Internet Security Systems Security Advisory
June 26, 2002
OpenSSH Remote Challenge Vulnerability
Synopsis:
ISS X-Force has discovered a serious vulnerability in the default
installation of OpenSSH on the OpenBSD operating system. OpenSSH is a
free version of the SSH (Secure Shell) communications suite and is used
as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and
Ftp. OpenSSH employs end-to-end encryption (including all passwords) and
is resistant to network monitoring, eavesdropping, and connection
hijacking attacks. X-Force is aware of active exploit development for
this vulnerability.
Impact:
OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be
vulnerable to a remote, superuser compromise.
Affected Versions:
OpenBSD 3.0
OpenBSD 3.1
FreeBSD-Current
OpenSSH 3.0-3.2.3
OpenSSH version 3.3 implements "privilege separation" which mitigates
the risk of a superuser compromise. Prior to the release of this
advisory, ISS and OpenBSD encouraged all OpenSSH users to upgrade to
version 3.3. Versions of FreeBSD-Current built between March 18, 2002
and June 23, 2002 are vulnerable to remote superuser compromise.
Privilege separation was implemented in FreeBSD-Current on June 23,
2002.
Note: OpenSSH is included in many operating system distributions,
networking equipment, and security appliances. Refer to the following
address for information about vendors that implement OpenSSH:
http://www.openssh.com/users.html
This mechanism, part of the SSH2 protocol, verifies a user's identity by generating a challenge and forcing the user to supply a number of responses.
However, this mechanism is flawed in OpenSSH version 3.3 - it's possible for a remote attacker to send a specially-crafted reply that triggers an overflow.
According to ISS, this can result in a remote denial of service attack on the OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs with superuser privilege, so remote attackers can gain superuser access.
Worse still, the vulnerability is being "actively exploited".
ISS recommends upgrading to OpenSSH version 3.4 immediately. As a workaround, BOFHs might also consider disabling unused OpenSSH authentication mechanisms.
[ 06-26-2002, 06:26 PM: Message edited by: justmy2cents ]
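An added example, not part of the post or of the ISS advisory, for an administrator triaging hosts against this advisory: it classifies an OpenSSH identification banner against the version ranges the advisory gives (3.0 to 3.2.3 affected, 3.3 mitigated by privilege separation, 3.4 recommended), and audits an sshd_config for the workaround the post mentions. It assumes the standard "SSH-proto-OpenSSH_x.y.z" banner format and the sshd_config keywords ChallengeResponseAuthentication and UsePrivilegeSeparation; the banners and config text are constructed samples.

```python
import re

# Version boundaries taken from the advisory text above.
AFFECTED_LOW = (3, 0, 0)    # OpenSSH 3.0 ...
AFFECTED_HIGH = (3, 2, 3)   # ... through 3.2.3 is affected
MITIGATED = (3, 3, 0)       # 3.3 ships privilege separation
FIXED = (3, 4, 0)           # 3.4 is the recommended upgrade

# Assumed banner shape: "SSH-<proto>-OpenSSH_<major>.<minor>[.<patch>][suffix]"
_BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, patch) from an SSH identification string,
    or None if the banner is not from OpenSSH."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(banner):
    """Map a banner onto the advisory's version ranges."""
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "vulnerable"
    if MITIGATED <= v < FIXED:
        return "mitigated-by-privsep"
    if v >= FIXED:
        return "fixed"
    return "outside-advisory-range"


def audit_sshd_config(text):
    """Return findings for the workaround: challenge-response auth should be
    explicitly off and privilege separation explicitly on. Keywords are
    matched case-insensitively; '#' starts a comment (assumed syntax)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    if settings.get("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is not explicitly set to no")
    if settings.get("useprivilegeseparation") != "yes":
        findings.append("UsePrivilegeSeparation is not explicitly set to yes")
    return findings
```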