SuSE Security Announcement: openssh (second release) (SuSE-SA:2003:039)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: openssh (second release)
Announcement-ID: SuSE-SA:2003:039
Date: Thursday, Sep 18 2003 20:00 MEST
Affected products: 7.2, 7.3, 8.0, 8.1, 8.2
SuSE Linux Database Server,
SuSE eMail Server III, 3.1
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
SuSE Linux Standard Server 8
Vulnerability Type: potential remote privilege escalation
Severity (1-10): 8
SuSE default package: yes
Cross References: http://www.openssh.com/txt/buffer.adv
CERTVU#333628 http://www.kb.cert.org/vuls/id/333628
CVE CAN-2003-0693
CVE CAN-2003-0695
CVE CAN-2003-0682
Content of this advisory:
1) security vulnerability resolved: openssh
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- mysql
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The openssh package is the most widely used implementation of the secure
shell protocol family (ssh). It provides a set of network connectivity
tools for remote (shell) login, designed to substitute the traditional
BSD-style r-protocols (rsh, rlogin). openssh has various authentification
mechanisms and many other features such as TCP connection and X11 display
forwarding over the fully encrypted network connection as well as file
transfer facilities.
This is a new release of SuSE Security Announcement (openssh),
ID SuSE-SA:2003:038. A set of new bugs were addressed by the openssh
development team. These bugs are fixed in the new 3.7.1 upstream release
of the openssh package; we have added the necessary changes to our
packages preserving the package version to avoid the risk of incompatible
behaviour of the software.
Specifics about the errors found:
(Topic for SuSE Security Announcement SuSE-SA:2003:038:)
A programming error has been found in code responsible for buffer
management. If exploited by a (remote) attacker, the error may lead to
unauthorized access to the system, allowing the execution of arbitrary
commands. The error is known as the buffer_append_space()-bug and is
assigned the Common Vulnerabilities and Exposures (CVE) name CAN-2003-0693.
The error was cause for the upstream release openssh-3.7.
(Topic for SuSE Security Announcement SuSE-SA:2003:039 (this announcement):)
Programming errors of a similar kind as described above have been found in
other portions of the code, with similar effects. These errors are known
as "buffer.c/channels.c bug", the CVE name for these errors is CAN-2003-0695.
This set of errors was cause for the upstream release openssh-3.7.1.
In addition to the fixes for the buffer.c/channels.c bugs we have added
some changes that have been assembled by Solar Designer during his review
of the source code. These fixes are considered a precautious measure and
are not believed to have a significant effect on the security of the
openssh code.
At the time of writing this announcement, we believe that at least one set
of errors as described above is exploitable by a remote attacker. As a
reminder, at the time of writing the SuSE Security Announcement
SuSE-SA:2003:038 it was unclear if the bug addressed with the announcement
(buffer_append_space()-bug) is exploitable. An increasing amount of TCP
connection attempts to port 22 as observed in the internet during the
past days may indicate that there exists an exploit for the error in the
public.
Please note that we have disabled the Privilege Separation feature in
the ssh daemon (sshd) with this update. The PrivSep feature is designed
to have parts of the ssh daemon's work running under lowered privileges,
thereby limiting the effect of a possible vulnerability in the code. The
PrivSep feature is turned on/off by the UsePrivilegeSeparation keyword
in sshd's configuration file /etc/ssh/sshd_config. The feature is held
responsible for malfunctions in PAM (Pluggable Authentification Modules).
The update mechanism will not overwrite configuration files that have
been altered after the package installation.
SPECIAL INSTALL INSTRUCTIONS:
==============================
After the update has been successfully applied, the ssh daemon (sshd)
must be restarted for update package to become effective. To restart the
ssh daemon after the update, please run the following command as root:
rcsshd restart
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
Intel i386 Platform:
SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssh-3.5p1-107.i586.rpm
e030b0803481d0f29f576e3b4726284f
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssh-3.5p1-107.i586.patch.rpm
d022894363b99e6bd03e9b2109c2244c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/openssh-3.5p1-107.src.rpm
3f7f5ed43c7d795c63fe06148874944a
SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-215.i586.rpm
91cdd33a4149756b8f6371aa3177a5f4
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-215.i586.patch.rpm
3b7c44819c8fed5e33514481d99d4ab7
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/openssh-3.4p1-215.src.rpm
6c3694fc75bcf185035547b85abbc491
SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssh-3.4p1-215.i386.rpm
c61781b97767188cc3a39795535307ff
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssh-3.4p1-215.i386.patch.rpm
c222aef79a8fef6d44d8d61fc075efc5
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/openssh-3.4p1-215.src.rpm
bc327a4150058c9d1216cb96712973a5
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-156.i386.rpm
c9928c04b03cb292aa96ad6890a5ee38
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-156.src.rpm
28aa82be9233e3ba93b94eb138c9ea04
SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-156.i386.rpm
b369724a788a2c6bd70a448a49530f69
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-156.src.rpm
98b8b7281fe04aab8c8838adcf195697
Sparc Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssh-2.9.9p2-53.sparc.rpm
97cb0218e9354b8cc062e44a0d6fb19f
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssh-2.9.9p2-53.src.rpm
8cddb96e633864469d7ba08d3cf7436a
PPC Power PC Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-109.ppc.rpm
37b1e82a3971f5c4c427ce37227b11e0
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-109.src.rpm
7a19424887772b86d14bacbf5add9628
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- A buffer overflow vulnerability has been found in the mysql package,
an Open Source relational database system. The error may allow a remote
attacker to execute arbitrary code with the privileges of the database
process.
We are in the process of building and testing the update packages and
will release them with a SuSE Security Announcement as soon as possible.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
*** Reply to message from Roman Drahtmueller
On Fri, 19 Sep 2003 07:05:27 +0600
or am I really just illiterate and can use the intel packages w/o problems? Tia blonde
Yes, you can use the Intel packages. The Athelon is compatible with i386, i586 and i686. Charles -- A Linux machine! because a 486 is a terrible thing to waste! (By jjs@wintermute.ucr.edu, Joe Sloan)
Hello, I am new here so please forgive me if that question is stupid. If I use YOU do I get the required patch? BTW: What is with the new sendmail alert from CERT? Thanx and regards, Claus
Hello,
I am new here so please forgive me if that question is stupid. If I use YOU do I get the required patch?
There is some oddity there if you have once updated to 3.4p1, when we offered a downgrade to 2.9.9p2. We'll dig into that.
BTW: What is with the new sendmail alert from CERT?
Later, today.
Thanx and regards, Claus
Roman.
--
- -
| Roman Drahtmüller
Roman Drahtmueller wrote:
There is some oddity there if you have once updated to 3.4p1, when we offered a downgrade to 2.9.9p2. We'll dig into that.
I am on SuSE 8.0 and I got SSH Version # ssh -V OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f Is this safe or do I need to downgrade something? Thanx, Claus
* Roman Drahtmueller wrote on Thu, Sep 18, 2003 at 20:23 +0200:
SuSE-7.2: source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-156.src.rpm 98b8b7281fe04aab8c8838adcf195697
Hiya, I made a backport SSH-RPM for SuSE 7.0 and write here some upgrade instructions just in case someone else also has some 7.0 installations around there. First, make sure you understood that this comes without any warranty or anything, is provided AS-IS, is completely unofficial of course which means that is has nothing to do with SuSE, and even may not work at all for you. Prefer upgrading your system if you have the chance! I assume you have only remote access to the 7.0 installation (otherwise, update locally to 8.2 :-)). Make sure you have an official openssh.rpm on the machine in case you need to downgrade after errors. First, it is required to set up a SSH daemon that will survive the restart to assure you can connect after upgrade :-) As "startproc" isn't the smartest tool on 7.0, let's try this: $ cp /usr/sbin/sshd /usr/sbin/emerg.sshd $ /usr/sbin/emerg.sshd -p 27 Now connect on *another* xterm to the server by ssh, passing "-p 27". Make sure this backup works before continuing or disconnecting the prot 22 shell! If your firewall block port 27, choose another, maybe 25, 80 or 443 if unused or something greater that 1024 - or adjust your firewall. Do not continue if you don't have a SSH connection on a port different from 22 via a binary which name doesn't *start* with "/usr/sbin/sshd"! Now upgrade the rpm from the shell opened on port 27 (!): $ rpm -Uhv openssh-2.9.9p2-156.i386.rpm (Do not forget to pray from this point on, it may help) Make sure the file /etc/rc.d/sshd exists. It seems that RPM makes the backup-rename of the startscript after upgrading (or whatever). If it does not exists, just try again with force: $ rpm -Uhv --force openssh-2.9.9p2-156.i386.rpm Now - make sure you're using emerg.sshd on port 27 - execute the two commands: $ killall sshd $ rcsshd start Check if you can connect to the new port 22 sshd by using ssh without the -p option. Finally (from a port 22 shell): $ killall emerg.sshd $ rm /usr/sbin/emerg.sshd Verify that anything is fine and working. You now may stop praying and thank the lord :-) You can find the RPM here: http://sws.dett.de/tmp/openssh-2.9.9p2-156.i386.rpm (source: http://sws.dett.de/tmp/openssh-2.9.9p2-156.src.rpm) oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.
participants (6)
-
Charles Philip Chan -
claus -
jfweber@bellsouth.net -
Peter Wiersig -
Roman Drahtmueller -
Steffen Dettmer