| VID |
14010 |
| Severity |
40 |
| Port |
22 |
| Protocol |
TCP |
| Class |
Ssh |
| Detailed Description |
The version of OpenSSH is vulnerable to a challenge-response buffer overflow attack. The OpenSSH team has reported that vulnerabilities exist in OpenSSH versions older than 3.4. The vulnerabilities are remotely exploitable and may allow unauthenticated attackers to obtain root privileges. The conditions are related to the OpenSSH SSH2 challenge-response mechanism. They are present when the OpenSSH server is configured at compile time to support BSD_AUTH or SKEY. OpenBSD 3.0 and later ship with OpenSSH built to support BSD_AUTH. Systems are vulnerable when either of the following configuration options is enabled: PAMAuthenticationViaKbdInt or ChallengeResponseAuthentication.
It is possible for attackers to exploit the vulnerabilities by constructing a malicious response. As this occurs before the authentication process completes, it may be exploited by remote attackers without valid credentials. Successful exploitation may result in the execution of shellcode or a denial of service.
Note: Proof of concept code has been made public. Users are advised to upgrade immediately. |
| Recommendation |
OpenSSH 3.4 has been released. Upgrade to this version to eliminate the vulnerability.
If this is not possible, administrators should upgrade to version 3.3 and enable the privilege separation feature. To enable privilege separation, set the option UsePrivilegeSeparation to "yes" in your /etc/ssh/sshd_config file. |
| Related URL |
CVE-2002-0639, CVE-2002-0640 (CVE) |
| Related URL |
5093 (SecurityFocus) |
| Related URL |
9169 (ISS) |
|
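
The conditions in the description and recommendation above can be checked together against a server banner and its sshd_config. The following is an added example, not part of the original entry or of any scanner's code. The function names, result labels and sample configuration are assumptions made for illustration. Compile-time BSD_AUTH or SKEY support cannot be read from the configuration file, so it is not checked.

```python
import re

# Options the entry names as making a pre-3.4 server vulnerable when enabled
RISKY_OPTIONS = ("pamauthenticationviakbdint", "challengeresponseauthentication")

# Constructed sample sshd_config for illustration (not taken from a real host)
SAMPLE_CONFIG = """\
# constructed sample
Protocol 2
PAMAuthenticationViaKbdInt no
ChallengeResponseAuthentication yes
UsePrivilegeSeparation yes
"""

def parse_sshd_config(text):
    """Return {lowercased keyword: value}; sshd keeps the first value seen for a keyword."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().strip('"').lower())
    return opts

def parse_version(banner):
    """Extract (major, minor) from a banner such as 'SSH-2.0-OpenSSH_3.2.3p1'."""
    m = re.search(r"OpenSSH[_-](\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(banner, config_text):
    """Classify a host as fixed, not-exposed, mitigated, vulnerable or unknown."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if version >= (3, 4):
        return "fixed"
    opts = parse_sshd_config(config_text)
    # Assumption: an unset option counts as enabled, so a compiled-in
    # default is never silently treated as safe.
    enabled = [o for o in RISKY_OPTIONS if opts.get(o, "yes") == "yes"]
    if not enabled:
        return "not-exposed"
    # Interim measure from the recommendation: 3.3 with privilege separation
    if version == (3, 3) and opts.get("useprivilegeseparation") == "yes":
        return "mitigated"
    return "vulnerable"
```

A "mitigated" result still calls for the upgrade to 3.4, since the recommendation presents privilege separation on 3.3 only as the fallback when upgrading is not possible.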