Stay Secure with the Latest Linux Advisories

security advisorySuSEremote access

SuSE: 2003:039 Critical Alert: OpenSSH Remote Access Exploit

A programming error has been found in code responsible for buffer management.. ______________________________________________________________________________ SuSE Security Announcement Package: openssh (second release) Announcement-ID: SuSE-SA:2003:039 Date: Thursday, Sep 18 2003 20:00 MEST Affected products: 7.2, 7.3, 8.0, 8.1, 8.2 SuSE Linux Database Server, SuSE eMail Server III, 3.1 SuSE Linux Enterprise Server 7, 8 SuSE Linux Firewall on CD/Admin host SuSE Linux Connectivity Server SuSE Linux Office Server SuSE Linux Standard Server 8 Vulnerability Type: potential remote privilege escalation Severity (1-10): 8 SuSE default package: yes Cross References: openssh CERTVU#333628 cert CVE CAN-2003-0693 CVE CAN-2003-0695 CVE CAN-2003-0682 Content of this advisory: 1) security vulnerability resolved: openssh problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds: - mysql 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The openssh package is the most widely used implementation of the secure shell protocol family (ssh). It provides a set of network connectivity tools for remote (shell) login, designed to substitute the traditional BSD-style r-protocols (rsh, rlogin). openssh has various authentification mechanisms andmany other features such as TCP connection and X11 display forwarding over the fully encrypted network connection as well as file transfer facilities. This is a new release of SuSE Security Announcement (openssh), ID SuSE-SA:2003:038. A set of new bugs were addressed by the openssh development team. These bugs are fixed in the new 3.7.1 upstream release of the openssh package; we have added the necessary changes to our packages preserving the package version to avoid the risk of incompatible behaviour of the software. Specifics about the errors found: (Topic for SuSE Security Announcement SuSE-SA:2003:038:) A programming error has been found in code responsible for buffer management. If exploited by a (remote) attacker, the error may lead to unauthorized access to the system, allowing the execution of arbitrary commands. The error is known as the buffer_append_space()-bug and is assigned the Common Vulnerabilities and Exposures (CVE) name CAN-2003-0693. The error was cause for the upstream release openssh-3.7. (Topic for SuSE Security Announcement SuSE-SA:2003:039 (this announcement):) Programming errors of a similar kind as described above have been found in other portions of the code, with similar effects. These errors are known as "buffer.c/channels.c bug", the CVE name for these errors is CAN-2003-0695. This set of errors was cause for the upstream release openssh-3.7.1. In addition to the fixes for the buffer.c/channels.c bugs we have added some changes that have been assembled by Solar Designer during his review of the source code. These fixes are considered a precautious measure and are not believed to have a significant effect on the security of the openssh code. At the time of writing this announcement, we believe that at least one set of errors as described above is exploitable by a remote attacker. As a reminder, at the time of writing the SuSE Security Announcement SuSE-SA:2003:038 it was unclear if the bug addressed with the announcement (buffer_append_space()-bug) is exploitable. An increasing amount of TCP connection attempts to port 22 as observed in the internet during the past days may indicate that there exists an exploit for the error in the public. Please note that we have disabled the Privilege Separation feature in the ssh daemon (sshd) with this update. The PrivSep feature is designed to have parts of the ssh daemon's work running under lowered privileges, thereby limiting the effect of a possible vulnerability in the code. The PrivSep feature is turned on/off by the UsePrivilegeSeparation keyword in sshd's configuration file /etc/ssh/sshd_config. The feature is held responsible for malfunctions in PAM (Pluggable Authentification Modules). The update mechanism will not overwrite configuration files that have been altered after the package installation. SPECIAL INSTALL INSTRUCTIONS: ============================= After the update has been successfully applied, the ssh daemon (sshd) must be restarted for update package to become effective. To restart the ssh daemon after the update, please run the following command as root: rcsshd restart Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. Intel i386 Platform: SuSE-8.2: e030b0803481d0f29f576e3b4726284f patch rpm(s): d022894363b99e6bd03e9b2109c2244c source rpm(s): 3f7f5ed43c7d795c63fe06148874944a SuSE-8.1: 91cdd33a4149756b8f6371aa3177a5f4 patch rpm(s): 3b7c44819c8fed5e33514481d99d4ab7 source rpm(s): 6c3694fc75bcf185035547b85abbc491 SuSE-8.0: c61781b97767188cc3a39795535307ff patch rpm(s): c222aef79a8fef6d44d8d61fc075efc5 source rpm(s): bc327a4150058c9d1216cb96712973a5 SuSE-7.3: c9928c04b03cb292aa96ad6890a5ee38 source rpm(s): 28aa82be9233e3ba93b94eb138c9ea04 SuSE-7.2: b369724a788a2c6bd70a448a49530f69 source rpm(s): 98b8b7281fe04aab8c8838adcf195697 Sparc Platform: SuSE-7.3: 97cb0218e9354b8cc062e44a0d6fb19f source rpm(s): 8cddb96e633864469d7ba08d3cf7436a PPC Power PC Platform: SuSE-7.3: 37b1e82a3971f5c4c427ce37227b11e0 source rpm(s): 7a19424887772b86d14bacbf5add9628 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - A buffer overflow vulnerability has been found in the mysql package, an Open Source relational database system. The error may allow a remote attacker to execute arbitrary code with the privileges of the database process. We are in the process of building and testing the update packages and will release them with a SuSE Security Announcement as soon as possible. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographicallysigned) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key This email address is being protected from spambots. You need JavaScript enabled to view it. ), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig to verify the signature of the package, where is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter installthe key " This email address is being protected from spambots. You need JavaScript enabled to view it. " upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at . - SuSE runs two security mailing lists to which any interested party may subscribe: This email address is being protected from spambots. You need JavaScript enabled to view it. - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to . This email address is being protected from spambots. You need JavaScript enabled to view it. - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to . For general information or the frequently asked questions (faq) send mail to: or respectively. ==================================================================== SuSE's security contact is or . The public key is listed below. ==================================================================== . Urgent advisory regarding critical OpenSSH exploit leading to remote access risk on SuSE systems. Immediate actions recommended.. openssh Update, Remote Access Risk, Buffer Management, SuSE Alert. . Severity: Critical. LinuxSecurity.com Team

Sep 18, 2003 •Critical SuSE