The CERT Coordination Center has issued a security alert for a buffer
management vulnerability in versions of the OpenBSD Project’s popular OpenSSH network connectivity tool.
The security hole, which affects all versions of OpenSSH prior to 3.7,
could cause a denial-of-service condition and may also allow an attacker to
execute arbitrary code, CERT/CC warned. Systems that use or derive code
from vulnerable versions of OpenSSH are also vulnerable.
According to the advisory, the vulnerability
exists in the buffer management code of OpenSSH. “The error occurs when a
buffer is allocated for a large packet. When the buffer is cleared, an
improperly sized chunk of memory is filled with zeros,” CERT/CC
explained.
OpenSSH, which is included in Linux and Unix OS distributions, is a free
version of the SSH
rlogin, rsh, and ftp protocols.
While the full impact of the OpenSSH vulnerability remains unclear,
CERT/CC cautioned that the most likely result would be “heap corruption,”
which could lead to a denial-of-service
“If it is possible for an attacker to execute arbitrary code, then they
may be able to so with the privileges of the user running the sshd process,
typically root. This impact may be limited on systems using the privilege
separation (privsep) feature available in OpenSSH,” it added.
Sysadmins are urged to upgrade to OpenSSH 3.7 or apply available vendor
patches. OpenSSH has also issued a fix (available here).
As a temporary workaround, IT admins running vulnerable OpenSSH versions
may be able to reduce the impact of the security hole by enabling the
“UsePrivilegeSeparation” configuration option in their sshd
configuration file. However, CERT/CC warned that the workaround does not
prevent exploitation of the vulnerability.
“System administrators are encouraged to carefully review the
implications of using the workaround in their environment and use a more
comprehensive solution if one is available. The use of privilege separation
to limit the impact of future vulnerabilities is encouraged,” the Center
added.