[VIM] OpenSSH vulnerability affected/solution questions
security curmudgeon
jericho at attrition.org
Mon May 14 21:22:20 UTC 2007
Sorting through the OpenSSH vulnerabilities for the past few years, there
is a lot of confusion about versions affected and solutions. OpenSSH's
security page [1] is not very complete and hasn't been updated since
2005/07/14 either. If anyone has a contact there let me know and I'll send
all of this over when finished. Writing this for myself as much as anyone
else. =) If anyone can fill in blanks or provide more information, that
would be groovy.
- jericho
[1] http://www.openssh.org/security.html
---
OpenSSH Privilege Separation LoginGraceTime DoS
CVE-2004-2069 / OSVDB 16567
3.6.1p2 and 3.7.1p2 were tested and confirmed. A patch was offered by
Darren Tucker, but there was no mention if it was added to the mainstream
releases:
http://marc.info/?l=openssh-unix-dev&m=107529205602320&w=2
--
OpenSSH scp/rcp Traversal Arbitrary File Overwrite
CVE-2004-0175 / OSVDB 9550
Most references deal with scp; the Mandriva advisory also mentions rcp in
the rsh package. The Mandriva advisory is asking for authentication now,
so they changed their advisory scheme (again?). Odds are these are two
separate issues, but not sure until I can read the advisory.
http://frontal1.mandriva.com/security/advisories?name=MDKSA-2005:100
Anyway, ISS says 3.0p1 - 3.4 is affected, but upgrade to 3.8.1p1 to fix,
suggesting 3.4 - 3.8.0 would be vuln? Or perhaps the entry was created
later and that was the current version, as CVE's wording suggests 3.4p1
fixes. I don't see any ack from OpenSSH or where the fix was announced,
other than vendor specific distributions (RedHat, Juniper, et al).
--
OpenSSH Default Configuration Anon SSH Service Port Bounce Issue
CVE-2004-1653 / OSVDB 9562
Original disclosure (mail list) does not mention a version and original
advisory link is dead. One of our manglers indicated 3.9 was vuln, and 4.0
was a fix but he did not include any reference (thus, the entry was not
made public) to where he found that information.
--
OpenSSH scp Command Line Filename Processing Command Injection
CVE-2006-0225 / OSVDB 22692
vendor ack from changelog:
Changelog:
20060131
- djm at cvs.openbsd.org 2006/01/31 10:19:02
[misc.c misc.h scp.c sftp.c]
fix local arbitrary command execution vulnerability on local/local and
remote/remote copies (CVE-2006-0225, bz #1094), patch by
t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
solution: up to 4.3p1
--
OpenSSH with OpenPAM Connection Saturation Forked Process Saturation DoS
CVE-2006-0883 / OSVDB 23797
CVE can add reference: http://bugzilla.mindrot.org/show_bug.cgi?id=839
From that, affected version: 3.8.1p1
The changelog at the bottom of this bug report:
20040711
- (dtucker) [auth-pam.c] Check for zero from waitpid() too, which allows
the monitor to properly clean up the PAM thread (Debian bug #252676).
But this does not appear in the OpenSSH 4.6p1 Changelog file since it
starts at 20050908. Checking the OpenSSH 3.9p1 Changelog shows this entry,
so upgrading to 3.9p1 is the vendor verified fix.
--
OpenSSH packet.c Invalid Protocol Sequence Remote DoS
CVE-2006-4925 / OSVDB 29494
No obvious references to affected version. The Debian bugzilla shows a dev
patching --- openssh-4.3p2/packet.c 2005-11-05 04:15:00.000000000 +0000
implying that 4.3p2 is vuln. It goes on to say 4.3_p2-r3 in portage has the
fix. I don't know if the Debian portage reflects the mainstream versions
or not? Tavis replies that 4.3_p2-r5 was committed and fixes.
I don't see reference to this in the OpenSSH Portable changelog.
--
OpenSSH Username Password Complexity Timing Attack
CVE-2006-5229 / OSVDB 32721
CVE sums up this very well: OpenSSH portable 4.1 on SUSE Linux, and
possibly other platforms and versions, and possibly under limited
configurations, allows remote attackers to determine valid usernames via
timing discrepancies in which responses take longer for valid usernames
than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it
appears that this issue is dependent on the use of manually-set passwords
that causes delays when processing /etc/shadow due to an increased number
of rounds.
So 4.1 Portable is affected, but the last post in the thread suggests this
appears only on SUSE since a key part of this is whether YaST set the
password, for example. Not sure if this is something further reaching, or
if SUSE would have to issue a platform specific patch and mainstream would
ignore this.
--
OpenSSH S/KEY Authentication Account Enumeration
CVE-2007-2243 / OSVDB 34600
Original disclosure says 4.6 affected, recent issue so no word from
OpenSSH that I can see yet. OpenBSD security page shows three entries on
Apr 27, this disclosure on Apr 20.
--
OpenSSH w/ OPIE Authentication Account Enumeration
OSVDB 34601
In a follow-up to the S/KEY issue, someone mentioned that OPIE exhibits
the same behavior. There were relatively few details and it does not
specify a version affected or show an example.
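As an added example (not part of the original post), a small Python helper that pulls the version out of an OpenSSH server banner, turns the portable "pN" suffix into a comparable tuple, and checks it against the two fixes the notes above cite as vendor-verified from the changelog. The `FIXED_IN` table and the reading of "solution: up to 4.3p1" as "fixed in 4.3p1" are my assumptions; as the packet.c notes say, distributions backport fixes without changing the banner, so a hit here means "check the vendor advisory", not "confirmed vulnerable".

```python
import re

# SSH identification string: "SSH-<proto>-OpenSSH_<ver>[ comments]".
BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(?P<ver>\d+(?:\.\d+)*(?:p\d+)?)")
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:p(\d+))?")

# Fix versions taken from the changelog entries quoted in the post (assumption:
# "solution: up to 4.3p1" is read as "fixed in 4.3p1").
FIXED_IN = {
    "CVE-2006-0883": "3.9p1",   # OpenPAM waitpid() fix, 20040711 entry
    "CVE-2006-0225": "4.3p1",   # scp command injection, 20060131 entry
}


def parse_openssh_version(ver: str) -> tuple:
    """'3.8.1p1' -> (3, 8, 1, 1); '4.3' -> (4, 3, 0, 0).

    Numeric parts are padded to three so 3.9p1 sorts after 3.8.1p1; the
    portable release number is the last element (0 for a non-portable release).
    """
    m = VERSION_RE.fullmatch(ver)
    if not m:
        raise ValueError(f"not an OpenSSH version string: {ver!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    portable = int(m.group(2)) if m.group(2) else 0
    return nums + (portable,)


def version_from_banner(banner: str):
    """Return the version string from a server banner, or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    return m.group("ver") if m else None


def possibly_affected(ver: str, cve: str) -> bool:
    """True when the banner version predates the vendor fix (backports excluded)."""
    return parse_openssh_version(ver) < parse_openssh_version(FIXED_IN[cve])


def triage_banner(banner: str) -> dict:
    """Map each CVE in FIXED_IN to whether the banner version predates its fix."""
    ver = version_from_banner(banner)
    if ver is None:
        return {}
    return {cve: possibly_affected(ver, cve) for cve in FIXED_IN}


if __name__ == "__main__":
    # Constructed sample banner, in the real OpenSSH identification format.
    print(triage_banner("SSH-2.0-OpenSSH_3.8.1p1 Debian-8"))
```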