openssh-channel-error (8383)
High Risk
OpenSSH off-by-one error in channel code
Description:
OpenSSH versions 2.0 through 3.0.2 contain an
off-by-one error in the channel code, which
could allow a local user to gain root privileges
and execute arbitrary code on the system. A
malicious SSH server could exploit this
vulnerability on a vulnerable SSH client
connecting to the server.
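The entry does not show the flawed code, so the following is an added example and not OpenSSH source: a generic model of an off-by-one bounds check on an id-indexed table, beside its corrected form, with a boundary sweep that exposes the difference. All names (`table`, `lookup_off_by_one`, `lookup_fixed`, `N_SLOTS`) and the guard slot are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define N_SLOTS 4                 /* constructed: logical table size */

struct chan { int id; };

/* One extra guard slot after the logical end, so the flawed lookup can be
 * observed without undefined behaviour. Real code has no such guard. */
static struct chan table[N_SLOTS + 1] = {
    {0}, {1}, {2}, {3}, {-99 /* guard */}
};

/* Flawed check: '>' lets id == N_SLOTS through, one past the last slot. */
static struct chan *lookup_off_by_one(int id)
{
    if (id < 0 || id > N_SLOTS)
        return NULL;
    return &table[id];
}

/* Corrected check: valid indices are 0 .. N_SLOTS-1, so reject id >= N_SLOTS. */
static struct chan *lookup_fixed(int id)
{
    if (id < 0 || id >= N_SLOTS)
        return NULL;
    return &table[id];
}

/* Boundary sweep: count ids outside 0..N_SLOTS-1 that a lookup still accepts. */
static int count_out_of_range_hits(struct chan *(*lookup)(int))
{
    int hits = 0;
    for (int id = -2; id <= N_SLOTS + 2; id++) {
        int in_range = (id >= 0 && id < N_SLOTS);
        if (!in_range && lookup(id) != NULL)
            hits++;
    }
    return hits;
}

int main(void)
{
    printf("off-by-one check accepts %d out-of-range id(s)\n",
           count_out_of_range_hits(lookup_off_by_one));
    printf("fixed check accepts %d out-of-range id(s)\n",
           count_out_of_range_hits(lookup_fixed));
    return 0;
}
```

A sweep of this kind over every index-validating function is a cheap regression test to keep alongside the upgrade.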
Platforms Affected:
Caldera OpenLinux Server 3.1
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Workstation 3.1
Caldera OpenLinux Workstation 3.1.1
Caldera OpenServer 5.0.6a and earlier
Caldera OpenUnix 8.0.0
Caldera UnixWare 7.1.1
Conectiva Linux 5.0
Conectiva Linux 5.1
Conectiva Linux 6.0
Conectiva Linux 7.0
Conectiva Linux ecommerce
Conectiva Linux prg graficos
EnGarde Secure Linux Community Edition
FreeBSD 4.4-RELEASE
FreeBSD 4.5-RELEASE
FreeBSD 4.5-STABLE
Mandrake Linux 7.1
Mandrake Linux 7.2
Mandrake Linux 8.0
Mandrake Linux 8.1
Mandrake Linux Corporate Server 1.0.1
Mandrake Single Network Firewall 7.2
NetBSD 1.5
NetBSD 1.5.1
NetBSD 1.5.2
NetBSD-current pre20020307
OpenPKG 1.0
OpenSSH 2.0 up to 3.0.2
OpenSSH Any version
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.x
SuSE Linux 6.4
SuSE Linux 7.0
SuSE Linux 7.1
SuSE Linux 7.2
SuSE Linux 7.3
SuSE Linux Connectivity Server Any version
SuSE Linux Database Server Any version
SuSE Linux Enterprise Server 7
SuSE Linux Firewall Any version
SuSE eMail Server III Any version
Trustix Secure Linux 1.1
Trustix Secure Linux 1.2
Trustix Secure Linux 1.5
Remedy:
Upgrade to the latest version of OpenSSH (3.1
or later), as listed in OpenSSH Security
Advisory (adv.channelalloc). See References.
For Conectiva Linux 5.0: Upgrade to the
latest version of OpenSSH (3.0.2pl-1U50_2cl or
later), as listed in Conectiva Linux Security
Announcement CLA-2002:467. See References.
For Conectiva Linux 5.1: Upgrade to the
latest version of OpenSSH (3.0.2pl-1U51_2cl or
later), as listed in Conectiva Linux Security
Announcement CLA-2002:467. See References.
For Conectiva Linux 6.0: Upgrade to the
latest version of OpenSSH (3.0.2pl-1U60_2cl or
later), as listed in Conectiva Linux Security
Announcement CLA-2002:467. See References.
For Conectiva Linux 7.0: Upgrade to the
latest version of OpenSSH (3.0.2pl-1U70_2cl or
later), as listed in Conectiva Linux Security
Announcement CLA-2002:467. See References.
For Conectiva Linux prg graficos and
ecommerce: Upgrade to the latest version of
OpenSSH (3.0.2pl-1U50_2cl or later), as listed
in Conectiva Linux Security Announcement
CLA-2002:467. See References.
For EnGarde Secure Linux Community
Edition: Upgrade to the latest version of
OpenSSH (2.3.0p1-1.0.18 or later), as listed in
EnGarde Secure Linux Security Advisory
ESA-20020307-007. See References.
For FreeBSD 4.4-RELEASE, 4.5-RELEASE, and
4.5-STABLE dated prior to the correction
date: Upgrade to the latest version of
FreeBSD (4.4-RELEASEp9 or 4.5-RELEASEp2 or
4.5-STABLE dated after the correction date), as
listed in FreeBSD, Inc. Security Advisory
FreeBSD-SA-02:13. See References.
— OR —
For FreeBSD 4.4-RELEASE, 4.5-RELEASE, and
4.5-STABLE dated prior to the correction
date: Apply the openssh patch, as listed in
FreeBSD, Inc. Security Advisory
FreeBSD-SA-02:13. See References.
For SuSE 6.4 (i386 Intel): Upgrade to the
latest version of openssh (2.9.9p2-94 or later),
as listed in SuSE Security Announcement
SuSE-SA:2002:009. See References.
For SuSE 7.0 (i386 Intel): Upgrade to the
latest version of openssh (2.9.9p2-97 or later),
as listed in SuSE Security Announcement
SuSE-SA:2002:009. See References.
For SuSE Linux 7.1 and 7.3 (i386
Intel): Upgrade to the latest version of
openssh (2.9.9p2-98 or later), as listed in SuSE
Security Announcement SuSE-SA:2002:009. See
References.
For SuSE 7.2 (i386 Intel): Upgrade to the
latest version of openssh (2.9.9p2-96 or later),
as listed in SuSE Security Announcement
SuSE-SA:2002:009. See References.
For SuSE 7.0, 7.1, and 7.3
(Sparc): Upgrade to the latest version of
openssh (2.9.9p2-36 or later), as listed in SuSE
Security Announcement SuSE-SA:2002:009. See
References.
For SuSE 6.4 (AXP Alpha): Upgrade to the
latest version of openssh (2.9.9p2-37 or later),
as listed in SuSE Security Announcement
SuSE-SA:2002:009. See References.
For SuSE 7.0 (AXP Alpha): Upgrade to the
latest version of openssh (2.9.9p2-38 or later),
as listed in SuSE Security Announcement
SuSE-SA:2002:009. See References.
For SuSE 7.1 (AXP Alpha): Upgrade to the
latest version of openssh (2.9.9p2-39 or later),
as listed in SuSE Security Announcement
SuSE-SA:2002:009. See References.
For SuSE 6.4 (PPC Power PC): Upgrade to
the latest version of openssh (2.9.9p2-67 or
later), as listed in SuSE Security Announcement
SuSE-SA:2002:009. See References.
For SuSE 7.0 (PPC Power PC): Upgrade to
the latest version of openssh (2.9.9p2-68 or
later), as listed in SuSE Security Announcement
SuSE-SA:2002:009. See References.
For SuSE 7.1 and 7.3 (PPC Power
PC): Upgrade to the latest version of openssh
(2.9.9p2-69 or later), as listed in SuSE
Security Announcement SuSE-SA:2002:009. See
References.
Note: For SuSE Firewall, Database Server,
eMail Server III, Connectivity Server, and
Enterprise Server 7 refer to the SuSE Security
Announcement SuSE-SA:2002:009. See
References.
For Red Hat Linux 7.0 and 7.1: Upgrade to
the latest version of openssh (3.1p1-1 or
later), as listed in Red Hat Linux Errata
Advisory RHSA-2002:043-10. See References.
For Red Hat Linux 7.2: Upgrade to the
latest version of openssh (3.1p1-2 or later), as
listed in Red Hat Linux Errata Advisory
RHSA-2002:043-10. See References.
For OpenPKG 1.0: Upgrade to the latest
version of openssh (3.0.2p1-1.0.2 or later), as
listed in OpenPKG Security Advisory
OpenPKG-SA-2002.001. See References.
For Mandrake Linux 7.1 and Corporate Server
1.0.1: Upgrade to the latest version of
openssh (3.0.2p1-1.7mdk or later), as listed in
MandrakeSoft Security Advisory MDKSA-2002:019 :
openssh. See References.
For Mandrake Linux 7.2 and Single Network
Firewall 7.2: Upgrade to the latest version
of openssh (3.0.2p1-1.6mdk or later), as listed
in MandrakeSoft Security Advisory
MDKSA-2002:019. See References.
For Mandrake Linux 8.0 and 8.1: Upgrade to
the latest version of openssh (3.1p1-1.1mdk or
later), as listed in MandrakeSoft Security
Advisory MDKSA-2002:019. See References.
For Trustix Secure Linux 1.1, 1.2, and
1.5: Upgrade to the latest version of openssh
(3.1.0p1-1tr or later), as listed in Trustix
Secure Linux Security Advisory #2002-0039. See
References.
For NetBSD-current (dated prior to
2002-03-06), 1.5, 1.5.1, and 1.5.2: Upgrade
to the appropriate fixed versions of NetBSD, as
listed in NetBSD Security Advisory 2002-004. See
References.
For Caldera OpenServer 5.0.6a and
earlier: Upgrade to the latest version of
openssh (3.1p1-VOLS or later), as listed in
Caldera International, Inc. Security Advisory
CSSA-2002-SCO.10. See References.
For Caldera OpenUnix 8.0.0 and UnixWare
7.1.1: Upgrade to the latest version of
openssh (3.1p1 or later), as listed in Caldera
International, Inc. Security Advisory
CSSA-2002-SCO.11. See References.
For Caldera OpenLinux Server 3.1 and
Workstation 3.1: Upgrade to the latest
version of openssh (2.9p2-5 or later), as listed
in Caldera International, Inc. Security Advisory
CSSA-2002-012.0. See References.
For Caldera OpenLinux Server 3.1.1 and
Workstation 3.1.1: Upgrade to the latest
version of openssh (2.9.9p2-3 or later), as
listed in Caldera International, Inc. Security
Advisory CSSA-2002-012.0. See References.
For other distributions: Contact your
vendor for upgrade or patch information.
Consequences: Gain Privileges
References:
Pine Internet Security Advisory PINE-CERT-20020301, "OpenSSH off-by-one" at http://www.pine.nl/advisories/pine-cert-20020301.txt
OpenPKG Security Advisory OpenPKG-SA-2002.001, "openssh" at http://www.openpkg.org/security/OpenPKG-SA-2002.002-openssh.html
OpenSSH Security Advisory - March 7, 2002, "adv.channelalloc" at http://www.openbsd.org/advisories/ssh_channelalloc.txt
Conectiva Linux Announcement CLSA-2002:467, "openssh" at http://archives.neohapsis.com/archives/bugtraq/2002-03/0067.html
EnGarde Secure Linux Security Advisory ESA-20020307-007, "Local vulnerability in OpenSSH's channel code." at http://www.linuxsecurity.com/advisories/other_advisory-1937.html
MandrakeSoft Security Advisory MDKSA-2002:019, "openssh" at http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:019
Trustix Secure Linux Security Advisory #2002-0039, "openssh" at http://www.trustix.net/errata/misc/2002/TSL-2002-0039-openssh.asc.txt
FreeBSD, Inc. Security Advisory FreeBSD-SA-02:13, "OpenSSH contains exploitable off-by-one bug" at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc
SuSE Security Announcement SuSE-SA:2002:009, "channelID vulnerability in openssh" at http://www.suse.com/de/security/2002_009_openssh_txt.html
Red Hat Security Advisory RHSA-2002:043-10, "Updated openssh packages available" at http://rhn.redhat.com/errata/RHSA-2002-043.html
Debian Security Advisory DSA-119-1, "ssh -- local root exploit, remote client exploit" at http://www.debian.org/security/2002/dsa-119
NetBSD Security Advisory 2002-004, "Off-by-one error in openssh session" at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc
Caldera International, Inc. Security Advisory CSSA-2002-SCO.10, "OpenServer: OpenSSH channel code" at ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/CSSA-2002-SCO.10.txt
Caldera International, Inc. Security Advisory CSSA-2002-SCO.11, "Open UNIX, UnixWare: OpenSSH channel code vulnerability" at ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.11/CSSA-2002-SCO.11.txt
BugTraq Mailing List, Wed Mar 27 2002 - 21:23:51 CST, "OpenSSH channel_lookup() off by one exploit" at http://archives.neohapsis.com/archives/bugtraq/2002-03/0347.html
Caldera International, Inc. Security Advisory CSSA-2002-012.0, "Linux: OpenSSH channel code vulnerability" at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2002-012.0.txt
CERT Vulnerability Note VU#408419, "OpenSSH contains a one-off overflow of an array in the channel handling code" at http://www.kb.cert.org/vuls/id/408419
CIAC Information Bulletin M-054, "OpenSSH Contains Remotely Exploitable Vulnerability" at http://www.ciac.org/ciac/bulletins/m-054.shtml
Standards associated with this entry:
BID-4241: OpenSSH Channel Code Off-By-One Vulnerability
CVE-2002-0083: Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.
Reported: March 07 2002.
The information within this
database may change without notice. Use of this
information constitutes acceptance for use in an
AS IS condition. There are NO warranties,
implied or otherwise, with regard to this
information or its use. Any use of this
information is at the user's risk. In no event
shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages
whatsoever arising out of or in connection with
the use or spread of this information.
Copyright (c) 1994-2003 Internet Security
Systems, Inc. All rights reserved
worldwide.