Date: Mon, 12 Feb 2001 16:38:34 -0800
From: FreeBSD Security Advisories <security-advisories@FreeBSD.org.>
To: [email protected]Subject: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-01:24 Security Advisory
FreeBSD, Inc.
Topic: SSH1 implementations may allow remote system, data compromise
Category: core/ports
Module: openssh, ssh
Announced: 2001-02-12
Credits: Michal Zalewski <lcamtuf@razor.bindview.com.> (Vulnerability 1)
Core-SDI (http://www.core-sdi.com) (Vulnerability 2)
Affects: FreeBSD 4.x, 4.2-STABLE prior to the correction date
Ports collection prior to the correction date.
Corrected: OpenSSH [FreeBSD 4.x base system]:
2000-12-05 (Vulnerability 1)
2001-02-11 (Vulnerability 2)
OpenSSH [ports]:
2001-02-09 (Vulnerability 1)
2001-02-11 (Vulnerability 2)
ssh [ports]:
2001-02-09 (Vulnerability 1)
2001-02-09 (Vulnerability 2)
Vendor status: Patches released.
FreeBSD only: NO
I. Background
OpenSSH is an implementation of the SSH1 and SSH2 secure shell
protocols for providing encrypted and authenticated network access,
which is available free for unrestricted use.
An SSH1 client/server (ssh) from ssh.com is included in the ports
collection. This software is not available free of charge for all
uses, and the FreeBSD Security Officer does not recommend its use.
II. Problem Description
There are two flaws in the SSH1 protocol as implemented by OpenSSH and
ssh.
Vulnerability 1:
An integer overflow may allow arbitrary remote users to obtain root
permissions on the server running sshd. This is due to a coding
mistake in code intended to work around a protocol flaw in the SSH1
protocol. This vulnerability was corrected in OpenSSH 2.3.0, which
was committed to FreeBSD 4.2-STABLE on 2000-12-05.
Vulnerability 2;
Remote attackers who can observe the encrypted contents of a user's
SSH1 session, and who have the ability to mount large numbers of
connections fo the SSH1 server may be able to break the transient
server key used by the server to negotiate encryption parameters for
the session, and from there can decrypt the entire contents of the
snooped connection. The transient key has a lifetime of only one
hour by default, but all snooped SSH1 sessions captured within this
timeframe may be broken if the attack is successful.
This attack is mitigated by the requirement to initiate large
numbers of SSH1 protocol connections to the server during the
lifetime of the key. On average a sustained connection rate of
around 400 connections and SSH1 protocol handshakes must be carried
out per second to have a high chance of succeeding within the 1 hour
lifetime of the server key. OpenSSH contains rate-limiting code
which will limit the number of outstanding connections to a fraction
of this number in the default configuration, and computational and
network limitations may reduce this number still further.
Therefore, though the potential impact of this flaw is great, it is
made very difficult to exploit in practice. However, note that even
though the chances of success are reduced, the vulnerability is not
eliminated.
OpenSSH is installed if you chose to install the 'crypto' distribution
at install-time or when compiling from source, and is installed and
enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
protocol support is enabled.
If SSH1 protocol support has been disabled in OpenSSH, it is not
vulnerable to these attacks. They do not affect implementations of
the SSH2 protocol, such as OpenSSH run in SSH2-only mode.
Versions of the OpenSSH port prior to openssh-2.2.0_2, and versions
of the ssh port prior to ssh-1.2.27_3 are vulnerable to these attacks.
III. Impact
Arbitrary remote users may be able to execute arbitrary code as root
on an SSH1 server accepting connections via the SSH1 protocol.
Remote users who can snoop the encrypted contents of SSH1 sessions
belonging to other users, and who can mount a very high rate of
connections to the server may be able to mount an attack leading to
the ability to decrypt these sessions. This attack may disclose
account password details as well as other sensitive data.
IV. Workaround
If you are running sshd, disable the use of the SSH1 protocol in
OpenSSH. SSH1 contains inherent protocol deficiencies and is not
recommended for use in high-security environments. Note that some
third-party SSH clients are not capable of using the SSH2 protocol,
however the OpenSSH client (version 2.1 and later) included in FreeBSD
is SSH2-capable.
To disable SSH1, add the following line to the /etc/ssh/sshd_config
file (/usr/local/etc/sshd_config for the OpenSSH port):
Protocol 2
and remove any other "Protocol" directives from that file.
Execute the following command as root:
# kill -HUP `cat /var/run/sshd.pid`
This will cause the parent process to reread its configuration file,
and should not interfere with existing SSH sessions.
V. Solution
- --[OpenSSH - base system]-----
One of the following:
1) Upgrade to FreeBSD 4.2-STABLE after the correction date. Note that
these versions of FreeBSD contain a newer version of OpenSSH (version
2.3.0) than was in 4.2-RELEASE (version 2.2.0).
2) Download the patch and detached PGP signature from the following
location:
The following patch applies to FreeBSD 4.2-RELEASE.
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch.asc
The folllowing patch applies to FreeBSD 4.2-STABLE which is running
OpenSSH 2.3.0 (4.2-STABLE dated after 2000-12-05)
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch.asc
Verify the detached signature using your PGP utility.
Issue the following commands as root:
# cd /usr/src/crypto/openssh
# patch -p < /path/to/patch
# cd /usr/src/secure/lib/libssh
# make all
# cd /usr/src/secure/usr.bin/ssh-agent
# make all install
# cd /usr/src/secure/usr.sbin/sshd
# make all install
Finally, if sshd is already running then kill and restart the sshd
daemon: perform the following command as root:
# kill -KILL `cat /var/run/sshd.pid` && /usr/sbin/sshd
This will not affect sessions in progress.
- --[OpenSSH - port]-----
Use one of the following options to upgrade the OpenSSH software, then
kill and restart the sshd daemon if it is already running. This will
not affect sessions in progress.
To kill and restart the sshd daemon, perform the following command as
root:
# kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd
1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0_2.tgz
NOTE: It may be several days before updated packages are available.
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
3) download a new port skeleton for the OpenSSH port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
- --[ssh - port]-----
Use one of the following options to upgrade the ssh software, then
kill and restart the sshd daemon if it is already running. This will
not affect sessions in progress.
To kill and restart the sshd daemon, perform the following command as
root:
# kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd
1) Upgrade your entire ports collection and rebuild the ssh port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/ssh-1.2.27_3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/ssh-1.2.27_3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/ssh-1.2.27_3.tgz
NOTE: It may be several days before updated packages are available.
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
3) download a new port skeleton for the OpenSSH port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBOoiAylUuHi5z0oilAQEoVgP/Qc5UXjRnR3byHZfQyM4VyuwCWAWeAaD7
HPjlhLTiOb0HUqsVhiraIX5Mgi5ReySj2wREd4EKW9pEKiXfcXCWItivG8PrV/P8
NHEo5B393r1G8ovtkt3fu0bQ7RhOrxOeHRn5mxbmk8pIrRg7oxeZ02ygJiCV8LqT
hoOxMmU4FYQ=
=REEI
-----END PGP SIGNATURE-----
