Fwd: TruSecure ALERT - TSA 03-013 - OpenSSH Remote Buffer Overflow

on 17.09.2003 19:56:05 by Walter Olivero

Hi!

Review this information carefully.

Regards!


*************************************************
Walter Olivero
*************************************************
walter_olivero@hotmail.com
Cell # 1-305-872-6329
*************************************************





>Subject: TruSecure ALERT - TSA 03-013 - OpenSSH Remote Buffer Overflow
>Date: Tue, 16 Sep 2003 19:22:16 -0400
>
>The following alert was received by Secure Florida (
>www.secureflorida.org ) through its
>contract with the TruSecure Corporation. This alert is the property of
>the TruSecure Corporation, and Secure Florida makes no warranties as to
>the validity of this information. Please consult the technical expert
>of your choosing before taking any action.
>
>The following is a HOT alert, and should be taken seriously.
>
>TruSecure ALERT - TSA 03-013 -- ALERT
>
>Current Assessment: HOT
>Initial Assessment: Important
>Current Assessment Date: September 16, 2003
>Time: 20:00 UTC
>Initial Assessment Date: September 15, 2003
>Time: 21:00 UTC
>
>Vulnerable systems include FreeBSD, OpenBSD, NetBSD, and Linux systems,
>all running versions of OpenSSH earlier than 3.7. Users who do not
>employ any of these systems will not be affected by this vulnerability.
>
>If you are running a version of OpenSSH earlier than 3.7, please update
>your software. The updated 3.7 version is available from the OpenSSH ftp
>repository: OpenBSD Source
>ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.7.tgz
>
>Executive Summary:
>A new vulnerability has been discovered in OpenSSH, a service that is
>customarily used for secure remote management of Unix type systems
>(particularly Linux, OpenBSD, HPUX Sun, and Cisco Storage Servers).
>There is no vulnerability related to Windows systems or servers. There
>are rumored public and private discussions that suggest successful
>attacks against this vulnerability have already occurred. Since the
>service is customarily used by Unix administrators for managing and
>administering critical systems, any exploit of OpenSSH would likely
>result in a denial of service or possibly administrative control of
>critical systems. If attack code is truly in the wild, then we would
>expect that attacks will accelerate.
>
>We will be updating this alert as we gain more information. Please check
>www.secureflorida.org for updates.
>
>Threat Rate: Low but attacks are reportedly in the wild; the threat
>rate will trend higher as attack code becomes more widely available.
>
>Vulnerability Prevalence: Moderate to high for vulnerable servers and
>infrastructure devices.
>
>Cost: Medium to High, Denial of Service to vulnerable infrastructure
>devices and possible administrative privilege on vulnerable servers.
>
>Summary:
>----------------------------------------------------------------------
>On September 15th, TruSecure issued a TS RADAR notification concerning a
>new OpenSSH vulnerability. An updated TS RADAR posting was issued early
>on the 16th, indicating that there was confirmation of the vulnerability
>and that vendors were preparing fixes for the OpenSSH code.
>
>The updated code base addresses a situation which would occur when more
>buffer space is needed than has currently been allocated. The changes
>modify how additional buffer space is allocated before data can be
>written to the buffer.
>
>Availability of patched versions of OpenSSH will vary by OS
>version/distribution; customers with software maintenance agreements
>should consult their vendors regarding availability.
>
>The updated 3.7 version is available from the OpenSSH ftp repository:
>OpenBSD Source
>ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.7.tgz
>
>MD5 (openssh-3.7.tgz) = 86864ecc276c5f75b06d4872a553fa70
>
>Portable Source (Linux, etc.)
>
>ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7p1.tgz
>MD5 (openssh-3.7p1.tar.gz) = 77662801ba2a9cadc0ac10054bc6cb37
>
>RPM (various)
>
>ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/
>
>Customers who are unable to patch or upgrade OpenSSH should consider
>disabling the service. In general, TruSecure recommends restricting
>access to vulnerable systems through the use of firewall or router ACLs
>that will only permit specific hosts to connect to the vulnerable
>systems.
>
>Although widespread availability of a tool to exploit this issue has NOT
>been confirmed, the rapid progression from hearsay to code updates
>appears to indicate that there is a credible threat. The ubiquitous
>deployment of OpenSSH makes it an attractive target, and should tools
>become widely available, the likelihood of automated
>exploitation is significant.
>
>Version Summary
>----------------------------------------------------------------------
>Conectiva, Debian, Immunix, Mandrake, and Slackware have released
>security advisories and updates packages to address the OpenSSH buffer
>overflow. CERT has released a vulnerability note as well.
>
>
>Warning Indicators
>----------------------------------------------------------------------
>Systems running versions of OpenSSH prior to 3.7 are vulnerable.
>
>OpenSSH.org has stated that the following operating systems, devices,
>and vendors use OpenSSH or binaries based on it:
>
>
>OpenBSD
>Debian Linux
>FreeBSD
>Suse Linux
>Redhat Linux
>Mandrake Linux
>BSDi BSD/OS
>NetBSD
>Computone
>Conectiva Linux
>Slackware Linux
>Caldera OpenLinux
>Stallion
>Rock Linux
>Cygwin
>e-smith server and gateway
>Engarde Linux
>MacOS X Version 10.1
>HP Procurve Switch 4108GL and 2524/2512
>IBM AIX
>Gentoo Linux
>Gwynux/Toadware Linux
>Sun Solaris 9 (named SunSSH)
>SmoothWall
>IPCop
>SGI Irix
>ThinLinc
>Nokia
>IPSO
>Cisco CSS11500 series content services switches
>Cisco SN 5400 series storage routers
>TopLayer IDS balancers
>
>Technical Information
>----------------------------------------------------------------------
>The vulnerability exists in buffer.c, and is caused by a misallocation
>of buffer memory.
>
>The flaw occurs because of a segment of code within
>buffer_append_space() that calls the fatal() function without first
>examining the passed buffer. The fatal() function calls cleanup
>handlers that may operate using potentially corrupted information. Under
>some circumstances the buffer may expand beyond the allocated size. The
>published fix updates the buffer->alloc after the fatal() check.
>
>A CVS diff is available at the following FreeBSD security link for
>detailed technical review:
>[ FreeBSD CVS Log ]
>
>Because ssh is often part of default Linux installations and now
>ships with Solaris and Mac OS X, ssh may be installed and administrators
>might not be aware of it. The service runs on port 22/tcp and can be
>found by checking netstat on the local system, port scanning at the
>network level, or by using the telnet command to
>check a particular host.
>
>
>MITIGATIONS:
>1. Customers are urged to upgrade OpenSSH to the 3.7 version.
>2. In addition, TruSecure recommends restricting access to vulnerable
>systems from unknown/untrusted hosts by implementing appropriate access
>control lists.
>
>Safeguards
>----------------------------------------------------------------------
>Administrators are advised to install the applicable patch.
>
>Administrators who are unable to patch or upgrade OpenSSH should
>consider disabling the service, or restricting access to affected
>systems through the use of firewall or router ACLs. When restricting
>access to these systems, administrators should specify only the specific IP
>addresses that can access the port assigned to SSH, which is assigned
>port 22/tcp by default.
>
>It is important to remember that the firewalls and routers used to
>provide the access control mentioned above can also rely on SSH for
>administrative tasks. These devices should be sure to include
>themselves when firewall policies or router ACLs are modified.
>
>Patches/Software and vendor announcements
>----------------------------------------------------------------------
>OpenSSH has released a security advisory at the following link:
>[ OpenSSH ]
>
>Conectiva has released a security announcement at the following link:
>[ CLSA-2003:739 ]
>http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000739
>
>Debian has released a security advisory at the following link:
>[ DSA-382-1 ]
>http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00187.html
>
>FreeBSD has released a security advisory that will be available at the
>following FTP link:
>[ FreeBSD-SA-03:12 ]
>
>Guardian Digital has released a security advisory at the following link:
>[ ESA-20030916-023 ]
>
>
>Mandrake has released a security advisory at the following link:
>[ MDKSA-2003:090 ]
>
>Red Hat has released a security advisory at the following link:
>[ RHSA-2003:279-07 ]
>
>Slackware has released a security advisory at the following link:
>[ SSA:2003-259-01 ]
>
>CERT has released a vulnerability note at the following link:
>[ VU#333628 ]
>
>
>
>
>Disclaimer:
>
>----------------------------------------------------------------------
>
>Copyright (c) 2003 TruSecure Corporation. All rights reserved. This
>Alert is the property of the TruSecure Corporation. It may not be
>redistributed except within your own company or organization. This Alert
>is being provided for informational purposes only and is provided AS
>IS. The TruSecure Corporation makes no warranties of any kind, express
>or implied, including, but not limited to warranties of merchantability,
>fitness for a particular purpose, non-infringement, and warranties
>arising out of any course of dealing or course of conduct.
>
>
>
>Impenetrable security is unattainable in real world environments; the
>TruSecure Corporation cannot and does not guarantee protection against
>breaches of security.
>
>
>
>IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS
>INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND,
>HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE
>INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY
>PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE
>CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
>
>----------------------------------------------------------------------
>
>Copyright (c) 2003 by TruSecure: http://www.trusecure.com
>
>
>----------------------------------------------------------------------
>
>No further information regarding this Alert will be e-mailed to you; for
>additional updates please visit the Secure Florida web site at
>www.secureflorida.org .
>
>As a Secure Florida registrant, you have opted to receive Hot and Red
>Hot alerts. If you wish to opt out of receiving e-mails in the
>future, go to this URL:
>https://imarcs.imarcsgroup.com/secure_florida/Default.asp
>then go to
>the Secure Florida log-in page. After you log in, you can click on
>"Edit Profile" and select "remove me."
>
>Throughout this alert you may see references made by the TruSecure
>Corporation addressing the TruSecure "client" or "TruSecure Essential
>Practices." While members of Secure Florida are not members of
>TruSecure, we have opted not to change the wording of any alert in order
>to distribute them in a timely and efficient fashion, and to provide you
>this alert in its original form. If you need a less technical
>interpretation of any alert please consult the technical expert of your
>choosing before taking any action.
>

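As an added illustration, not code from the advisory or from OpenSSH itself, the following C model shows the ordering the Technical Information section describes: the buffer's alloc field is committed only after the size check and the reallocation succeed, so a cleanup handler that wipes alloc bytes can never reach past the memory actually behind the buffer. The struct layout, the BUFFER_* limits and the helper names are assumptions chosen for the model.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal model of a growable buffer; assumed layout, not OpenSSH's buffer.c. */
typedef struct {
    unsigned char *buf;
    size_t end;    /* bytes of data currently stored */
    size_t alloc;  /* bytes really allocated behind buf */
} Buffer;

#define BUFFER_INIT    4096      /* assumed initial size */
#define BUFFER_GROW    32768     /* assumed growth increment */
#define BUFFER_MAX_LEN 0xa00000  /* assumed hard limit for one buffer */

void buffer_init(Buffer *b) { b->alloc = BUFFER_INIT; b->buf = calloc(1, b->alloc); b->end = 0; }

/* Cleanup as a fatal-error handler would run it: wipe then release, trusting
 * b->alloc as the length. Safe only while alloc matches the real allocation. */
void buffer_free(Buffer *b)
{
    memset(b->buf, 0, b->alloc);
    free(b->buf);
    b->buf = NULL;
    b->alloc = b->end = 0;
}

/* Reserve len writable bytes; return NULL and leave the buffer untouched when
 * the limit is hit or realloc fails. The vulnerable ordering raised alloc
 * before the limit check, so a handler wiping alloc bytes ran past the real
 * allocation; here alloc is committed only after realloc has succeeded. */
unsigned char *buffer_append_space(Buffer *b, size_t len)
{
    size_t newlen;
    unsigned char *p;
    if (len < b->alloc - b->end) {           /* fits without growing */
        p = b->buf + b->end;
        b->end += len;
        return p;
    }
    newlen = b->alloc + len + BUFFER_GROW;
    if (newlen < b->alloc || newlen > BUFFER_MAX_LEN)
        return NULL;                         /* refused: alloc unchanged */
    if ((p = realloc(b->buf, newlen)) == NULL)
        return NULL;                         /* failed: alloc unchanged */
    b->buf = p;
    b->alloc = newlen;                       /* now matches the allocation */
    p = b->buf + b->end;
    b->end += len;
    return p;
}
```

A refused request leaves alloc equal to the real allocation, so the subsequent buffer_free() wipes exactly the bytes that exist.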

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html