|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:12 Security Advisory FreeBSD, Inc. Topic: OpenSSH buffer management error Category: core, ports Module: openssh, ports_openssh, openssh-portable Announced: 2003-09-16 Credits: The OpenSSH Project <openssh@openssh.org> Affects: All FreeBSD releases after 4.0-RELEASE FreeBSD 4-STABLE prior to the correction date openssh port prior to openssh-3.6.1_1 openssh-portable port prior to openssh-portable-3.6.1p2_1 Corrected: 2003-09-16 16:24:02 UTC (RELENG_4) 2003-09-16 16:27:57 UTC (RELENG_5_1) 2003-09-16 17:34:32 UTC (RELENG_5_0) 2003-09-16 16:24:02 UTC (RELENG_4_8) 2003-09-16 16:45:16 UTC (RELENG_4_7) 2003-09-16 17:44:15 UTC (RELENG_4_6) 2003-09-16 17:45:23 UTC (RELENG_4_5) 2003-09-16 17:46:02 UTC (RELENG_4_4) 2003-09-16 17:46:37 UTC (RELENG_4_3) 2003-09-16 12:43:09 UTC (ports/security/openssh) 2003-09-16 12:43:10 UTC (ports/security/openssh-portable) CVE: CAN-2003-0693 FreeBSD only: NO I. Background OpenSSH is a free version of the SSH protocol suite of network connectivity tools. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. `ssh' is the client application, while `sshd' is the server. II. Problem Description When a packet is received that is larger than the space remaining in the currently allocated buffer, OpenSSH's buffer management attempts to reallocate a larger buffer. During this process, the recorded size of the buffer is increased. The new size is then range checked. If the range check fails, then fatal() is called to cleanup and exit. In some cases, the cleanup code will attempt to zero and free the buffer that just had its recorded size (but not actual allocation) increased. As a result, memory outside of the allocated buffer will be overwritten with NUL bytes. III. Impact A remote attacker can cause OpenSSH to crash. The bug is not believed to be exploitable for code execution on FreeBSD. IV. Workaround Do one of the following: 1) Disable the base system sshd by executing the following command as root: # kill `cat /var/run/sshd.pid` Be sure that sshd is not restarted when the system is restarted by adding the following line to the end of /etc/rc.conf: sshd_enable="NO" AND Deinstall the openssh or openssh-portable ports if you have one of them installed. V. Solution Do one of the following: [For OpenSSH included in the base system] 1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or 4.7-RELEASE-p15, respectively). 2) FreeBSD systems prior to the correction date: The following patches have been verified to apply to FreeBSD 4.x and FreeBSD 5.x systems prior to the correction date. Download the appropriate patch and detached PGP signature from the following locations, and verify the signature using your PGP utility. [FreeBSD 4.3 through 4.5] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc [FreeBSD 4.6 and later, FreeBSD 5.0 and later] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc Execute the following commands as root: # cd /usr/src # patch < /path/to/sshd.patch # cd /usr/src/secure/lib/libssh # make depend && make all install # cd /usr/src/secure/usr.sbin/sshd # make depend && make all install # cd /usr/src/secure/usr.bin/ssh # make depend && make all install Be sure to restart `sshd' after updating. # kill `cat /var/run/sshd.pid` # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags}) [For the OpenSSH ports] One of the following: 1) Upgrade your entire ports collection and rebuild the OpenSSH port. 2) Deinstall the old package and install a new package obtained from the following directory: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/ [other platforms] Packages are not automatically generated for other platforms at this time due to lack of build resources. 3) Download a new port skeleton for the openssh or openssh-portable port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz Be sure to restart `sshd' after updating. # kill `cat /var/run/sshd.pid` # test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start VI. Correction details The following list contains the revision numbers of each file that was corrected in the FreeBSD base system and ports collection. Branch Revision Path - ------------------------------------------------------------------------- [Base system] RELENG_4 src/crypto/openssh/buffer.c 1.1.1.1.2.5 src/crypto/openssh/version.h 1.1.1.1.2.11 RELENG_5_1 src/UPDATING 1.251.2.4 src/crypto/openssh/buffer.c 1.1.1.6.4.1 src/crypto/openssh/version.h 1.20.2.1 src/sys/conf/newvers.sh 1.50.2.5 RELENG_5_0 src/UPDATING 1.229.2.18 src/crypto/openssh/buffer.c 1.1.1.6.2.1 src/crypto/openssh/version.h 1.18.2.1 src/sys/conf/newvers.sh 1.48.2.13 RELENG_4_8 src/UPDATING 1.73.2.80.2.7 src/crypto/openssh/buffer.c 1.1.1.1.2.4.4.1 src/crypto/openssh/version.h 1.1.1.1.2.10.2.1 src/sys/conf/newvers.sh 1.44.2.29.2.6 RELENG_4_7 src/UPDATING 1.73.2.74.2.18 src/crypto/openssh/buffer.c 1.1.1.1.2.4.2.1 src/crypto/openssh/version.h 1.1.1.1.2.9.2.1 src/sys/conf/newvers.sh 1.44.2.26.2.17 RELENG_4_6 src/UPDATING 1.73.2.68.2.46 src/crypto/openssh/buffer.c 1.1.1.1.2.3.4.2 src/crypto/openssh/version.h 1.1.1.1.2.8.2.2 src/sys/conf/newvers.sh 1.44.2.23.2.35 RELENG_4_5 src/UPDATING 1.73.2.50.2.47 src/crypto/openssh/buffer.c 1.1.1.1.2.3.2.1 src/crypto/openssh/version.h 1.1.1.1.2.7.2.2 src/sys/conf/newvers.sh 1.44.2.20.2.31 RELENG_4_4 src/UPDATING 1.73.2.43.2.48 src/crypto/openssh/buffer.c 1.1.1.1.2.2.4.1 src/crypto/openssh/version.h 1.1.1.1.2.5.2.3 src/sys/conf/newvers.sh 1.44.2.17.2.39 RELENG_4_3 src/UPDATING 1.73.2.28.2.35 src/crypto/openssh/buffer.c 1.1.1.1.2.2.2.1 src/crypto/openssh/version.h 1.1.1.1.2.4.2.3 src/sys/conf/newvers.sh 1.44.2.14.2.25 [Ports] ports/security/openssh-portable/Makefile 1.73 ports/security/openssh-portable/files/patch-buffer.c 1.1 ports/security/openssh/Makefile 1.120 ports/security/openssh/files/patch-buffer.c 1.1 - ------------------------------------------------------------------------- Branch Version string - ------------------------------------------------------------------------- HEAD OpenSSH_3.6.1p1 FreeBSD-20030916 RELENG_4 OpenSSH_3.5p1 FreeBSD-20030916 RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030916 RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030916 RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030916 RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030916 RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20030916 RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20030916 RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20030916 - ------------------------------------------------------------------------- To view the version string of the OpenSSH server, execute the following command: % /usr/sbin/sshd -\? The version string is also displayed when a client connects to the server. To view the version string of the OpenSSH client, execute the following command: % /usr/bin/ssh -V VII. References <URL:http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html> The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0693 to this issue. <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ PW0VvEnS7MMUYyekHuz49ro= =vcm1 -----END PGP SIGNATURE-----