diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-01:24.ssh.asc')
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-01:24.ssh.asc | 260 |
1 files changed, 0 insertions, 260 deletions
diff --git a/share/security/advisories/FreeBSD-SA-01:24.ssh.asc b/share/security/advisories/FreeBSD-SA-01:24.ssh.asc deleted file mode 100644 index f06f162894..0000000000 --- a/share/security/advisories/FreeBSD-SA-01:24.ssh.asc +++ /dev/null @@ -1,260 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- - -============================================================================= -FreeBSD-SA-01:24 Security Advisory - FreeBSD, Inc. - -Topic: SSH1 implementations may allow remote system, data compromise - -Category: core/ports -Module: openssh, ssh -Announced: 2001-02-12 -Credits: Michal Zalewski <lcamtuf@razor.bindview.com> (Vulnerability 1) - Core-SDI (http://www.core-sdi.com) (Vulnerability 2) -Affects: FreeBSD 4.x, 4.2-STABLE prior to the correction date - Ports collection prior to the correction date. -Corrected: OpenSSH [FreeBSD 4.x base system]: - 2000-12-05 (Vulnerability 1) - 2001-02-11 (Vulnerability 2) - OpenSSH [ports]: - 2001-02-09 (Vulnerability 1) - 2001-02-11 (Vulnerability 2) - ssh [ports]: - 2001-02-09 (Vulnerability 1) - 2001-02-09 (Vulnerability 2) -Vendor status: Patches released. -FreeBSD only: NO - -I. Background - -OpenSSH is an implementation of the SSH1 and SSH2 secure shell -protocols for providing encrypted and authenticated network access, -which is available free for unrestricted use. - -An SSH1 client/server (ssh) from ssh.com is included in the ports -collection. This software is not available free of charge for all -uses, and the FreeBSD Security Officer does not recommend its use. - -II. Problem Description - -There are two flaws in the SSH1 protocol as implemented by OpenSSH and -ssh. - -Vulnerability 1: - - An integer overflow may allow arbitrary remote users to obtain root - permissions on the server running sshd. This is due to a coding - mistake in code intended to work around a protocol flaw in the SSH1 - protocol. This vulnerability was corrected in OpenSSH 2.3.0, which - was committed to FreeBSD 4.2-STABLE on 2000-12-05. - -Vulnerability 2; - - Remote attackers who can observe the encrypted contents of a user's - SSH1 session, and who have the ability to mount large numbers of - connections fo the SSH1 server may be able to break the transient - server key used by the server to negotiate encryption parameters for - the session, and from there can decrypt the entire contents of the - snooped connection. The transient key has a lifetime of only one - hour by default, but all snooped SSH1 sessions captured within this - timeframe may be broken if the attack is successful. - - This attack is mitigated by the requirement to initiate large - numbers of SSH1 protocol connections to the server during the - lifetime of the key. On average a sustained connection rate of - around 400 connections and SSH1 protocol handshakes must be carried - out per second to have a high chance of succeeding within the 1 hour - lifetime of the server key. OpenSSH contains rate-limiting code - which will limit the number of outstanding connections to a fraction - of this number in the default configuration, and computational and - network limitations may reduce this number still further. - Therefore, though the potential impact of this flaw is great, it is - made very difficult to exploit in practice. However, note that even - though the chances of success are reduced, the vulnerability is not - eliminated. - -OpenSSH is installed if you chose to install the 'crypto' distribution -at install-time or when compiling from source, and is installed and -enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1 -protocol support is enabled. - -If SSH1 protocol support has been disabled in OpenSSH, it is not -vulnerable to these attacks. They do not affect implementations of -the SSH2 protocol, such as OpenSSH run in SSH2-only mode. - -Versions of the OpenSSH port prior to openssh-2.2.0_2, and versions -of the ssh port prior to ssh-1.2.27_3 are vulnerable to these attacks. - -III. Impact - -Arbitrary remote users may be able to execute arbitrary code as root -on an SSH1 server accepting connections via the SSH1 protocol. - -Remote users who can snoop the encrypted contents of SSH1 sessions -belonging to other users, and who can mount a very high rate of -connections to the server may be able to mount an attack leading to -the ability to decrypt these sessions. This attack may disclose -account password details as well as other sensitive data. - -IV. Workaround - -If you are running sshd, disable the use of the SSH1 protocol in -OpenSSH. SSH1 contains inherent protocol deficiencies and is not -recommended for use in high-security environments. Note that some -third-party SSH clients are not capable of using the SSH2 protocol, -however the OpenSSH client (version 2.1 and later) included in FreeBSD -is SSH2-capable. - -To disable SSH1, add the following line to the /etc/ssh/sshd_config -file (/usr/local/etc/sshd_config for the OpenSSH port): - -Protocol 2 - -and remove any other "Protocol" directives from that file. - -Execute the following command as root: - -# kill -HUP `cat /var/run/sshd.pid` - -This will cause the parent process to reread its configuration file, -and should not interfere with existing SSH sessions. - -V. Solution - -- --[OpenSSH - base system]----- - -One of the following: - -1) Upgrade to FreeBSD 4.2-STABLE after the correction date. Note that -these versions of FreeBSD contain a newer version of OpenSSH (version -2.3.0) than was in 4.2-RELEASE (version 2.2.0). - -2) Download the patch and detached PGP signature from the following -location: - -The following patch applies to FreeBSD 4.2-RELEASE. - -# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch -# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch.asc - -The folllowing patch applies to FreeBSD 4.2-STABLE which is running -OpenSSH 2.3.0 (4.2-STABLE dated after 2000-12-05) - -# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch -# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch.asc - -Verify the detached signature using your PGP utility. - -Issue the following commands as root: - -# cd /usr/src/crypto/openssh -# patch -p < /path/to/patch -# cd /usr/src/secure/lib/libssh -# make all -# cd /usr/src/secure/usr.bin/ssh-agent -# make all install -# cd /usr/src/secure/usr.sbin/sshd -# make all install - -Finally, if sshd is already running then kill and restart the sshd -daemon: perform the following command as root: - -# kill -KILL `cat /var/run/sshd.pid` && /usr/sbin/sshd - -This will not affect sessions in progress. - -- --[OpenSSH - port]----- - -Use one of the following options to upgrade the OpenSSH software, then -kill and restart the sshd daemon if it is already running. This will -not affect sessions in progress. - -To kill and restart the sshd daemon, perform the following command as -root: - -# kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd - -1) Upgrade your entire ports collection and rebuild the OpenSSH port. - -2) Deinstall the old package and install a new package dated after the -correction date, obtained from: - -[i386] -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0_2.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0_2.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0_2.tgz - -NOTE: It may be several days before updated packages are available. - -[alpha] -Packages are not automatically generated for the alpha architecture at -this time due to lack of build resources. - -3) download a new port skeleton for the OpenSSH port from: - -http://www.freebsd.org/ports/ - -and use it to rebuild the port. - -4) Use the portcheckout utility to automate option (3) above. The -portcheckout port is available in /usr/ports/devel/portcheckout or the -package can be obtained from: - -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz - -- --[ssh - port]----- - -Use one of the following options to upgrade the ssh software, then -kill and restart the sshd daemon if it is already running. This will -not affect sessions in progress. - -To kill and restart the sshd daemon, perform the following command as -root: - -# kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd - -1) Upgrade your entire ports collection and rebuild the ssh port. - -2) Deinstall the old package and install a new package dated after the -correction date, obtained from: - -[i386] -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/ssh-1.2.27_3.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/ssh-1.2.27_3.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/ssh-1.2.27_3.tgz - -NOTE: It may be several days before updated packages are available. - -[alpha] -Packages are not automatically generated for the alpha architecture at -this time due to lack of build resources. - -3) download a new port skeleton for the OpenSSH port from: - -http://www.freebsd.org/ports/ - -and use it to rebuild the port. - -4) Use the portcheckout utility to automate option (3) above. The -portcheckout port is available in /usr/ports/devel/portcheckout or the -package can be obtained from: - -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.0.4 (FreeBSD) -Comment: For info see http://www.gnupg.org - -iQCVAwUBOoiAylUuHi5z0oilAQEoVgP/Qc5UXjRnR3byHZfQyM4VyuwCWAWeAaD7 -HPjlhLTiOb0HUqsVhiraIX5Mgi5ReySj2wREd4EKW9pEKiXfcXCWItivG8PrV/P8 -NHEo5B393r1G8ovtkt3fu0bQ7RhOrxOeHRn5mxbmk8pIrRg7oxeZ02ygJiCV8LqT -hoOxMmU4FYQ= -=REEI ------END PGP SIGNATURE----- |