A buffer overflow has been discovered in OpenSSH by which, in a worst-case scenario, remote users can gain privileged access to a server. Fortunately the bug is not present in a default install, and therefore it likely does not affect the vast majority of users. According to the OpenSSH security advisory: "All Versions of OpenSSH compiled with AFS/Kerberos support and ticket/token passing enabled contain a buffer overflow. Ticket/Token passing is disabled by default and available only in protocol version 1."
If you have compiled in AFS/Kerberos support and have ticket/token passing enabled:
To fix OpenSSH, apply this patch, and replace radix.c with this file.
Update: the updated advisory follows.
From: Niels Provos
Subject: OpenSSH Security Advisory (adv.token)
Date: Sat, 20 Apr 2002 23:49:34 -0400
A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
has been enabled in the sshd_config file. Ticket and token passing
is not enabled by default.
1. Systems affected:
All Versions of OpenSSH compiled with AFS/Kerberos support
and ticket/token passing enabled contain a buffer overflow.
Ticket/Token passing is disabled by default and available
only in protocol version 1.
2. Impact:
Remote users may gain privileged access for OpenSSH < 2.9.9
Local users may gain privileged access for OpenSSH < 3.3
No privileged access is possible for OpenSSH with
UsePrivsep enabled.
3. Solution:
Apply the following patch and replace radix.c with
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18
4. Credits:
kurt AT seifried.org for notifying the OpenSSH team.
http://mantra.freeweb.hu/
This is the 2nd revision of the Advisory.
Buffer overflow in OpenSSH's sshd if AFS has been configured on the
system or if KerberosTgtPassing or AFSTokenPassing has been enabled
in the sshd_config file. Ticket and token passing is not enabled
by default.
1. Systems affected:
All Versions of OpenSSH with AFS/Kerberos token passing
compiled in and enabled (either in the system or in
sshd_config) contain a buffer overflow.
Token passing is disabled by default and only available in
protocol version 1.
2. Impact:
Remote users can get privileged access for OpenSSH < 2.9.9
Local users can get privileged access for OpenSSH < 3.2.1
No privileged access is possible for OpenSSH with
UsePrivilegeSeparation enabled.
3. Solution:
Apply the matching patch:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.1-adv.token.patch
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.1p1-adv.token.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/024_sshafs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/019_sshafs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/001_sshafs.patch
4. Credits:
Marcell Fodor
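The two advisory texts above name the same three conditions (Kerberos/AFS support compiled in, KerberosTgtPassing or AFSTokenPassing enabled in sshd_config, protocol 1 offered) and one mitigating setting (privilege separation). The following script, added here as an illustration and not code from the advisory or the OpenSSH project, applies those conditions to an sshd_config so an administrator can triage a host. The sample configs are constructed; the version thresholds (remote for < 2.9.9, local for < 3.3) are taken from the first advisory text on this page; whether Kerberos/AFS was compiled in cannot be read from the config file, so it is passed in as a parameter; and the assumed default of "Protocol 2,1" for an unset Protocol keyword should be checked against the sshd manual for the version in use.

```python
"""Audit an sshd_config for the conditions named in the OpenSSH adv.token advisory.

Added illustration; not code from the OpenSSH project or the advisory.
"""
import re

# Constructed sample: a config that enables the vulnerable features.
SAMPLE_VULNERABLE = """
# sshd_config (constructed sample)
Port 22
Protocol 2,1
KerberosAuthentication yes
KerberosTgtPassing yes
AFSTokenPassing yes
UsePrivilegeSeparation no
"""

# Constructed sample: the same host with token passing and protocol 1 turned off.
SAMPLE_HARDENED = """
Port 22
Protocol 2
KerberosTgtPassing no
AFSTokenPassing no
UsePrivilegeSeparation yes
"""

REMOTE_FIXED = (2, 9, 9)   # advisory: remote privileged access for OpenSSH < 2.9.9
LOCAL_FIXED = (3, 3, 0)    # advisory (first text on the page): local privileged access for < 3.3


def parse_sshd_config(text):
    """Return {lowercased keyword: value}, keeping the first occurrence of each keyword.

    sshd honours the first occurrence of a keyword and keywords are case-insensitive;
    both 'Keyword value' and 'Keyword=value' forms are accepted here."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        conf.setdefault(key, value)
    return conf


def _yes(conf, key, default="no"):
    return conf.get(key, default).lower() == "yes"


def protocol_1_offered(conf):
    """True if protocol version 1 is among the offered versions.
    Assumed default when Protocol is unset: '2,1' (verify against the sshd manual)."""
    versions = {v.strip() for v in conf.get("protocol", "2,1").split(",")}
    return "1" in versions


def version_tuple(version):
    """'3.1p1' -> (3, 1, 0); the portable 'pN' suffix does not affect the comparison."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised OpenSSH version: %r" % version)
    return tuple(int(x) if x else 0 for x in m.groups())


def assess(config_text, version, kerberos_afs_compiled_in=True):
    """Apply the advisory's conditions and classify the impact for one host."""
    conf = parse_sshd_config(config_text)
    token_passing = _yes(conf, "kerberostgtpassing") or _yes(conf, "afstokenpassing")
    proto1 = protocol_1_offered(conf)
    privsep = _yes(conf, "useprivilegeseparation")
    # The overflow is reachable only when all three conditions hold.
    vulnerable = kerberos_afs_compiled_in and token_passing and proto1
    v = version_tuple(version)
    if not vulnerable:
        impact = "none"
    elif privsep:
        impact = "overflow reachable, but no privileged access with privilege separation"
    elif v < REMOTE_FIXED:
        impact = "remote privileged access"
    elif v < LOCAL_FIXED:
        impact = "local privileged access"
    else:
        impact = "overflow present; advisory lists no privilege escalation for this version"
    return {"token_passing": token_passing, "protocol_1": proto1, "privsep": privsep,
            "vulnerable": vulnerable, "impact": impact}


if __name__ == "__main__":
    for name, cfg in (("vulnerable", SAMPLE_VULNERABLE), ("hardened", SAMPLE_HARDENED)):
        print(name, assess(cfg, "3.1p1"))
```

In every case the advisory's actual remedy is the patch; the assessment only tells you how urgently it is needed and whether turning off token passing or protocol 1 removes the exposure in the meantime.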
No Problem For Most Of Us
> Ticket/Token passing is disabled by default and available
> only in protocol version 1.
So, almost all sane people (those using only version 2 ssh) aren't affected at all ;)
--
I used to have a sig until the great Kahuna of FOOness
told me to dump it and use /dev/urandom instead.