Subject: NetBSD Security Advisory 2002-004: Off-by-one error in openssh session
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: current-users
Date: 03/12/2002 14:04:43
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-004
=================================
Topic: Off-by-one error in openssh session
Version: NetBSD-current: source prior to March 7, 2002
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: not included in base system
pkgsrc: packages prior to 3.0.2.1nb2
Severity: local exploit (against sshd) by an authenticated user
remote exploit (against ssh) by a malicious SSH server
Fixed: NetBSD-current: March 7, 2002
NetBSD-1.5 branch: March 7, 2002 (1.5.3 will include the fix)
pkgsrc: openssh-3.0.2.1nb2 corrects this issue
Abstract
========
OpenSSH prior to version 3.1 has an off-by-one error in the channel code.
This bug can be exploited locally by an authenticated user
logging into a vulnerable OpenSSH server or remotely by a malicious
SSH server attacking a vulnerable OpenSSH client.
Technical Details
=================
http://www.pine.nl/advisories/pine-cert-20020301.html
Solutions and Workarounds
=========================
To identify if your binary is vulnerable, you can use "ssh -V" and "sshd -V"
command.
On NetBSD-current, the following version string identifies the fixed version.
If you see version string prior to this date, the binary is vulnerable.
sshd version OpenSSH_3.1 NetBSD_Secure_Shell-20020308
On NetBSD 1.5 branch, the following string identifies the fixed version.
If you see version string prior to this date, the binary is vulnerable.
sshd version OpenSSH_3.0.2 NetBSD_Secure_Shell-20020307
With pkgsrc, use pkg_info(1) to identify the version. The following version
is not vulnerable. Versions prior to this is vulnerable.
openssh-3.0.2.1nb2
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-03-06
should be upgraded to NetBSD-current dated 2002-03-07 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/dist/ssh
usr.bin/ssh
To update from CVS, re-build, and re-install the ssh suite:
# cd src
# cvs update -d -P crypto/dist/ssh usr.bin/ssh
# cd usr.bin/ssh
# make cleandir dependall
# make install
Be sure to restart a running instance of ssh daemon (/usr/sbin/sshd).
* NetBSD 1.5, 1.5.1, 1.5.2:
Systems running NetBSD 1.5, 1.5.1 or 1.5.2 sources dated from
before 2002-03-06 should be upgraded from NetBSD 1.5.*
sources dated 2002-03-07 or later.
NetBSD 1.5.3 will include the fix.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
crypto/dist/ssh
usr.bin/ssh
To update from CVS, re-build, and re-install the ssh suite:
# cd src
# cvs update -d -P crypto/dist/ssh usr.bin/ssh
# cd usr.bin/ssh
# make cleandir dependall
# make install
Be sure to restart a running instance of ssh daemon (/usr/sbin/sshd).
Alternatively, you can install openssh newer than openssh-3.1.0.1
from pkgsrc and use them instead. Be certain to remove the old executables
in /usr/bin and /usr/sbin if you choose this method, so that the /usr/pkg/
binaries will be used.
* pkgsrc
OpenSSH pkgsrc prior to openssh-3.0.2.1nb2 must be upgraded to
openssh-3.0.2.1nb2 or later.
Thanks To
=========
Markus Friedl
Jun-ichiro itojun Hagino for patches, and preparing advisory text.
Revision History
================
2002-03-11 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-004.txt,v 1.5 2002/03/12 16:49:16 david Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPI4yHD5Ru2/4N2IFAQGe1QQAnXK2dgX8RAf3RuxO090wbx/DYgXvPl8A
gCihoWP8qpP+/UXEmkNSm8KpprB7/A2lXwCY1ZBw/6PjxOKP1Jm85QM2CbAF+yt5
kop+zeRHsPnvd4olB3btDlZvs26lYwufvdEtU/wDWg0NT5bv9XFiq6j1l5w08TdM
YD3VVryEGkk=
=WoBo
-----END PGP SIGNATURE-----