OpenSSH/SKEY/BSD_AUTH Authentication Overflow Vulnerability





General Info


TC: 12044
Description: OpenSSH is a popular free implementation of the SSH protocol.
There is a problem in the challenge-response handling during authentication.
The problem is present when OpenSSH is compiled with BSD_AUTH or SKEY support. You are vulnerable if ChallengeResponseAuthentication is enabled.
Using privilege separation (a mode in which the main part of OpenSSH runs in one process and the part requiring root privileges runs in a separate process) minimizes the consequences of an attack.
This problem can be exploited to run arbitrary code. Because authentication is not required, the vulnerability is very serious.
TC Impact: Gather Info
Service: ssh



Specific Operations and Actions:


Vulnerability Publication: June 26, 2002
Advisory Copyright: Mark Dowd
Summary: It is possible to run arbitrary code on your host running OpenSSH.
Risk: High
CVSS 2.0 metrics: Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSS 2.0 Base Score: 10
Vulnerability Impact: Gain Root
Host Impact: Your host can be fully compromised.
Nature of Remediation: Update the software.
Steps required to fix the reported vulnerability:

***** Solution type: Upgrade Software *****

These vulnerabilities are eliminated by upgrading to OpenSSH version 3.4.

OpenSSH version 3.4 will correct several other software defects with potential security implications not described in this advisory.

See references for more information.
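The conditions in the Description (version before 3.4, ChallengeResponseAuthentication enabled, BSD_AUTH/SKEY support) and the privilege-separation mitigation can be checked from an sshd banner and sshd_config. The following audit helper is an added example, not part of this advisory or of OpenSSH; the banner and config text are constructed, and whether the binary was built with BSD_AUTH or SKEY cannot be read from the config, so it is passed in as an assumption.

```python
import re

# Constructed sample inputs (not from the advisory): a banner and an sshd_config excerpt.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_3.3p1"
SAMPLE_CONFIG = """
# sshd_config excerpt (constructed)
Port 22
ChallengeResponseAuthentication yes
UsePrivilegeSeparation no
"""

FIXED_VERSION = (3, 4)  # the advisory's remediation: upgrade to OpenSSH 3.4


def parse_openssh_version(banner):
    """Return (major, minor) from a banner like 'SSH-2.0-OpenSSH_3.3p1', or None if not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def parse_sshd_config(text):
    """Return keyword -> value (keywords lower-cased); first occurrence wins, as sshd does."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings


def assess(banner, config_text, has_bsd_auth_or_skey=True):
    """Report whether the host matches the advisory's exposure conditions.

    has_bsd_auth_or_skey is a compile-time property of sshd and is assumed here,
    since it cannot be derived from sshd_config.
    """
    version = parse_openssh_version(banner)
    cfg = parse_sshd_config(config_text)
    # sshd defaults ChallengeResponseAuthentication to 'yes', so a missing keyword counts as enabled
    cra_enabled = cfg.get("challengeresponseauthentication", "yes").lower() == "yes"
    privsep = cfg.get("useprivilegeseparation")  # None when the keyword is absent (unknown)
    unpatched = version is not None and version < FIXED_VERSION
    return {
        "version": version,
        "exposed": unpatched and cra_enabled and has_bsd_auth_or_skey,
        "privsep_limits_impact": None if privsep is None else privsep.lower() == "yes",
    }
```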



Glossary and References:


References: www.sans.org/top20/
* BUGTRAQ: 20020626 OpenSSH Security Advisory (adv.iss)
http://marc.theaimsgroup.com/?l=bugtraq&m=102514371522793&w=2
* BUGTRAQ: 20020626 Revised OpenSSH Security Advisory (adv.iss)
http://marc.theaimsgroup.com/?l=bugtraq&m=102514631524575&w=2
* BUGTRAQ: 20020627 How to reproduce OpenSSH Overflow.
http://marc.theaimsgroup.com/?l=bugtraq&m=102521542826833&w=2
* NETBSD: 2002-005
http://mail-index.netbsd.org/tech-security/2002/06/27/0009.html
* CERT-VN: VU#369347
http://www.kb.cert.org/vuls/id/369347
* CERT: CA-2002-18
http://www.cert.org/advisories/CA-2002-18.html
* DEBIAN: DSA-134
http://www.debian.org/security/2002/dsa-134
* HP: HPSBUX0206-195
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0206-195
* CALDERA: CSSA-2002-030.0
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
* BUGTRAQ: 20020626 [OpenPKG-SA-2002.005] OpenPKG Security Advisory (openssh)
http://archives.neohapsis.com/archives/bugtraq/2002-06/0335.html
* CONECTIVA: CLA-2002:502
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
* ENGARDE: ESA-20020702-016
http://www.linuxsecurity.com/advisories/other_advisory-2177.html
* MANDRAKE: MDKSA-2002:040
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:040
* BID: 5093
http://www.securityfocus.com/bid/5093
* XF: openssh-challenge-response-bo(9169)
http://www.iss.net/security_center/static/9169.php
* OSVDB: 6245
http://www.osvdb.org/6245
* BUGTRAQ: 20020628 Sun statement on the OpenSSH Remote Challenge Vulnerability
http://marc.theaimsgroup.com/?l=bugtraq&m=102532054613894&w=2
* REDHAT: RHSA-2002:131
http://www.redhat.com/support/errata/RHSA-2002-131.html
* SUSE: SuSE-SA:2002:024
http://www.novell.com/linux/security/advisories/2002_024_openssh_txt.html
* REDHAT: RHSA-2002:127
http://www.redhat.com/support/errata/RHSA-2002-127.html
* OSVDB: 839
http://www.osvdb.org/839

CVE Link: CVE-2002-0639
CVE-2002-0640

Glossary: Arbitrary Command Execution
Buffer Overflow
Denial of Service
SSH


© 2003-2010 NexantiS Corporation (www.securescout.com)