openssh-channel-error (8383) High Risk

OpenSSH off-by-one error in channel code

Description:

OpenSSH versions 2.0 through 3.0.2 contain an off-by-one error in the channel code, which could allow a local user to gain root privileges and execute arbitrary code on the system. A malicious SSH server could exploit this vulnerability on a vulnerable SSH client connecting to the server.
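The class of bug described above, as an added example that is not OpenSSH source code and not part of the original advisory: a simplified model of an off-by-one bounds check on an array index, next to the corrected check. The table, its size, the guard element and all function names are hypothetical.

```c
#include <stddef.h>

/* Hypothetical model: 4 usable channel slots plus one guard element that
 * stands in for whatever memory follows the real array. */
#define CHANNELS_ALLOC 4
typedef struct { int in_use; int self; } Channel;
static Channel table[CHANNELS_ALLOC + 1];   /* [CHANNELS_ALLOC] is the guard */

void table_init(void)
{
    for (int i = 0; i < CHANNELS_ALLOC; i++) {
        table[i].in_use = 1;
        table[i].self = i;
    }
    /* Guard contents: not a channel, but non-zero like arbitrary memory. */
    table[CHANNELS_ALLOC].in_use = 1;
    table[CHANNELS_ALLOC].self = -1;
}

/* Off-by-one: '>' lets id == CHANNELS_ALLOC through, one past the last slot. */
Channel *lookup_off_by_one(int id)
{
    if (id < 0 || id > CHANNELS_ALLOC)
        return NULL;
    return table[id].in_use ? &table[id] : NULL;
}

/* Corrected: valid ids are 0 .. CHANNELS_ALLOC - 1, so reject with '>='. */
Channel *lookup_checked(int id)
{
    if (id < 0 || id >= CHANNELS_ALLOC)
        return NULL;
    return table[id].in_use ? &table[id] : NULL;
}

/* Returns 1 if a lookup handed back the guard element instead of a channel. */
int escaped_table(const Channel *c)
{
    return c == &table[CHANNELS_ALLOC];
}

int main(void)
{
    table_init();
    return !(escaped_table(lookup_off_by_one(CHANNELS_ALLOC)) &&
             lookup_checked(CHANNELS_ALLOC) == NULL);
}
```

In the model the guard element makes the stray access observable without undefined behaviour; in a real program the element one past the table is unrelated memory that the caller then treats as a valid structure.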

Platforms Affected:
Caldera OpenLinux Server 3.1
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Workstation 3.1
Caldera OpenLinux Workstation 3.1.1
Caldera OpenServer 5.0.6a and earlier
Caldera OpenUnix 8.0.0
Caldera UnixWare 7.1.1
Conectiva Linux 5.0
Conectiva Linux 5.1
Conectiva Linux 6.0
Conectiva Linux 7.0
Conectiva Linux ecommerce
Conectiva Linux prg graficos
EnGarde Secure Linux Community Edition
FreeBSD 4.4-RELEASE
FreeBSD 4.5-RELEASE
FreeBSD 4.5-STABLE
Mandrake Linux 7.1
Mandrake Linux 7.2
Mandrake Linux 8.0
Mandrake Linux 8.1
Mandrake Linux Corporate Server 1.0.1
Mandrake Single Network Firewall 7.2
NetBSD 1.5
NetBSD 1.5.1
NetBSD 1.5.2
NetBSD-current pre20020307
OpenPKG 1.0
OpenSSH 2.0 up to 3.0.2
OpenSSH Any version
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.x
SuSE Linux 6.4
SuSE Linux 7.0
SuSE Linux 7.1
SuSE Linux 7.2
SuSE Linux 7.3
SuSE Linux Connectivity Server Any version
SuSE Linux Database Server Any version
SuSE Linux Enterprise Server 7
SuSE Linux Firewall Any version
SuSE eMail Server III Any version
Trustix Secure Linux 1.1
Trustix Secure Linux 1.2
Trustix Secure Linux 1.5

Remedy:

Upgrade to the latest version of OpenSSH (3.1 or later), as listed in OpenSSH Security Advisory (adv.channelalloc). See References.

For Conectiva Linux 5.0:
Upgrade to the latest version of OpenSSH (3.0.2pl-1U50_2cl or later), as listed in Conectiva Linux Security Announcement CLA-2002:467. See References.

For Conectiva Linux 5.1:
Upgrade to the latest version of OpenSSH (3.0.2pl-1U51_2cl or later), as listed in Conectiva Linux Security Announcement CLA-2002:467. See References.

For Conectiva Linux 6.0:
Upgrade to the latest version of OpenSSH (3.0.2pl-1U60_2cl or later), as listed in Conectiva Linux Security Announcement CLA-2002:467. See References.

For Conectiva Linux 7.0:
Upgrade to the latest version of OpenSSH (3.0.2pl-1U70_2cl or later), as listed in Conectiva Linux Security Announcement CLA-2002:467. See References.

For Conectiva Linux prg graficos and ecommerce:
Upgrade to the latest version of OpenSSH (3.0.2pl-1U50_2cl or later), as listed in Conectiva Linux Security Announcement CLA-2002:467. See References.

For EnGarde Secure Linux Community Edition:
Upgrade to the latest version of OpenSSH (2.3.0p1-1.0.18 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20020307-007. See References.

For FreeBSD 4.4-RELEASE, 4.5-RELEASE, and 4.5-STABLE dated prior to the correction date:
Upgrade to the latest version of FreeBSD (4.4-RELEASEp9 or 4.5-RELEASEp2 or 4.5-STABLE dated after the correction date), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-02:13. See References.

— OR —

For FreeBSD 4.4-RELEASE, 4.5-RELEASE, and 4.5-STABLE dated prior to the correction date:
Apply the openssh patch, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-02:13. See References.

For SuSE 6.4 (i386 Intel):
Upgrade to the latest version of openssh (2.9.9p2-94 or later), as listed in SuSE Security Announcement SuSE-SA:2002:009. See References.

For SuSE 7.0 (i386 Intel):
Upgrade to the latest version of openssh (2.9.9p2-97 or later), as listed in SuSE Security Announcement SuSE-SA:2002:009. See References.

For SuSE Linux 7.1 and 7.3 (i386 Intel):
Upgrade to the latest version of openssh (2.9.9p2-98 or later), as listed in SuSE Security Announcement SuSE-SA:2002:009. See References.

For SuSE 7.2 (i386 Intel):
Upgrade to the latest version of openssh (2.9.9p2-96 or later), as listed in SuSE Security Announcement SuSE-SA:2002:009. See References.

For SuSE 7.0, 7.1, and 7.3 (Sparc):
Upgrade to the latest version of openssh (2.9.9p2-36 or later), as listed in SuSE Security Announcement SuSE-SA:2002:009. See References.

For SuSE 6.4 (AXP Alpha):
Upgrade to the latest version of openssh (2.9.9p2-37 or later), as listed in SuSE Security Announcement SuSE-SA:2002:009. See References.

For SuSE 7.0 (AXP Alpha):
Upgrade to the latest version of openssh (2.9.9p2-38 or later), as listed in SuSE Security Announcement SuSE-SA:2002:009. See References.

For SuSE 7.1 (AXP Alpha):
Upgrade to the latest version of openssh (2.9.9p2-39 or later), as listed in SuSE Security Announcement SuSE-SA:2002:009. See References.

For SuSE 6.4 (PPC Power PC):
Upgrade to the latest version of openssh (2.9.9p2-67 or later), as listed in SuSE Security Announcement SuSE-SA:2002:009. See References.

For SuSE 7.0 (PPC Power PC):
Upgrade to the latest version of openssh (2.9.9p2-68 or later), as listed in SuSE Security Announcement SuSE-SA:2002:009. See References.

For SuSE 7.1 and 7.3 (PPC Power PC):
Upgrade to the latest version of openssh (2.9.9p2-69 or later), as listed in SuSE Security Announcement SuSE-SA:2002:009. See References.

Note: For SuSE Firewall, Database Server, eMail Server III, Connectivity Server, and Enterprise Server 7 refer to the SuSE Security Announcement SuSE-SA:2002:009. See References.

For Red Hat Linux 7.0 and 7.1:
Upgrade to the latest version of openssh (3.1p1-1 or later), as listed in Red Hat Linux Errata Advisory RHSA-2002:043-10. See References.

For Red Hat Linux 7.2:
Upgrade to the latest version of openssh (3.1p1-2 or later), as listed in Red Hat Linux Errata Advisory RHSA-2002:043-10. See References.

For OpenPKG 1.0:
Upgrade to the latest version of openssh (3.0.2p1-1.0.2 or later), as listed in OpenPKG Security Advisory OpenPKG-SA-2002.001. See References.

For Mandrake Linux 7.1 and Corporate Server 1.0.1:
Upgrade to the latest version of openssh (3.0.2p1-1.7mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:019 : openssh. See References.

For Mandrake Linux 7.2 and Single Network Firewall 7.2:
Upgrade to the latest version of openssh (3.0.2p1-1.6mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:019. See References.

For Mandrake Linux 8.0 and 8.1:
Upgrade to the latest version of openssh (3.1p1-1.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:019. See References.

For Trustix Secure Linux 1.1, 1.2, and 1.5:
Upgrade to the latest version of openssh (3.1.0p1-1tr or later), as listed in Trustix Secure Linux Security Advisory #2002-0039. See References.

For NetBSD-current (dated prior to 2002-03-06), 1.5, 1.5.1, and 1.5.2:
Upgrade to the appropriate fixed versions of NetBSD, as listed in NetBSD Security Advisory 2002-004. See References.

For Caldera OpenServer 5.0.6a and earlier:
Upgrade to the latest version of openssh (3.1p1-VOLS or later), as listed in Caldera International, Inc. Security Advisory CSSA-2002-SCO.10. See References.

For Caldera OpenUnix 8.0.0 and UnixWare 7.1.1:
Upgrade to the latest version of openssh (3.1p1 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2002-SCO.11. See References.

For Caldera OpenLinux Server 3.1 and Workstation 3.1:
Upgrade to the latest version of openssh (2.9p2-5 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2002-012.0. See References.

For Caldera OpenLinux Server 3.1.1 and Workstation 3.1.1:
Upgrade to the latest version of openssh (2.9.9p2-3 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2002-012.0. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:
Gain Privileges

References:
Pine Internet Security Advisory PINE-CERT-20020301, "OpenSSH off-by-one" at http://www.pine.nl/advisories/pine-cert-20020301.txt

OpenPKG Security Advisory OpenPKG-SA-2002.001, "openssh" at http://www.openpkg.org/security/OpenPKG-SA-2002.002-openssh.html

OpenSSH Security Advisory - March 7, 2002, "adv.channelalloc" at http://www.openbsd.org/advisories/ssh_channelalloc.txt

Conectiva Linux Announcement CLSA-2002:467, "openssh" at http://archives.neohapsis.com/archives/bugtraq/2002-03/0067.html

EnGarde Secure Linux Security Advisory ESA-20020307-007, "Local vulnerability in OpenSSH's channel code." at http://www.linuxsecurity.com/advisories/other_advisory-1937.html

MandrakeSoft Security Advisory MDKSA-2002:019, "openssh" at http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:019

Trustix Secure Linux Security Advisory #2002-0039, "openssh" at http://www.trustix.net/errata/misc/2002/TSL-2002-0039-openssh.asc.txt

FreeBSD, Inc. Security Advisory FreeBSD-SA-02:13, "OpenSSH contains exploitable off-by-one bug" at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc

SuSE Security Announcement SuSE-SA:2002:009, "channelID vulnerability in openssh" at http://www.suse.com/de/security/2002_009_openssh_txt.html

Red Hat Security Advisory RHSA-2002:043-10, "Updated openssh packages available" at http://rhn.redhat.com/errata/RHSA-2002-043.html

Debian Security Advisory DSA-119-1, "ssh -- local root exploit, remote client exploit" at http://www.debian.org/security/2002/dsa-119

NetBSD Security Advisory 2002-004, "Off-by-one error in openssh session" at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc

Caldera International, Inc. Security Advisory CSSA-2002-SCO.10, "OpenServer: OpenSSH channel code" at ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/CSSA-2002-SCO.10.txt

Caldera International, Inc. Security Advisory CSSA-2002-SCO.11, "Open UNIX, UnixWare: OpenSSH channel code vulnerability" at ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.11/CSSA-2002-SCO.11.txt

BugTraq Mailing List, Wed Mar 27 2002 - 21:23:51 CST, "OpenSSH channel_lookup() off by one exploit" at http://archives.neohapsis.com/archives/bugtraq/2002-03/0347.html

Caldera International, Inc. Security Advisory CSSA-2002-012.0, "Linux: OpenSSH channel code vulnerability" at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2002-012.0.txt

CERT Vulnerability Note VU#408419, "OpenSSH contains a one-off overflow of an array in the channel handling code" at http://www.kb.cert.org/vuls/id/408419

CIAC Information Bulletin M-054, "OpenSSH Contains Remotely Exploitable Vulnerability" at http://www.ciac.org/ciac/bulletins/m-054.shtml

Standards associated with this entry:
BID-4241: OpenSSH Channel Code Off-By-One Vulnerability

CVE-2002-0083: Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.

Reported:
March 07 2002.


 
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2003 Internet Security Systems, Inc. All rights reserved worldwide.