OpenSSH security hole unearthed
The program, Open Secure Shell (OpenSSH), is included in many widely used operating system distributions, such as OpenBSD 3.0, OpenBSD 3.1, and FreeBSD-Current, all open-source variants of the Unix OS. Such operating systems appear on networking equipment and security appliances, among other things.
The flaw affects versions 3.0 to 3.2.3 of the software, said Grant Slender, principal consultant for Australasia at network protection firm Internet Security Systems, which first discovered the vulnerability.
Slender said the flaw involves OpenSSH's inadequate handling of "buffer overflow"--when a message sent to a program is much longer than the program is designed to expect. Attackers exploit such holes by flooding programs with more characters than they can accommodate and running the excess characters as executable code.
Because of the flaw, "it is possible for a remote (off-site) attacker to send a specially crafted (message) that triggers an overflow," according to the Internet Security Systems advisory. "This can result in a remote denial of service attack on the OpenSSH daemon." A denial of service attack overloads a server with requests for information, tying up the machine indefinitely.
The advisory also says hackers exploiting the hole would enter a server at the highest level of access. "The OpenSSH daemon runs with superuser privilege, so remote attackers can gain superuser access by exploiting this vulnerability."
"It is possible for a remote attacker to send a specially-crafted reply that triggers an overflow," according to the ISS security advisory. "This can result in a remote denial-of-service attack on the OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs with superuser privilege, so remote attackers can gain superuser access by exploiting this vulnerability."
Slender said ISS had notified OpenSSH's senior developer, who had created a patch. "In this case, we did contact the senior developer and, with his coordination, we worked toward making sure the (programming) community was ready to have the vulnerability announced."
ISS is advising systems administrators to disable unused OpenSSH authentication mechanisms.
It's also possible for administrators to remove the vulnerability by disabling the challenge-response authentication parameter within the OpenSSH daemon configuration file, according to the advisory. Slender also said users should upgrade.
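As an added check, not part of the article, the ISS advisory or the OpenSSH project: a POSIX shell audit that reads an sshd_config and reports whether the challenge-response mitigation described above is in place. It assumes sshd's keyword rules of the era (the first occurrence of a keyword wins, keywords are case-insensitive, and ChallengeResponseAuthentication defaults to "yes" when absent); the two sample configs are constructed.

```shell
#!/bin/sh
# Added example (not the article's or OpenSSH's own code). Audits sshd_config
# text for the ISS-recommended mitigation: ChallengeResponseAuthentication no.
# Assumptions: first occurrence of a keyword wins, keywords are
# case-insensitive, and an absent keyword means sshd's default of "yes".

# Reads sshd_config text on stdin; prints the effective value, "yes" or "no".
effective_cra() {
    val=$(awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); exit              # first occurrence wins
        }
    ')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'yes\n'                           # keyword absent: sshd default
    fi
}

# Succeeds (exit 0) only when challenge-response authentication is turned off.
cra_disabled() {
    [ "$(effective_cra)" = "no" ]
}

# Constructed sample configs. In the first, the keyword is only commented out,
# which is the stock layout that leaves sshd on its vulnerable default.
WEAK_CFG='# stock-style sshd_config
#ChallengeResponseAuthentication yes
PasswordAuthentication yes'

FIXED_CFG='ChallengeResponseAuthentication no
PasswordAuthentication yes'

for name in WEAK_CFG FIXED_CFG; do
    eval "cfg=\$$name"
    if printf '%s\n' "$cfg" | cra_disabled; then
        echo "$name: mitigated (challenge-response disabled)"
    else
        echo "$name: challenge-response still enabled, apply the fix or upgrade"
    fi
done
```

Run it against a real file with `cra_disabled < /etc/ssh/sshd_config`; a non-zero exit means the mitigation is missing.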
Information about the vulnerability has been posted on security mailing lists such as BugTraq and Debian.
Staff writer Vivienne Fisher reported from Sydney. News.com's Robert Lemos contributed to this report.