News Stay informed about the latest enterprise technology news and product updates.

New buffer overflow threatens OpenSSH systems

A buffer overflow vulnerability has been discovered in OpenSSH that could lead to system crashes. Experts said exploits are being traded in the wild but, as of now, code execution is not possible by exploiting this flaw.

A buffer overflow vulnerability has been found in OpenSSH that could threatens systems running the ubiquitous network protocol.

OpenSSH is an open-source secure shell daemon that encrypts network packets. Red Hat Linux, SuSE Linux, FreeBSD, OpenBSD and Mandrake Linux, as well as many Unix and other systems, integrate OpenSSH into the base OS as a remote login solution.

Several security mailing lists are reporting that exploit code is being traded in the wild. As of today, it is unknown whether an exploit could either crash or enable remote code execution. Experts urge administrators to treat this serious vulnerability as if there were a working exploit, and they suggest that users upgrade vulnerable systems to OpenSSH 3.7 and 3.7p1, which are available for download from Vendor-specific fixes are imminent.

OpenSSH is developed by the OpenBSD Project, which offers a free Unix-like operating system. OpenSSH versions up to and including 3.6.1, as well as the portable version of OpenSSH, are affected by the flaw.

Atlanta-based Internet Security Systems Inc. discovered the flaw. Researchers there said that when an unusually large packet (at least 10 MB of traffic) is sent to OpenSSH, its buffer management tries to reallocate a larger buffer. In some cases, the cleanup process leads to heap corruption and crashes that process.

"This is a difficult vulnerability to exploit," said Dan Ingevaldson, team leader for ISS' XForce security team. "But it's only difficult once. Once someone exploits it, it becomes public domain."

An alert from FreeBSD explains: "In some cases, the cleanup code will attempt to zero and free the buffer that just had its recorded size (but not actual allocation) increased. As a result, memory outside of the allocated buffer will be overwritten with NUL bytes."

FreeBSD recommends several workarounds, including disabling the base system sshd and ensuring sshd is not restarted when a system is restarted. Also, FreeBSD recommends uninstalling the OpenSSH or OpenSSH portable ports if they are installed.

"This is a serious vulnerability. OpenSSH is the most common SSH server out there," Ingevaldson said. "SSH is part of the fabric of Unix [and Linux] systems. Administrators use it to connect to a lot of appliance, virus gateways and IDS systems. This is a significant deal."

FOR MORE INFORMATION: news exclusive: "2.6 kernel cures some security shortcomings" news exclusive: "Linux security: The seven deadly sins"

Best Web Links on security

Ask the experts

FEEDBACK: Has this security incident shaken your faith in OpenSSH?
Send your feedback to the news team.

Dig Deeper on Linux servers

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.