From security-advisories@FreeBSD.org Tue Feb 13 18:34:26 2001 From: FreeBSD Security Advisories To: BUGTRAQ@SECURITYFOCUS.COM Date: Mon, 12 Feb 2001 16:38:34 -0800 Subject: [BUGTRAQ] FreeBSD Security Advisory FreeBSD-SA-01:24.ssh -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:24 Security Advisory FreeBSD, Inc. Topic: SSH1 implementations may allow remote system, data compromise Category: core/ports Module: openssh, ssh Announced: 2001-02-12 Credits: Michal Zalewski (Vulnerability 1) Core-SDI (http://www.core-sdi.com) (Vulnerability 2) Affects: FreeBSD 4.x, 4.2-STABLE prior to the correction date Ports collection prior to the correction date. Corrected: OpenSSH [FreeBSD 4.x base system]: 2000-12-05 (Vulnerability 1) 2001-02-11 (Vulnerability 2) OpenSSH [ports]: 2001-02-09 (Vulnerability 1) 2001-02-11 (Vulnerability 2) ssh [ports]: 2001-02-09 (Vulnerability 1) 2001-02-09 (Vulnerability 2) Vendor status: Patches released. FreeBSD only: NO I. Background OpenSSH is an implementation of the SSH1 and SSH2 secure shell protocols for providing encrypted and authenticated network access, which is available free for unrestricted use. An SSH1 client/server (ssh) from ssh.com is included in the ports collection. This software is not available free of charge for all uses, and the FreeBSD Security Officer does not recommend its use. II. Problem Description There are two flaws in the SSH1 protocol as implemented by OpenSSH and ssh. Vulnerability 1: An integer overflow may allow arbitrary remote users to obtain root permissions on the server running sshd. This is due to a coding mistake in code intended to work around a protocol flaw in the SSH1 protocol. This vulnerability was corrected in OpenSSH 2.3.0, which was committed to FreeBSD 4.2-STABLE on 2000-12-05. Vulnerability 2; Remote attackers who can observe the encrypted contents of a user's SSH1 session, and who have the ability to mount large numbers of connections fo the SSH1 server may be able to break the transient server key used by the server to negotiate encryption parameters for the session, and from there can decrypt the entire contents of the snooped connection. The transient key has a lifetime of only one hour by default, but all snooped SSH1 sessions captured within this timeframe may be broken if the attack is successful. This attack is mitigated by the requirement to initiate large numbers of SSH1 protocol connections to the server during the lifetime of the key. On average a sustained connection rate of around 400 connections and SSH1 protocol handshakes must be carried out per second to have a high chance of succeeding within the 1 hour lifetime of the server key. OpenSSH contains rate-limiting code which will limit the number of outstanding connections to a fraction of this number in the default configuration, and computational and network limitations may reduce this number still further. Therefore, though the potential impact of this flaw is great, it is made very difficult to exploit in practice. However, note that even though the chances of success are reduced, the vulnerability is not eliminated. OpenSSH is installed if you chose to install the 'crypto' distribution at install-time or when compiling from source, and is installed and enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1 protocol support is enabled. If SSH1 protocol support has been disabled in OpenSSH, it is not vulnerable to these attacks. They do not affect implementations of the SSH2 protocol, such as OpenSSH run in SSH2-only mode. Versions of the OpenSSH port prior to openssh-2.2.0_2, and versions of the ssh port prior to ssh-1.2.27_3 are vulnerable to these attacks. III. Impact Arbitrary remote users may be able to execute arbitrary code as root on an SSH1 server accepting connections via the SSH1 protocol. Remote users who can snoop the encrypted contents of SSH1 sessions belonging to other users, and who can mount a very high rate of connections to the server may be able to mount an attack leading to the ability to decrypt these sessions. This attack may disclose account password details as well as other sensitive data. IV. Workaround If you are running sshd, disable the use of the SSH1 protocol in OpenSSH. SSH1 contains inherent protocol deficiencies and is not recommended for use in high-security environments. Note that some third-party SSH clients are not capable of using the SSH2 protocol, however the OpenSSH client (version 2.1 and later) included in FreeBSD is SSH2-capable. To disable SSH1, add the following line to the /etc/ssh/sshd_config file (/usr/local/etc/sshd_config for the OpenSSH port): Protocol 2 and remove any other "Protocol" directives from that file. Execute the following command as root: # kill -HUP `cat /var/run/sshd.pid` This will cause the parent process to reread its configuration file, and should not interfere with existing SSH sessions. V. Solution - --[OpenSSH - base system]----- One of the following: 1) Upgrade to FreeBSD 4.2-STABLE after the correction date. Note that these versions of FreeBSD contain a newer version of OpenSSH (version 2.3.0) than was in 4.2-RELEASE (version 2.2.0). 2) Download the patch and detached PGP signature from the following location: The following patch applies to FreeBSD 4.2-RELEASE. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch.asc The folllowing patch applies to FreeBSD 4.2-STABLE which is running OpenSSH 2.3.0 (4.2-STABLE dated after 2000-12-05) # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch.asc Verify the detached signature using your PGP utility. Issue the following commands as root: # cd /usr/src/crypto/openssh # patch -p < /path/to/patch # cd /usr/src/secure/lib/libssh # make all # cd /usr/src/secure/usr.bin/ssh-agent # make all install # cd /usr/src/secure/usr.sbin/sshd # make all install Finally, if sshd is already running then kill and restart the sshd daemon: perform the following command as root: # kill -KILL `cat /var/run/sshd.pid` && /usr/sbin/sshd This will not affect sessions in progress. - --[OpenSSH - port]----- Use one of the following options to upgrade the OpenSSH software, then kill and restart the sshd daemon if it is already running. This will not affect sessions in progress. To kill and restart the sshd daemon, perform the following command as root: # kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd 1) Upgrade your entire ports collection and rebuild the OpenSSH port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0_2.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0_2.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0_2.tgz NOTE: It may be several days before updated packages are available. [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) download a new port skeleton for the OpenSSH port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz - --[ssh - port]----- Use one of the following options to upgrade the ssh software, then kill and restart the sshd daemon if it is already running. This will not affect sessions in progress. To kill and restart the sshd daemon, perform the following command as root: # kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd 1) Upgrade your entire ports collection and rebuild the ssh port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/ssh-1.2.27_3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/ssh-1.2.27_3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/ssh-1.2.27_3.tgz NOTE: It may be several days before updated packages are available. [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) download a new port skeleton for the OpenSSH port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOoiAylUuHi5z0oilAQEoVgP/Qc5UXjRnR3byHZfQyM4VyuwCWAWeAaD7 HPjlhLTiOb0HUqsVhiraIX5Mgi5ReySj2wREd4EKW9pEKiXfcXCWItivG8PrV/P8 NHEo5B393r1G8ovtkt3fu0bQ7RhOrxOeHRn5mxbmk8pIrRg7oxeZ02ygJiCV8LqT hoOxMmU4FYQ= =REEI -----END PGP SIGNATURE-----