        Architecture independent packages:
        
        http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.1_all.deb

        Size/MD5 checksum: 976 6b39f5a320b1c8bdbba05e2c8b041b70
        alpha architecture (DEC Alpha)
        

- Vulnerability information

6245
OpenSSH SKEY/BSD_AUTH Challenge-Response Remote Overflow
Local Access Required, Remote / Network Access; Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in OpenSSH with SSHv2 challenge-response authentication. OpenSSH fails to correctly check integer boundaries in the challenge-response authentication when OpenSSH is using SKEY or BSD_AUTH authentication, resulting in an integer overflow. With a specially crafted request, an attacker can cause the sshd daemon to execute arbitrary code on this host, resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2002-06-26 Unknown
Unknown Unknown

- Solution

Upgrade to version 3.3 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch, by disabling challenge-response authentication, or by disabling the use of SSHv2 (not recommended).

- References

- Vulnerability author

- Vulnerability information

OpenSSH Challenge-Response Buffer Overflow Vulnerabilities
Boundary Condition Error 5093
Yes No
2002-06-24 12:00:00 2007-11-05 02:45:00
Credited to Mark Dowd of the ISS X-Force. Credit is also given to Global InterSec LLC for discovering an additional issue.

- Affected program versions

Sun Solaris 9
OpenSSH OpenSSH 3.3 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
OpenSSH OpenSSH 3.3
+ Openwall Openwall GNU/*/Linux (Owl)-current
OpenSSH OpenSSH 3.2.3 p1
OpenSSH OpenSSH 3.2.2 p1
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
OpenSSH OpenSSH 3.2
+ OpenBSD OpenBSD 3.1
OpenSSH OpenSSH 3.1 p1
+ Juniper Networks NetScreen-IDP 10 3.0 r2
+ Juniper Networks NetScreen-IDP 10 3.0 r1
+ Juniper Networks NetScreen-IDP 10 3.0
+ Juniper Networks NetScreen-IDP 100 3.0 r2
+ Juniper Networks NetScreen-IDP 100 3.0 r1
+ Juniper Networks NetScreen-IDP 100 3.0
+ Juniper Networks NetScreen-IDP 1000 3.0 r2
+ Juniper Networks NetScreen-IDP 1000 3.0 r1
+ Juniper Networks NetScreen-IDP 1000 3.0
+ Juniper Networks NetScreen-IDP 500 3.0 r2
+ Juniper Networks NetScreen-IDP 500 3.0 r1
+ Juniper Networks NetScreen-IDP 500 3.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.3
+ RedHat Linux 7.2
+ RedHat Linux 7.1
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Slackware Linux 8.1
+ Sun Linux 5.0.7
+ Sun Solaris 9
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
OpenSSH OpenSSH 3.1
OpenSSH OpenSSH 3.0.2 p1
+ Guardian Digital Engarde Secure Linux 1.0.1
+ HP VirtualVault 4.6
OpenSSH OpenSSH 3.0.2
- Debian Linux 3.0
+ FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
+ FreeBSD FreeBSD 4.5 -RELEASE
+ OpenPKG OpenPKG 1.0
+ Openwall Openwall GNU/*/Linux 0.1 -stable
+ S.u.S.E. Linux 8.0
OpenSSH OpenSSH 3.0.1 p1
OpenSSH OpenSSH 3.0.1
OpenSSH OpenSSH 3.0 p1
OpenSSH OpenSSH 3.0
OpenSSH OpenSSH 2.9.9
+ NetBSD NetBSD 1.5.2
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2
OpenSSH OpenSSH 2.9 p2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
- Conectiva Linux 5.0
- Conectiva Linux graficas
- Conectiva Linux ecommerce
+ FreeBSD FreeBSD 4.4 -RELENG
+ HP Secure OS software for Linux 1.0
+ Immunix Immunix OS 7.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2
+ RedHat Linux 7.1
+ RedHat Linux 7.0
- S.u.S.E. Linux 7.3 sparc
- S.u.S.E. Linux 7.3 ppc
- S.u.S.E. Linux 7.3 i386
- S.u.S.E. Linux 7.2 i386
- S.u.S.E. Linux 7.1 x86
- S.u.S.E. Linux 7.1 sparc
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 alpha
+ Sun Cobalt RaQ 550
OpenSSH OpenSSH 2.9 p1
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
OpenSSH OpenSSH 2.9
+ FreeBSD FreeBSD 4.6 -RELEASE
+ FreeBSD FreeBSD 4.6
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
OpenSSH OpenSSH 2.5.2
- Caldera OpenUnix 8.0
- Caldera UnixWare 7.1.1
- Wirex Immunix OS 6.2
OpenSSH OpenSSH 2.5.1
+ NetBSD NetBSD 1.5.1
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. SuSE eMail Server III
- SCO Open Server 5.0.6 a
- SCO Open Server 5.0.6
- SCO Open Server 5.0.5
- SCO Open Server 5.0.4
- SCO Open Server 5.0.3
- SCO Open Server 5.0.2
- SCO Open Server 5.0.1
- SCO Open Server 5.0
+ SuSE SUSE Linux Enterprise Server 7
OpenSSH OpenSSH 2.5
OpenSSH OpenSSH 2.3
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 i386
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 6.4 ppc
- S.u.S.E. Linux 6.4 i386
- S.u.S.E. Linux 6.4 alpha
OpenSSH OpenSSH 2.2
+ Conectiva Linux 6.0
+ NetBSD NetBSD 1.5
OpenSSH OpenSSH 2.1.1
+ Conectiva Linux 5.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
OpenSSH OpenSSH 2.1
OpenSSH OpenSSH 1.2.3
+ Blue Coat Systems Security Gateway OS 2.1.5001 SP1
OpenSSH OpenSSH 1.2.2
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.0
IBM Linux Affinity Toolkit
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
- IBM AIX 5.1
HP HP-UX Secure Shell A.03.10
+ HP HP-UX 11.11
+ HP HP-UX 11.0
OpenSSH OpenSSH 3.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ IBM AIX 5.1 L
+ IBM AIX 4.3.3
+ Immunix Immunix OS 7+
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ Slackware Linux 8.1
OpenSSH OpenSSH 3.4
HP HP-UX Secure Shell A.03.10.002

- Unaffected program versions

OpenSSH OpenSSH 3.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ IBM AIX 5.1 L
+ IBM AIX 4.3.3
+ Immunix Immunix OS 7+
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ Slackware Linux 8.1
OpenSSH OpenSSH 3.4
HP HP-UX Secure Shell A.03.10.002

- Vulnerability discussion

The OpenSSH team has reported two vulnerabilities in OpenSSH that are remotely exploitable and may allow for unauthenticated attackers to obtain root privileges.

The conditions are related to the OpenSSH SSH2 challenge-response mechanism. They occur when the OpenSSH server is configured at compile time to support BSD_AUTH or SKEY. OpenBSD 3.0 and later ship with OpenSSH built to support BSD_AUTH. Systems are vulnerable when either of the following configuration options are enabled:

PAMAuthenticationViaKbdInt
ChallengeResponseAuthentication

Attackers can exploit the vulnerabilities by crafting a malicious response. Since this occurs before the authentication process completes, remote attackers without valid credentials may exploit this. Successful exploits may result in the execution of shellcode or a denial of service.

OpenSSH 3.4 addresses the problem. Upgrading to this version will eliminate the vulnerabilities. Administrators who cannot install OpenSSH 3.4 should upgrade to version 3.3 and enable the privilege-separation feature.

Proof-of-concept code has been made public. Users are advised to upgrade immediately.

UPDATE: One of these issues is trivially exploitable and is still present in OpenSSH 3.5p1 and 3.4p1. Although these reports have not been confirmed, administrators are advised to implement the OpenSSH privilege-separation feature as a workaround. BSD administrators are also advised to upgrade to the newest kernel versions because recently patched vulnerabilities may allow root compromise despite the use of the privilege-separation feature.

- Exploit

Joe Testa <jtesta@rapid7.com> has provided information on how a server segmentation fault may be produced with the use of a modified, malicious SSH client. Details are available in the referenced Bugtraq message post.

Christophe Devine <devine@iie.cnam.fr> has published a proof-of-concept exploit (as a patch to the OpenSSH client).

GOBBLES has also released proof-of-concept code.

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

OpenSSH 3.4 has been released. Although it should contain the fix, administrators are still advised to enable privilege separation as a preventative measure.

The OpenSSH development team has stated that OpenSSH 3.2 (and later) servers configured to use the new privilege separation feature are not exploitable. Privilege separation was introduced in OpenSSH 3.2. Administrators of systems using earlier versions are *strongly* urged to upgrade to OpenSSH 3.2 or later and enable privilege separation. Privilege separation is enabled by default in OpenSSH 3.3.

Please see the references for more information.


IBM Linux Affinity Toolkit

HP HP-UX Secure Shell A.03.10

OpenSSH OpenSSH 1.2.2

OpenSSH OpenSSH 1.2.3

OpenSSH OpenSSH 2.1

OpenSSH OpenSSH 2.1.1

OpenSSH OpenSSH 2.2

OpenSSH OpenSSH 2.3

OpenSSH OpenSSH 2.5

OpenSSH OpenSSH 2.5.1

OpenSSH OpenSSH 2.5.2

OpenSSH OpenSSH 2.9

OpenSSH OpenSSH 2.9 p1

OpenSSH OpenSSH 2.9 p2

- References
