__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN OpenSSH SSH1 Coding Error and Server Key Vulnerability February 13, 2001 20:00 GMT Number L-047 ______________________________________________________________________________ PROBLEM: OpenSSH has two SSH1-related problems. 1) Some earlier versions of OpenSSH contain a work around with a coding error. The work around was intended to ward off an integer overflow by remote users that could lead to a root compromise. 2) SSH1 protocol implementation has a vulnerability that can lead to the decryption of the entire contents of a snooped connection. PLATFORM: Those running FreeBSD 4.x, 4.2-STABLE versions that were released prior to the correction dates. Those using ports collections that were released prior to the correction dates. OpenSSH [FreeBSD 4.x base system]: 2000-12-05 (Vulnerability 1) 2001-02-11 (Vulnerability 2) OpenSSH [ports]: 2001-02-09 (Vulnerability 1) 2001-02-11 (Vulnerability 2) ssh [ports]: 2001-02-09 (Vulnerability 1) 2001-02-09 (Vulnerability 2) DAMAGE: The SSH server could be root compromised. The encrypted session could be decrypted. SOLUTION: Use the proper updated versions which contain the corrected work around. Use the proper updated versions to greatly reduce the possibility of unwanted decryption of an encrypted session. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM because the integer overflow has been ASSESSMENT: discussed in public forums but there are no reports yet of successful exploit programs. ______________________________________________________________________________ [Start FreeBSD, Inc. Advisory ] ============================================================================= FreeBSD-SA-01:24 Security Advisory FreeBSD, Inc. Topic: SSH1 implementations may allow remote system, data compromise Category: core/ports Module: openssh, ssh Announced: 2001-02-12 Credits: Michal Zalewski (Vulnerability 1) Core-SDI (http://www.core-sdi.com) (Vulnerability 2) Affects: FreeBSD 4.x, 4.2-STABLE prior to the correction date Ports collection prior to the correction date. Corrected: OpenSSH [FreeBSD 4.x base system]: 2000-12-05 (Vulnerability 1) 2001-02-11 (Vulnerability 2) OpenSSH [ports]: 2001-02-09 (Vulnerability 1) 2001-02-11 (Vulnerability 2) ssh [ports]: 2001-02-09 (Vulnerability 1) 2001-02-09 (Vulnerability 2) Vendor status: Patches released. FreeBSD only: NO I. Background OpenSSH is an implementation of the SSH1 and SSH2 secure shell protocols for providing encrypted and authenticated network access, which is available free for unrestricted use. An SSH1 client/server (ssh) from ssh.com is included in the ports collection. This software is not available free of charge for all uses, and the FreeBSD Security Officer does not recommend its use. II. Problem Description There are two flaws in the SSH1 protocol as implemented by OpenSSH and ssh. Vulnerability 1: An integer overflow may allow arbitrary remote users to obtain root permissions on the server running sshd. This is due to a coding mistake in code intended to work around a protocol flaw in the SSH1 protocol. This vulnerability was corrected in OpenSSH 2.3.0, which was committed to FreeBSD 4.2-STABLE on 2000-12-05. Vulnerability 2; Remote attackers who can observe the encrypted contents of a user's SSH1 session, and who have the ability to mount large numbers of connections fo the SSH1 server may be able to break the transient server key used by the server to negotiate encryption parameters for the session, and from there can decrypt the entire contents of the snooped connection. The transient key has a lifetime of only one hour by default, but all snooped SSH1 sessions captured within this timeframe may be broken if the attack is successful. This attack is mitigated by the requirement to initiate large numbers of SSH1 protocol connections to the server during the lifetime of the key. On average a sustained connection rate of around 400 connections and SSH1 protocol handshakes must be carried out per second to have a high chance of succeeding within the 1 hour lifetime of the server key. OpenSSH contains rate-limiting code which will limit the number of outstanding connections to a fraction of this number in the default configuration, and computational and network limitations may reduce this number still further. Therefore, though the potential impact of this flaw is great, it is made very difficult to exploit in practice. However, note that even though the chances of success are reduced, the vulnerability is not eliminated. OpenSSH is installed if you chose to install the 'crypto' distribution at install-time or when compiling from source, and is installed and enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1 protocol support is enabled. If SSH1 protocol support has been disabled in OpenSSH, it is not vulnerable to these attacks. They do not affect implementations of the SSH2 protocol, such as OpenSSH run in SSH2-only mode. Versions of the OpenSSH port prior to openssh-2.2.0_2, and versions of the ssh port prior to ssh-1.2.27_3 are vulnerable to these attacks. III. Impact Arbitrary remote users may be able to execute arbitrary code as root on an SSH1 server accepting connections via the SSH1 protocol. Remote users who can snoop the encrypted contents of SSH1 sessions belonging to other users, and who can mount a very high rate of connections to the server may be able to mount an attack leading to the ability to decrypt these sessions. This attack may disclose account password details as well as other sensitive data. IV. Workaround If you are running sshd, disable the use of the SSH1 protocol in OpenSSH. SSH1 contains inherent protocol deficiencies and is not recommended for use in high-security environments. Note that some third-party SSH clients are not capable of using the SSH2 protocol, however the OpenSSH client (version 2.1 and later) included in FreeBSD is SSH2-capable. To disable SSH1, add the following line to the /etc/ssh/sshd_config file (/usr/local/etc/sshd_config for the OpenSSH port): Protocol 2 and remove any other "Protocol" directives from that file. Execute the following command as root: # kill -HUP `cat /var/run/sshd.pid` This will cause the parent process to reread its configuration file, and should not interfere with existing SSH sessions. V. Solution - --[OpenSSH - base system]----- One of the following: 1) Upgrade to FreeBSD 4.2-STABLE after the correction date. Note that these versions of FreeBSD contain a newer version of OpenSSH (version 2.3.0) than was in 4.2-RELEASE (version 2.2.0). 2) Download the patch and detached PGP signature from the following location: The following patch applies to FreeBSD 4.2-RELEASE. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24 /sshd-4.2-release.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24 /sshd-4.2-release.patch.asc The folllowing patch applies to FreeBSD 4.2-STABLE which is running OpenSSH 2.3.0 (4.2-STABLE dated after 2000-12-05) # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24 /sshd-4.2-stable.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24 /sshd-4.2-stable.patch.asc Verify the detached signature using your PGP utility. Issue the following commands as root: # cd /usr/src/crypto/openssh # patch -p < /path/to/patch # cd /usr/src/secure/lib/libssh # make all # cd /usr/src/secure/usr.bin/ssh-agent # make all install # cd /usr/src/secure/usr.sbin/sshd # make all install Finally, if sshd is already running then kill and restart the sshd daemon: perform the following command as root: # kill -KILL `cat /var/run/sshd.pid` && /usr/sbin/sshd This will not affect sessions in progress. - --[OpenSSH - port]----- Use one of the following options to upgrade the OpenSSH software, then kill and restart the sshd daemon if it is already running. This will not affect sessions in progress. To kill and restart the sshd daemon, perform the following command as root: # kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd 1) Upgrade your entire ports collection and rebuild the OpenSSH port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security /openssh-2.2.0_2.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security /openssh-2.2.0_2.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security /openssh-2.2.0_2.tgz NOTE: It may be several days before updated packages are available. [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) download a new port skeleton for the OpenSSH port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel /portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel /portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel /portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel /portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel /portcheckout-2.0.tgz - --[ssh - port]----- Use one of the following options to upgrade the ssh software, then kill and restart the sshd daemon if it is already running. This will not affect sessions in progress. To kill and restart the sshd daemon, perform the following command as root: # kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd 1) Upgrade your entire ports collection and rebuild the ssh port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security /ssh-1.2.27_3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security /ssh-1.2.27_3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security /ssh-1.2.27_3.tgz NOTE: It may be several days before updated packages are available. [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) download a new port skeleton for the OpenSSH port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel /portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel /portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel /portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel /portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel /portcheckout-2.0.tgz [End FreeBSD, Inc. Advisory ] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of FreeBSD, Inc. for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) L-037: FreeBSD periodic Uses Insecure Temporary Files L-038: FreeBSD inetd ident Server Vulnerability L-039: FreeBSD sort Uses Insecure Temporary Files L-040: The Ramen Worm L-041: Microsoft Hotfix Packaging Anomalies L-042: Compaq Web-enabled Management Software Buffer Overflow L-043: Microsoft NTLMSSP Privilege Elevation Vulnerability L-044: Microsoft Network DDE Agent Request Vulnerability L-045: Red Hat Linux 'sysctl, ptrace, & mxcsr P4 ' Vulnerability L-046: The VBS.AnnaKournikova Worm