SuSE: 'ssh' remote compromise

    Date: 16 Feb 2001
    Posted By: LinuxSecurity Advisories
    Possible remote root compromise exists with previous versions of ssh. Other issues exist.
                            SuSE Security Announcement
            Package:                ssh
            Announcement-ID:        SuSE-SA:2001:04
            Date:                   Friday, February 16th, 2000 18:00 MET
            Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
            Vulnerability Type:     possible remote root compromise
            Severity (1-10):        9
            SuSE default package:   yes, no (openssh is default after SuSE-6.3)
            Other affected systems: Unix systems with sshd running
        Content of this advisory:
            1) security vulnerability resolved: ssh
               problem description, discussion, solution and upgrade information
            2) pending vulnerabilities, solutions, workarounds
            3) standard appendix (further information)
    1)  problem description, brief discussion, solution, upgrade information
        SuSE distributions contain the ssh package in version 1.2.27. No
        later version is provided because of licensing issues. SuSE maintains
        the 1.2.27 version in a patched package. Three new patches have been added
        that work around three independent security problems in the ssh package:
        a) SSHD-1 Logging Vulnerability (discovered and published by Jose Nazario,
           Crimelabs). Attackers can remotely brute-force passwords without
           getting noticed or logged. In the ssh package from the SuSE
           distribution, root login is allowed, as well as password
           authentication. Even though brute-forcing a password may take an
           enormous amount of time and resources, the issue is to be taken
        b) SSH1 session key recovery vulnerability (by Ariel Waissbein and Agustin
           Azubel, CORE SDI, Argentina, and David Bleichenbacher). Captured
           encrypted ssh traffic can be decrypted with some effort by obtaining
           the session key for the ssh session. The added patch in our package
           causes the ssh daemon to generate a new server key pair upon failure
           of an RSA operation (please note that the patch supplied by Iván
           Arce on bugtraq on Wed, 7 Feb 2001 has since been corrected!).
        c) In 1998, the ssh-1 protocol was found to be vulnerable to an
           attack where arbitrary sequences could be inserted into the ssh-1
           protocol layer. The attack was called "crc32 compensation attack", and
           a fix was introduced (crc compensation attack detector in the ssh -v
           output) into the later versions of ssh. Michal Zalewski discovered
           that the fix in its most widely used implementation is defective. An
           integer overflow allows an attacker to overwrite arbitrary memory in
           the sshd process' address space, which potentially results in a
           remote root compromise.
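        The following is an added example, written for this page and not part of the SuSE advisory or of any ssh code, that approaches item a) from the defender's side. Because a vulnerable sshd may not log the failed password attempts themselves, it counts connection openings per source address inside a sliding time window, using only the connection-level syslog lines the daemon does write, and it reports the two sshd_config settings the advisory names as widening the exposure (PermitRootLogin and PasswordAuthentication). The syslog line format matched by CONNECT_RE and the sample lines are assumptions constructed for the example; adapt the expression to what your sshd actually writes to /var/log.

```python
# Added example; not part of the SuSE advisory and not SuSE's or the ssh
# project's code. Flags sources that open many ssh connections in a short
# window using connection-level log lines, and checks sshd_config for the
# settings the advisory mentions. The log format below is an ASSUMPTION.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<Mon dd HH:MM:SS> <host> sshd[pid]: ... Connection from <ip> ..."
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .*"
    r"Connection from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample syslog lines (not real log data): six connections from
# 192.0.2.10 within ten seconds, two widely spaced ones from 198.51.100.7.
SAMPLE_LOG = """\
Feb 16 18:00:01 host sshd[1201]: log: Connection from 192.0.2.10 port 40001
Feb 16 18:00:03 host sshd[1202]: log: Connection from 192.0.2.10 port 40002
Feb 16 18:00:05 host sshd[1203]: log: Connection from 192.0.2.10 port 40003
Feb 16 18:00:07 host sshd[1204]: log: Connection from 192.0.2.10 port 40004
Feb 16 18:00:09 host sshd[1205]: log: Connection from 192.0.2.10 port 40005
Feb 16 18:00:11 host sshd[1206]: log: Connection from 192.0.2.10 port 40006
Feb 16 18:00:12 host sshd[1206]: log: Closing connection to 192.0.2.10
Feb 16 18:00:20 host sshd[1207]: log: Connection from 198.51.100.7 port 51000
Feb 16 18:05:00 host sshd[1208]: log: Connection from 198.51.100.7 port 51001
"""


def parse_connections(lines, year=2001):
    """Yield (timestamp, source address) for every connection line.
    Syslog lines carry no year, so the caller supplies it."""
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"]


def flag_bursts(events, threshold=5, window_seconds=60):
    """Return {source: peak} for sources that opened at least `threshold`
    connections inside any sliding window of `window_seconds`; peak is the
    largest count seen in one window."""
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(list)
    for ts, src in events:
        per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def risky_sshd_settings(config_text):
    """Return the sshd_config settings the advisory mentions when they are
    set to 'yes': root login permitted and password authentication enabled.
    Keys are matched case-insensitively; comments and blank lines are skipped."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    return {k: settings[k] for k in ("permitrootlogin", "passwordauthentication")
            if settings.get(k) == "yes"}


if __name__ == "__main__":
    print(flag_bursts(parse_connections(SAMPLE_LOG.splitlines())))
    print(risky_sshd_settings("PermitRootLogin yes\nPasswordAuthentication yes\n"))
```

        On the constructed sample, flag_bursts() reports 192.0.2.10 with a peak of six connections inside one minute and nothing for 198.51.100.7; a three-second window reports nothing, which is the usual tuning trade-off between catching slow guessing and flagging ordinary users.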
        There are two easy remedies:
        a) switch to openssh (please use the openssh packages from the same
        update directories as the ssh package update URLs below indicate).
        openssh is a different implementation of the ssh protocol that is
        compatible with protocol versions 1 and 2.
        Openssh version 2.3.0 does not suffer from the problems listed above.
        Versions before 2.3.0 are vulnerable to other problems, so please
        use the updates from the update directory on the ftp server.
        See section 2) of this announcement for the md5sums of the packages.
        b) upgrade your ssh package from the locations described below.
        Download the update package from the locations described below and install
        the package with the command `rpm -Uhv file.rpm'. The md5sum for each
        file is in the line below it. You can verify the integrity of the rpm
        files using the command
            `rpm --checksig --nogpg file.rpm',
        independently of the md5 signatures below.
        If you run a sshd (secure shell daemon) server on your system, then the
        daemon process must be restarted for the update package to become active
        after installation of the update rpm.
        You can do this easily with the command (run as root):
            kill -15 `cat /var/run/`
        After this, you can start the daemon using the command
            rcsshd start
        It should be possible now to log on again to your server as usual. Please
        consult the syslogs in /var/log if this is not the case.
        Warning: killing all instances of sshd on a system might render the system
                 inaccessible from remote, especially if secure shell is your only
                 method to access the system. Be careful to not lock yourself out.
        Note: The packages on our German ftp server have been built again to
              correct one of the patches. The package for the 6.1-i386 distribution
              has finished building a few minutes ago and uses the same name as the
              build from Wednesday. Use the --force commandline option for the rpm
              command if you have used the package that was published before the
              release date of this announcement.
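        The following is an added example, written for this page and not SuSE's tooling, that automates the integrity step of the upgrade procedure above: it parses an advisory-style md5sum listing, compares every listed rpm on disk against its sum, and only then produces the `rpm -Uhv` command line. The package names, contents and sums built in demo() are constructed for the example; with real update packages you paste the md5sums from the advisory text.

```python
# Added example; not part of the SuSE advisory and not SuSE's tooling. It
# checks downloaded update rpms against an advisory-style md5sum listing
# before they are handed to rpm. Names, contents and sums in demo() are
# CONSTRUCTED for this example.
import hashlib
import os
import tempfile


def md5_of_file(path, chunk_size=65536):
    """Hex md5 digest of a file, read in chunks so large rpms are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_md5_listing(text):
    """Parse 'md5sum  filename' lines (the form md5sum(1) prints and advisories
    quote) into {filename: md5sum}; any other line is ignored."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32:
            expected[parts[1]] = parts[0].lower()
    return expected


def verify_packages(directory, expected):
    """Compare every listed file in `directory` against its expected sum.
    Returns (all_ok, mismatched_names, missing_names)."""
    mismatched, missing = [], []
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            missing.append(name)
        elif md5_of_file(path) != digest:
            mismatched.append(name)
    return (not mismatched and not missing), mismatched, missing


def install_command(directory, expected):
    """argv for the advisory's install step, `rpm -Uhv`, over the listed files.
    Run `rpm --checksig --nogpg` per file and then this command only after
    verify_packages() reported all_ok; restarting sshd afterwards (and not
    locking yourself out while doing so) remains the administrator's job."""
    return ["rpm", "-Uhv"] + [os.path.join(directory, n) for n in expected]


def demo():
    """Build a scratch directory with two constructed 'packages', verify them,
    then tamper with one and also list a file that does not exist."""
    d = tempfile.mkdtemp(prefix="rpmcheck-")
    files = {  # constructed stand-ins for the real update rpms
        "ssh-demo.i386.rpm": b"constructed package payload A\n",
        "ssh-demo.src.rpm": b"constructed package payload B\n",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    listing = "".join(
        f"{hashlib.md5(data).hexdigest()}  {name}\n" for name, data in files.items()
    )
    expected = parse_md5_listing(listing)
    clean = verify_packages(d, expected)
    with open(os.path.join(d, "ssh-demo.i386.rpm"), "ab") as f:
        f.write(b"tampered\n")  # simulate a corrupted or altered download
    tampered = verify_packages(d, expected)
    missing = verify_packages(d, {**expected, "missing.rpm": "0" * 32})
    return {"clean": clean, "tampered": tampered, "missing": missing,
            "command": install_command(d, expected)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

        The md5 check is independent of `rpm --checksig`, as the advisory notes; the script refuses to build the install command when any listed file is missing or altered, so a partial or corrupted download never reaches rpm.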
        i386 Intel Platform:
        source rpm:
        source rpm:
        source rpm:
        source rpm:
        source rpm:
        source rpm:
        Sparc Platform:
        source rpm:
        AXP Alpha Platform:
        source rpm:
        source rpm:
        source rpm:
        PPC Power PC Platform:
        source rpm:
        source rpm:
    2)  Pending vulnerabilities in SuSE Distributions and Workarounds:
      - The openssh package URLs and md5sums:
        3687c385e3e8f6e845c17518c12dd61b
        3cf3a1f652d92d66e70bfc9c40c0eb38
        ce12abcff3dec118ceabe62e6cd1e090
        3a7cf864f695a9f3ec2dd0bf6cc7e161
        3219bf7853c2c27056ec502b5fd3345c
        82a18d49a9a98942417258ffcd7a4800
        3219bf7853c2c27056ec502b5fd3345c
        82a18d49a9a98942417258ffcd7a4800
        b924315c09cb990009b24d3c1093e142
        6339a4f2a4982ba2e6b943a182d02420
        61da28e2695d8f4a4b1c6300d867e6b6
        9e8e5af8b890f2a18e244da1c94be796
        72f7c339991e54a476585012423dda62
        749ccc55396944ad43c1977e55903958
        e08ec87634dfd0dd76d18886d04ebd4b
        95820e1934a5586c8d73719957972d7c
        8ed7a34fec7bcc6c658809effe20fd82
        c551925107c7000fa32556dbe4a4fad4
      - Linux kernel upgrade.
        Several security flaws have been found in the linux-2.2.x kernel versions.
        The only suitable workaround is to upgrade to a newer kernel version.
        SuSE provides kernels that have been expanded with several dozen device
        drivers that are not included in the standard main stream kernel.
        While working on the kernel update packages for our distributions, more
        security problems were discovered. Currently, several persons audit code
        in the kernel, so that more problems are expected to be discovered in the
        very near future.
        Since kernel updates are very time-consuming for the system
        administrator, we decided not to publish a new kernel package
        each week. Instead, the new kernel packages with all known security bugs
        fixed will be published by the middle or end of next week.
        In the meantime, administrators who require immediate updates should go
        to (or one of its mirrors, respectively) and get Alan Cox's
        prepatches for the 2.2.19 version of the Linux kernel. The directory
        usually is /pub/linux/kernel/people/alan/2.2.19pre; his latest patch is
        pre-patch-2.2.19-13.gz. This patch fixes all currently publicly known
        security problems in the Linux v2.2 kernel. For those who are not
        experienced in patching and installing kernels, we recommend waiting
        for the release of the SuSE Linux kernel update packages.
      - From SuSE-SA:2001:03 (bind8): The sparc update packages were pending
        because of build bottlenecks. The URLs to the update packages and the
        md5sums are as follows:
        source rpm:
      - bind: The bind package version 4.x has been found vulnerable to multiple
        security problems that were discussed and published in public security
        forums. See
        for more information. SuSE provides update packages for the bind nameserver
        in version 4 for all distributions and architectures.
        We also hereby announce that the bind package (bind-4.x; the bind
        nameserver in version 8 is contained in the bind8 package) will be
        discontinued in future versions of the SuSE Linux Distribution. We
        recommend migrating to bind in the 8.x or 9.x series.
        There will be a separate security announcement for the bind (4.x) package
        by Monday, February 19th 2001. In the meanwhile, get the md5sums from the
        URL . It is signed.
      - More announcements are following this one. (mysql, tmpfile races, ...)
        Please read (this) section 2) in the announcements carefully.
    3)  standard appendix:
        SuSE runs two security mailing lists to which any interested party may
        <[e-mail address not recoverable]>
            -   general/linux/SuSE security discussion.
                All SuSE security announcements are sent to this list.
                To subscribe, send an email to
                    <[e-mail address not recoverable]>.
        <[e-mail address not recoverable]>
            -   SuSE's announce-only mailing list.
                Only SuSE's security announcements are sent to this list.
                To subscribe, send an email to
                    <[e-mail address not recoverable]>.
        For general information or the frequently asked questions (faq)
        send mail to:
            <[e-mail address not recoverable]> or
            <[e-mail address not recoverable]> respectively.
        SuSE's security contact is <[e-mail address not recoverable]>.
        The information in this advisory may be distributed or reproduced,
        provided that the advisory is not modified in any way.
        SuSE GmbH makes no warranties of any kind whatsoever with respect
        to the information contained in this security advisory.
    Type Bits/KeyID    Date       User ID
    pub  2048/3D25D3D9 1999/03/06 SuSE Security Team <[e-mail address not recoverable]>