In-Depth
Alert: Vulnerability in SSH
Versions of OpenSSH prior to 3.7.1 are vulnerable to denial of service attacks via a buffer management problem. We explain the problem and what you can do about it.
Versions of OpenSSH prior to 3.7.1 are vulnerable to denial of service attacks via a buffer management problem. OpenSSH advises users to upgrade to the latest version (3.7.1) or apply a patch, available at http://www.openssh.com/txt/buffer.adv.
Software from Cisco, IBM, Network Appliance, and Red Hat, as well as Solaris 9, includes or allows for OpenSSH code to be used, and is therefore vulnerable.
OpenSSH is an open source, encrypted network log-in method. It is meant to replace such programs as telnet, rlogin, and FTP, all of which transmit passwords in clear text—unencrypted—across the Internet, making that information vulnerable to interception. OpenSSH, its creators say, “encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.” The software also provides various authentication and secure tunneling methods.
In an advisory, CERT warned that the vulnerability, which can be remotely exploited, “may allow a remote attacker to corrupt heap memory which could cause a denial-of-service condition. It may also be possible for an attacker to execute arbitrary code.” (See http://www.openssh.com/txt/buffer.adv for details.)
The problem, says CERT, lies in how the program handles its buffer when processing large packets. After apportioning space for a large packet, “when the buffer is cleared, an improperly sized chunk of memory is filled with zeros.” In other words, the buffer-management code writes outside the space it actually allocated and corrupts the heap. That can lead to a denial of service. In addition, an attacker could piggyback on the privileges of the user they have attacked to gain root access and run arbitrary code on the attacked system.
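The ordering mistake behind that description, as an added illustration written for this article rather than OpenSSH's own buffer code: the bookkept size is updated before the growth is checked, so an error-path cleanup that zeroes "the whole buffer" uses the inflated size. The struct, the MAX_ALLOC cap and the function names are assumptions, and the cleanup reports the overrun instead of performing it.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed growable buffer (not OpenSSH's buffer.c). 'alloc' is the size
 * the code believes it owns; 'real' records what the allocator actually gave
 * us, so the demo can report an overrun instead of corrupting the heap. */
typedef struct {
    unsigned char *buf;
    size_t alloc;   /* capacity the code believes it owns */
    size_t real;    /* capacity actually allocated (instrumentation only) */
} Buffer;
#define MAX_ALLOC 4096   /* hypothetical hard cap on buffer growth */

/* Vulnerable ordering: alloc is inflated first, then the cap check fails. */
static int append_space_vuln(Buffer *b, size_t len) {
    b->alloc += len + 32;
    if (b->alloc > MAX_ALLOC)
        return -1;                        /* error path sees inflated alloc */
    unsigned char *p = realloc(b->buf, b->alloc);
    if (!p) return -1;
    b->buf = p; b->real = b->alloc;
    return 0;
}

/* Fixed ordering: compute, check, allocate, and only then commit the size. */
static int append_space_fixed(Buffer *b, size_t len) {
    size_t newlen = b->alloc + len + 32;
    if (newlen > MAX_ALLOC)
        return -1;                        /* alloc untouched on failure */
    unsigned char *p = realloc(b->buf, newlen);
    if (!p) return -1;
    b->buf = p; b->alloc = b->real = newlen;
    return 0;
}

/* Error-path cleanup that zeroes the whole bookkept region. Returns how many
 * bytes would land past the real allocation rather than writing them. */
static size_t clear_overrun(Buffer *b) {
    memset(b->buf, 0, b->alloc < b->real ? b->alloc : b->real);
    return b->alloc > b->real ? b->alloc - b->real : 0;
}

/* Feed an oversized request through either variant and return the overrun. */
size_t overrun_after_oversized_packet(int use_fixed) {
    Buffer b = { calloc(256, 1), 256, 256 };
    if (!b.buf) return 0;
    int rc = use_fixed ? append_space_fixed(&b, MAX_ALLOC)
                       : append_space_vuln(&b, MAX_ALLOC);
    size_t over = rc < 0 ? clear_overrun(&b) : 0;  /* cleanup runs on failure */
    free(b.buf);
    return over;
}
```

With a 256-byte buffer and a request of MAX_ALLOC bytes, the vulnerable ordering would zero 4128 bytes beyond the allocation while the fixed ordering zeroes nothing out of bounds.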
One temporary workaround for system administrators, says CERT, is to activate “UsePrivilegeSeparation” in the sshd configuration file (sshd_config). While it doesn’t prevent the attack, it does limit the privileges of the compromised process, so an attacker wouldn’t gain root access.
About the Author
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance writer covering security and technology.