Serious flaws have been detected in OpenSSH on the OpenBSD operating system, the open-source tool used as a secure alternative to Telnet and FTP and security experts are recommending IT administrators upgrade to OpenSSH version 3.4 immediately.

The CERT Coordination Center issued an alert spelling out the bugs in the open source software, which affects OpenSSH versions 2.3.1p1 through 3.3.

OpenSSH, which is included in Linux and Unix OS distributions, is a free version of the SSH (define) tool. It is a popular replacement for Telnet, Rlogin, Rsh, and Ftp protocols.

CERT said two related vulnerabilities were found in the challenge response handling code that could allow remote intruders to execute arbitrary code as the user running sshd (often root). The flaws could also cause a denial-of-service (define) condition.

The first vulnerability affects OpenSSH versions 2.9.9 through 3.3 that have the challenge response option enabled and that use SKEY or BSD_AUTH authentication, the security group said. The second flaw affects PAM modules using interactive keyboard authentication, regardless of the challenge response option setting, it warned.

Another bug is a buffer overflow involving the number of responses received during challenge response authentication. "Regardless of the setting of the challenge response configuration option, systems using PAM modules that use interactive keyboard authentication (PAMAuthenticationViaKbdInt), may be vulnerable to the remote execution of code," CERT said..

A separate warning was also issued by the Internet Security Systems (ISS), which recommended IT administrators using the free OpenSSH tool upgrade to version 3.4 immediately or, as a temporary workaround, disable unused OpenSSH authentication mechanisms.

The ISS recommended the implementation of Internet Scanner X-Press Update 6.13, which includes an OpenSshRunning check to detect potentially vulnerable installations of the tool. The check can be downloaded here. The security firm also urged system administrators to disable unused OpenSSH authentication mechanisms by disabling the Challenge-Response authentication parameter within the OpenSSH daemon configuration file.

"This filename and path is typically: /etc/ssh/sshd_config. To disable this parameter, locate the corresponding line and change it to ChallengeResponseAuthentication no," ISS said. It noted the "sshd" process must be restarted for the change to take effect.

The firm said administrators should upgrade to OpenSSH version 3.4 immediately. "This (upgrade) implements privilege separation, contains a patch to block this vulnerability, and contains many additional pro- active security fixes," it added.