Vulnerability Note VU#333628
OpenSSH contains buffer management errors
Versions of the OpenSSH server prior to 3.7.1 contain buffer management errors. While the full impact of these vulnerabilities are unclear, they may lead to memory corruption and a denial-of-service situation.
Versions of OpenSSH prior to 3.7.1 contain errors in the general handling of buffers. These vulnerabilities appear to occur due to some buffer management errors. Specifically, this is an issue with freeing the appropriate memory size on the heap. In certain cases, the memory cleared is too large and might cause heap corruption.
Various network and embedded systems may use OpenSSH or derived code. These systems may also be affected by this issue.
The full impact of these vulnerabilities is unclear. The most likely impact is that the heap may be corrupted leading to a denial of service.
Disable or limit access to the ssh service
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|AppGate Network Security AB||Affected||-||01 Oct 2003|
|Apple Computer, Inc.||Affected||16 Sep 2003||01 Oct 2003|
|Cisco Systems, Inc.||Affected||16 Sep 2003||17 Sep 2003|
|Cray Inc.||Affected||16 Sep 2003||16 Sep 2003|
|Cyclades Corporation||Affected||-||22 Sep 2003|
|Debian Linux||Affected||16 Sep 2003||17 Sep 2003|
|F-Secure||Affected||16 Sep 2003||18 Sep 2003|
|Foundry Networks Inc.||Affected||16 Sep 2003||15 Oct 2003|
|FreeBSD, Inc.||Affected||16 Sep 2003||18 Sep 2003|
|Guardian Digital Inc.||Affected||16 Sep 2003||18 Sep 2003|
|IBM Corporation||Affected||16 Sep 2003||01 Oct 2003|
|IBM eServer||Affected||16 Sep 2003||22 Sep 2003|
|Ingrian Networks, Inc.||Affected||16 Sep 2003||01 Oct 2003|
|Juniper Networks, Inc.||Affected||16 Sep 2003||22 Sep 2003|
|Mandriva, Inc.||Affected||16 Sep 2003||17 Sep 2003|
CVSS Metrics (Learn More)
Thanks to OpenSSH for information regarding this vulnerability.
This document was written by Jason A Rafail.
- CVE IDs: CVE-2003-0693
- CERT Advisory: CA-2003-24
- Date Public: 16 Sep 2003
- Date First Published: 16 Sep 2003
- Date Last Updated: 12 Aug 2008
- Severity Metric: 28.98
- Document Revision: 22
If you have feedback, comments, or additional information about this vulnerability, please send us email.