OpenSSH/PAM Challenge Response Buffer Overflow Vulnerability

General Info


TC: 12045
Description: OpenSSH is a popular free implementation of the SSH protocol.
There is a flaw in challenge-response authentication.
OpenSSH contains a buffer overflow condition related to the number of responses received during challenge-response authentication. Regardless of how the challenge-response configuration option is set, if the target uses PAM modules with keyboard-interactive authentication (PAMAuthenticationViaKbdInt), an attacker can remotely execute code as the user sshd runs as (often root). The flaw can also be used to cause a denial-of-service condition. The vulnerability is especially serious because the attacker does not need to authenticate to exploit it.
TC Impact: Gather Info
Service: ssh



Specific Operations and Actions:


Vulnerability Publication: June 26, 2002
Advisory Copyright: Mark Dowd
Summary: It is possible to run arbitrary code on your host running OpenSSH.
Risk: High
CVSS 2.0 metrics:
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSS 2.0 Base Score: 10
Vulnerability Impact: Gain Root
Host Impact: Your host can be fully compromised.
Nature of Remediation: Update the software.
Step required to fix the reported vulnerability:

***** Solution type: Upgrade Software *****

Upgrade to OpenSSH version 3.4
These vulnerabilities are eliminated by upgrading to OpenSSH version 3.4.

OpenSSH version 3.4 will correct several other software defects with potential security implications not described in this advisory.

See references for more details.



Glossary and References:


References: www.sans.org/top20/
* BUGTRAQ: 20020626 Revised OpenSSH Security Advisory (adv.iss)
http://marc.theaimsgroup.com/?l=bugtraq&m=102514631524575&w=2
* BUGTRAQ: 20020626 OpenSSH Security Advisory (adv.iss)
http://marc.theaimsgroup.com/?l=bugtraq&m=102514371522793&w=2
* BUGTRAQ: 20020627 How to reproduce OpenSSH Overflow.
http://marc.theaimsgroup.com/?l=bugtraq&m=102521542826833&w=2
* BUGTRAQ: 20020628 Sun statement on the OpenSSH Remote Challenge Vulnerability
http://marc.theaimsgroup.com/?l=bugtraq&m=102532054613894&w=2
* CERT-VN: VU#369347
http://www.kb.cert.org/vuls/id/369347
* CERT: CA-2002-18
http://www.cert.org/advisories/CA-2002-18.html
* DEBIAN: DSA-134
http://www.debian.org/security/2002/dsa-134
* HP: HPSBUX0206-195
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0206-195
* BID: 5093
http://www.securityfocus.com/bid/5093
* REDHAT: RHSA-2002:131
http://www.redhat.com/support/errata/RHSA-2002-131.html
* CALDERA: CSSA-2002-030.0
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
* SUSE: SuSE-SA:2002:024
http://www.novell.com/linux/security/advisories/2002_024_openssh_txt.html
* REDHAT: RHSA-2002:127
http://www.redhat.com/support/errata/RHSA-2002-127.html
* OSVDB: 839
http://www.osvdb.org/839
* MISC: Privilege Separated OpenSSH
http://www.citi.umich.edu/u/provos/ssh/privsep.html
* MISC: Vendor's advisory
http://www.openssh.org/txt/preauth.adv

CVE Link: CVE-2002-0640

Glossary: Arbitrary Command Execution, Buffer Overflow, SSH


© 2003-2010 NexantiS Corporation (www.securescout.com)
SecureScout is a trademark of NexantiS
All Rights Reserved
All product names referenced herein are trademarks of their respective companies

SecureScout products are certified:
CVE Compatible
SANS TOP 20 Compatible
CVSS Compatible (Common Vulnerability Scoring System)