[VIM] OpenSSH vulnerability affected/solution questions

security curmudgeon jericho at attrition.org
Mon May 14 21:22:20 UTC 2007


Sorting through the OpenSSH vulnerabilities for the past few years, there 
is a lot of confusion about versions affected and solutions. OpenSSH's 
security page [1] is not very complete and hasn't been updated since 
2005/07/14 either. If anyone has a contact there let me know and I'll send 
all of this over when finished. Writing this for myself as much as anyone 
else. =) If anyone can fill in blanks or provide more information, that 
would be groovy.

- jericho

[1] http://www.openssh.org/security.html

---

OpenSSH Privilege Separation LoginGraceTime DoS
CVE-2004-2069 / OSVDB 16567

3.6.1p2 and 3.7.1p2 were tested and confirmed. A patch was offered by 
Darren Tucker, but there was no mention if it was added to the mainstream 
releases:

http://marc.info/?l=openssh-unix-dev&m=107529205602320&w=2

--

OpenSSH scp/rcp Traversal Arbitrary File Overwrite
CVE-2004-0175 / OSVDB 9550

Most references deal with scp; the Mandriva advisory also mentions rcp in 
the rsh package. The Mandriva advisory is asking for authentication now, 
so they changed their advisory scheme (again?). Odds are these are two 
separate issues, but not sure until I can read the advisory.

http://frontal1.mandriva.com/security/advisories?name=MDKSA-2005:100

Anyway, ISS says 3.0p1 - 3.4 is affected, but upgrade to 3.8.1p1 to fix, 
suggesting 3.4 - 3.8.0 would be vuln? Or perhaps the entry was created 
later and that was the current version, as CVE's wording suggests 3.4p1 
fixes. I don't see any ack from OpenSSH or where the fix was announced, 
other than vendor specific distributions (RedHat, Juniper, et al).

--

OpenSSH Default Configuration Anon SSH Service Port Bounce Issue
CVE-2004-1653 / OSVDB 9562

Original disclosure (mail list) does not mention a version and original 
advisory link is dead. One of our manglers indicated 3.9 was vuln, and 4.0 
was a fix but he did not include any reference (thus, the entry was not 
made public) to where he found that information.

--

OpenSSH scp Command Line Filename Processing Command Injection
CVE-2006-0225 / OSVDB 22692

vendor ack from changelog:
Changelog:
20060131
    - djm at cvs.openbsd.org 2006/01/31 10:19:02
      [misc.c misc.h scp.c sftp.c]
      fix local arbitrary command execution vulnerability on local/local and
      remote/remote copies (CVE-2006-0225, bz #1094), patch by
      t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@

solution: up to 4.3p1

--

OpenSSH with OpenPAM Connection Saturation Forked Process Saturation DoS
CVE-2006-0883 / OSVDB 23797

CVE can add reference: http://bugzilla.mindrot.org/show_bug.cgi?id=839

From that, affected version: 3.8.1p1

The changelog at the bottom of this bug report:
20040711
  - (dtucker) [auth-pam.c] Check for zero from waitpid() too, which allows
    the monitor to properly clean up the PAM thread (Debian bug #252676).

But this does not appear in the OpenSSH 4.6p1 Changelog file since it 
starts at 20050908. Checking the OpenSSH 3.9p1 Changelog shows this entry, 
so upgrading to 3.9p1 is the vendor verified fix.

--

OpenSSH packet.c Invalid Protocol Sequence Remote DoS
CVE-2006-4925 / OSVDB 29494

No obvious references to affected version. The Debian bugzilla shows a dev 
patching --- openssh-4.3p2/packet.c  2005-11-05 04:15:00.000000000 +0000

implying that 4.3p2 is vuln. It goes on to say 4.3_p2-r3 in portage has the 
fix. I don't know if the Debian portage reflects the mainstream versions 
or not? Tavis replies that 4.3_p2-r5 was committed and fixes.

I don't see a reference to this in the OpenSSH Portable changelog.

--

OpenSSH Username Password Complexity Timing Attack
CVE-2006-5229 / OSVDB 32721

CVE sums up this very well: OpenSSH portable 4.1 on SUSE Linux, and 
possibly other platforms and versions, and possibly under limited 
configurations, allows remote attackers to determine valid usernames via 
timing discrepancies in which responses take longer for valid usernames 
than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it 
appears that this issue is dependent on the use of manually-set passwords 
that causes delays when processing /etc/shadow due to an increased number 
of rounds.

So 4.1 Portable is affected, but the last post in the thread suggests this 
appears only on SUSE since a key part of this is whether YaST set the 
password for example. Not sure if this is something farther reaching, or 
if SUSE would have to issue a platform specific patch and mainstream would 
ignore this.

--

OpenSSH S/KEY Authentication Account Enumeration
CVE-2007-2243 / OSVDB 34600

Original disclosure says 4.6 affected, recent issue so no word from 
OpenSSH that I can see yet. OpenBSD security page shows three entries on 
Apr 27, this disclosure on Apr 20.

--

OpenSSH w/ OPIE Authentication Account Enumeration
OSVDB 34601

In a follow-up to the S/KEY issue, someone mentioned that OPIE exhibits 
the same behavior. There were relatively few details and it does not 
specify a version affected or show an example.
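One way to make the version bookkeeping in the post mechanical, as an added example that is not part of jericho's post or of OpenSSH's own tooling: a small vulnerability-management helper that parses OpenSSH portable version strings ("3.6.1p2", "4.3p1", Gentoo-style "4.3_p2-r3") into comparable tuples and checks a given version against the affected/fixed ranges the post reports. The ADVISORIES table is constructed from the post's text only; where the post gives no version the field is None and the check answers "undecidable" instead of guessing. Function and table names are mine.

```python
"""Affected-version checks for the OpenSSH issues catalogued above.

Added example, not part of the post: parse OpenSSH portable version strings
and compare them against the affected/fixed ranges the post reports.
"""
import re
from typing import NamedTuple, Optional

# OpenSSH portable strings: '3.6.1p2', '4.3p1', '3.9'; Gentoo-style
# '4.3_p2-r3' is accepted with the distro revision (-rN) ignored.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_?p(\d+))?(?:-r\d+)?$"
)


def parse_version(s: str) -> tuple:
    """Return a comparable tuple (major, minor, micro, portable_patch).

    A bare OpenBSD release ('4.3') sorts before its portable builds
    ('4.3p1'), and '3.8.1p1' sorts before '3.9p1'.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSH version string: {s!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro or 0), int(patch or 0))


class Advisory(NamedTuple):
    cve: str
    title: str
    first_affected: Optional[str]  # None: earliest affected version unknown
    fixed_in: Optional[str]        # None: no vendor-verified fix known


# Ranges exactly as the post reports them (some are explicitly uncertain
# there); this table is constructed for the example, not an authoritative list.
ADVISORIES = [
    Advisory("CVE-2004-0175", "scp/rcp traversal file overwrite",
             "3.0p1", "3.4p1"),   # CVE wording per the post; ISS says 3.8.1p1
    Advisory("CVE-2006-0225", "scp command injection", None, "4.3p1"),
    Advisory("CVE-2006-0883", "OpenPAM forked process DoS", "3.8.1p1", "3.9p1"),
    Advisory("CVE-2007-2243", "S/KEY account enumeration", None, None),
]


def advisory(cve: str) -> Advisory:
    """Look up an advisory in the table by CVE id."""
    for a in ADVISORIES:
        if a.cve == cve:
            return a
    raise KeyError(cve)


def is_affected(version: str, adv: Advisory) -> Optional[bool]:
    """True/False when the table's data decides it; None when it cannot.

    Only upstream version numbers are compared: a distro package that
    backports the fix (the 4.3_p2-rN revisions in the post, for instance)
    keeps its old upstream version and will still show as affected here,
    so treat True as "check the vendor changelog", not as a verdict.
    """
    v = parse_version(version)
    if adv.fixed_in is None:
        return None
    if v >= parse_version(adv.fixed_in):
        return False
    if adv.first_affected is not None and v < parse_version(adv.first_affected):
        return False
    return True


def open_issues(version: str) -> list:
    """CVEs not ruled out for the given version (affected or undecidable)."""
    return [a.cve for a in ADVISORIES if is_affected(version, a) is not False]


if __name__ == "__main__":
    for ver in ("3.8.1p1", "4.3p2", "4.6p1"):
        print(ver, "->", open_issues(ver))
```

The tuple ordering is the whole point: string comparison would put "3.10" before "3.9" and cannot see that "4.3p2" is newer than "4.3p1", which is exactly the kind of confusion the post is sorting through. Distro revisions are deliberately discarded because they carry backports that an upstream-only comparison cannot see.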
