Date: Wed, 17 Sep 2003 15:37:56 -0700 (PDT)
From: FreeBSD Security Advisories <security-advisories@freebsd.org.>
To: Bugtraq <bugtraq@securityfocus.com.>
Subject: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
FreeBSD-SA-03:12 Security Advisory
FreeBSD, Inc.
Topic: OpenSSH buffer management error
Category: core, ports
Module: openssh, ports_openssh, openssh-portable
Announced: 2003-09-16
Credits: The OpenSSH Project <openssh@openssh.org.>
Affects: All FreeBSD releases after 4.0-RELEASE
FreeBSD 4-STABLE prior to the correction date
openssh port prior to openssh-3.6.1_3
openssh-portable port prior to openssh-portable-3.6.1p2_3
Corrected: 2003-09-17 16:24:02 UTC (RELENG_4, 4.9-PRERELEASE)
2003-09-17 14:46:58 UTC (RELENG_5_1, 5.1-RELEASE-p4)
2003-09-17 14:50:14 UTC (RELENG_5_0, 5.0-RELEASE-p13)
2003-09-17 14:51:09 UTC (RELENG_4_8, 4.8-RELEASE-p6)
2003-09-17 14:51:37 UTC (RELENG_4_7, 4.7-RELEASE-p16)
2003-09-17 14:52:08 UTC (RELENG_4_6, 4.6-RELEASE-p19)
2003-09-17 14:52:42 UTC (RELENG_4_5, 4.5-RELEASE-p31)
2003-09-17 14:57:32 UTC (RELENG_4_4, 4.4-RELEASE-p41)
2003-09-17 14:58:56 UTC (RELENG_4_3, 4.3-RELEASE-p37)
2003-09-17 16:07:48 UTC (ports/security/openssh)
2003-09-17 16:07:48 UTC (ports/security/openssh-portable)
CVE: CAN-2003-0693, CAN-2003-0695, CAN-2003-0682
FreeBSD only: NO
0. Revision History
v1.0 2003-09-16 Initial release
v1.1 2003-09-17 Typo in instructions for restarting sshd
Additional buffer management errors corrected
I. Background
OpenSSH is a free version of the SSH protocol suite of network
connectivity tools. OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.
II. Problem Description
Several operations within OpenSSH require dynamic memory allocation
or reallocation. Examples are: the receipt of a packet larger
than available space in a currently allocated buffer; creation of
additional channels beyond the currently allocated maximum; and
allocation of new sockets beyond the currently allocated maximum.
Many of these operations can fail either due to `out of memory' or
due to explicit checks for ridiculously sized requests. However, the
failure occurs after the allocation size has already been updated, so
that the bookkeeping data structures are in an inconsistent state (the
recorded size is larger than the actual allocation). Furthermore,
the detection of these failures causes OpenSSH to invoke several
`fatal_cleanup' handlers, some of which may then attempt to use these
inconsistent data structures. For example, a handler may zero and
free a buffer in this state, and as a result memory outside of the
allocated area will be overwritten with NUL bytes.
III. Impact
A remote attacker can cause OpenSSH to crash. The bug is not believed
to be exploitable for code execution on FreeBSD.
IV. Workaround
Do one of the following:
1) Disable the base system sshd by executing the following command as
root:
# kill `cat /var/run/sshd.pid`
Be sure that sshd is not restarted when the system is restarted
by adding the following line to the end of /etc/rc.conf:
sshd_enable="NO"
AND
Deinstall the openssh or openssh-portable ports if you have one of
them installed.
V. Solution
Do one of the following:
[For OpenSSH included in the base system]
1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
RELENG_4_8, or RELENG_4_7 security branch dated after
the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
4.7-RELEASE-p15, respectively).
2) FreeBSD systems prior to the correction date:
The following patches have been verified to apply to FreeBSD 4.x and
FreeBSD 5.x systems prior to the correction date.
Download the appropriate patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.
[FreeBSD 4.3 and 4.4]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer44.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer44.patch.asc
[FreeBSD 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc
[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc
Execute the following commands as root:
# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# /usr/sbin/sshd
[For the OpenSSH ports]
One of the following:
1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package obtained from
the following directory:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.
3) Download a new port skeleton for the openssh or openssh-portable
port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in the FreeBSD base system and ports collection.
Branch Revision
Path
- -------------------------------------------------------------------------
[Base system]
RELENG_4
src/crypto/openssh/buffer.c 1.1.1.1.2.7
src/crypto/openssh/channels.c 1.1.1.1.2.10
src/crypto/openssh/deattack.c 1.1.1.1.2.5
src/crypto/openssh/misc.c 1.1.1.1.2.3
src/crypto/openssh/session.c 1.4.2.18
src/crypto/openssh/ssh-agent.c 1.2.2.11
src/crypto/openssh/version.h 1.1.1.1.2.12
RELENG_5_1
src/UPDATING 1.251.2.5
src/crypto/openssh/buffer.c 1.1.1.6.4.2
src/crypto/openssh/channels.c 1.15.2.1
src/crypto/openssh/deattack.c 1.1.1.5.4.1
src/crypto/openssh/misc.c 1.1.1.4.2.1
src/crypto/openssh/session.c 1.40.2.1
src/crypto/openssh/ssh-agent.c 1.18.2.1
src/crypto/openssh/version.h 1.20.2.2
src/sys/conf/newvers.sh 1.50.2.6
RELENG_5_0
src/UPDATING 1.229.2.19
src/crypto/openssh/buffer.c 1.1.1.6.2.2
src/crypto/openssh/channels.c 1.13.2.1
src/crypto/openssh/deattack.c 1.1.1.5.2.1
src/crypto/openssh/misc.c 1.1.1.3.2.1
src/crypto/openssh/session.c 1.38.2.1
src/crypto/openssh/ssh-agent.c 1.16.2.1
src/crypto/openssh/version.h 1.18.2.2
src/sys/conf/newvers.sh 1.48.2.14
RELENG_4_8
src/UPDATING 1.73.2.80.2.8
src/crypto/openssh/buffer.c 1.1.1.1.2.4.4.2
src/crypto/openssh/channels.c 1.1.1.1.2.8.2.1
src/crypto/openssh/deattack.c 1.1.1.1.2.4.4.1
src/crypto/openssh/misc.c 1.1.1.1.2.2.4.1
src/crypto/openssh/session.c 1.4.2.17.2.1
src/crypto/openssh/ssh-agent.c 1.2.2.10.2.1
src/crypto/openssh/version.h 1.1.1.1.2.10.2.2
src/sys/conf/newvers.sh 1.44.2.29.2.7
RELENG_4_7
src/UPDATING 1.73.2.74.2.19
src/crypto/openssh/buffer.c 1.1.1.1.2.4.2.2
src/crypto/openssh/channels.c 1.1.1.1.2.7.2.1
src/crypto/openssh/deattack.c 1.1.1.1.2.4.2.1
src/crypto/openssh/misc.c 1.1.1.1.2.2.2.1
src/crypto/openssh/session.c 1.4.2.16.2.1
src/crypto/openssh/ssh-agent.c 1.2.2.8.2.1
src/crypto/openssh/version.h 1.1.1.1.2.9.2.2
src/sys/conf/newvers.sh 1.44.2.26.2.18
RELENG_4_6
src/UPDATING 1.73.2.68.2.47
src/crypto/openssh/buffer.c 1.1.1.1.2.3.4.3
src/crypto/openssh/channels.c 1.1.1.1.2.6.2.2
src/crypto/openssh/deattack.c 1.1.1.1.2.3.4.2
src/crypto/openssh/misc.c 1.1.1.1.2.1.4.2
src/crypto/openssh/session.c 1.4.2.12.2.2
src/crypto/openssh/ssh-agent.c 1.2.2.7.4.2
src/crypto/openssh/version.h 1.1.1.1.2.8.2.3
src/sys/conf/newvers.sh 1.44.2.23.2.36
RELENG_4_5
src/UPDATING 1.73.2.50.2.48
src/crypto/openssh/buffer.c 1.1.1.1.2.3.2.2
src/crypto/openssh/channels.c 1.1.1.1.2.5.2.2
src/crypto/openssh/deattack.c 1.1.1.1.2.3.2.1
src/crypto/openssh/scp.c 1.1.1.1.2.4.2.1
src/crypto/openssh/session.c 1.4.2.11.2.1
src/crypto/openssh/ssh-agent.c 1.2.2.7.2.1
src/crypto/openssh/version.h 1.1.1.1.2.7.2.3
src/sys/conf/newvers.sh 1.44.2.20.2.32
RELENG_4_4
src/UPDATING 1.73.2.43.2.49
src/crypto/openssh/buffer.c 1.1.1.1.2.2.4.2
src/crypto/openssh/channels.c 1.1.1.1.2.4.4.2
src/crypto/openssh/deattack.c 1.1.1.1.2.2.4.1
src/crypto/openssh/scp.c 1.1.1.1.2.3.4.1
src/crypto/openssh/session.c 1.4.2.8.4.2
src/crypto/openssh/ssh-agent.c 1.2.2.6.4.1
src/crypto/openssh/version.h 1.1.1.1.2.5.2.4
src/sys/conf/newvers.sh 1.44.2.17.2.40
RELENG_4_3
src/UPDATING 1.73.2.28.2.36
src/crypto/openssh/buffer.c 1.1.1.1.2.2.2.2
src/crypto/openssh/channels.c 1.1.1.1.2.4.2.2
src/crypto/openssh/deattack.c 1.1.1.1.2.2.2.1
src/crypto/openssh/scp.c 1.1.1.1.2.3.2.1
src/crypto/openssh/session.c 1.4.2.8.2.2
src/crypto/openssh/ssh-agent.c 1.2.2.6.2.1
src/crypto/openssh/version.h 1.1.1.1.2.4.2.4
src/sys/conf/newvers.sh 1.44.2.14.2.26
[Ports]
ports/security/openssh-portable/Makefile 1.75
ports/security/openssh-portable/files/patch-buffer.c 1.2
ports/security/openssh-portable/files/patch-deattack.c 1.1
ports/security/openssh-portable/files/patch-misc.c 1.3
ports/security/openssh-portable/files/patch-session.c 1.16
ports/security/openssh-portable/files/patch-ssh-agent.c 1.1
ports/security/openssh/Makefile 1.122
ports/security/openssh/files/patch-buffer.c 1.2
ports/security/openssh/files/patch-deattack.c 1.1
ports/security/openssh/files/patch-misc.c 1.3
ports/security/openssh/files/patch-session.c 1.15
ports/security/openssh/files/patch-ssh-agent.c 1.1
- -------------------------------------------------------------------------
Branch Version string
- -------------------------------------------------------------------------
HEAD OpenSSH_3.6.1p1 FreeBSD-20030917
RELENG_4 OpenSSH_3.5p1 FreeBSD-20030917
RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030917
RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030917
RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030917
RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030917
RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20030917
RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20030917
RELENG_4_3 OpenSSH_2.3.0 [email protected] 20030917
- -------------------------------------------------------------------------
To view the version string of the OpenSSH server, execute the
following command:
% /usr/sbin/sshd -\?
The version string is also displayed when a client connects to the
server.
To view the version string of the OpenSSH client, execute the
following command:
% /usr/bin/ssh -V
VII. References
<URL:http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0695>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0682>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
iD8DBQE/aKuVFdaIBMps37IRAj/nAJ9x7UQj1Mp0vTAZBHnjGsp/9LQLlQCfVybJ
AVHLwTVUmQXV9S2naBBX14I=
=JhlR
-----END PGP SIGNATURE-----