Vulnerability Note VU#333628

OpenSSH contains buffer management errors

Original Release date: 16 Sep 2003 | Last revised: 12 Aug 2008

Overview

Versions of the OpenSSH server prior to 3.7.1 contain buffer management errors. While the full impact of these vulnerabilities is unclear, they may lead to memory corruption and a denial-of-service situation.

Description

Versions of OpenSSH prior to 3.7.1 contain errors in the general handling of buffers. Specifically, this is an issue with freeing the appropriate memory size on the heap: in certain cases, the memory cleared is too large, which might cause heap corruption.
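An added example, not OpenSSH source code, of how a buffer's recorded size can come to exceed its real heap allocation, so that a cleanup routine clears too much memory. It assumes the recorded size is raised before a growth request is validated; `Buffer`, `grow_flawed`, `grow_fixed` and `BUF_MAX` are hypothetical names, and the sizes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_MAX 0xa00000u            /* hypothetical cap on buffer growth */

typedef struct { unsigned char *buf; size_t alloc; } Buffer;  /* alloc = recorded size */

/* Flawed ordering: the recorded size is raised before the request is validated. */
static int grow_flawed(Buffer *b, size_t len) {
    b->alloc += len;                          /* bookkeeping changes first */
    if (b->alloc > BUF_MAX) return -1;        /* error path leaves alloc too large */
    unsigned char *p = realloc(b->buf, b->alloc);
    if (p == NULL) return -1;                 /* same stale state on failure */
    b->buf = p;
    return 0;
}

/* Corrected ordering: validate, reallocate, and only then record the new size. */
static int grow_fixed(Buffer *b, size_t len) {
    if (len > BUF_MAX || b->alloc > BUF_MAX - len) return -1;
    size_t newlen = b->alloc + len;
    unsigned char *p = realloc(b->buf, newlen);
    if (p == NULL) return -1;
    b->buf = p;
    b->alloc = newlen;
    return 0;
}

/* Bytes a cleanup routine doing memset(buf, 0, alloc) would clear past the
   real allocation after a rejected growth request. The over-long clear is
   computed here, not performed. */
static size_t overshoot_after_failed_grow(int (*grow)(Buffer *, size_t)) {
    const size_t real = 64;                   /* size actually obtained from malloc */
    Buffer b = { malloc(real), real };
    if (b.buf == NULL) return 0;
    int rc = grow(&b, BUF_MAX);               /* constructed oversized request */
    size_t over = (rc != 0 && b.alloc > real) ? b.alloc - real : 0;
    memset(b.buf, 0, real);                   /* scrub only what is really owned */
    free(b.buf);
    return over;
}

int main(void) {
    printf("flawed: %zu bytes past the allocation\n", overshoot_after_failed_grow(grow_flawed));
    printf("fixed:  %zu bytes past the allocation\n", overshoot_after_failed_grow(grow_fixed));
    return 0;
}
```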

Various network and embedded systems may use OpenSSH or derived code. These systems may also be affected by this issue.

We have seen reports of exploitation that may be related to this issue.

Impact

The full impact of these vulnerabilities is unclear. The most likely impact is that the heap may be corrupted leading to a denial of service.
If it is possible to exploit this vulnerability in a manner that would allow the execution of arbitrary code, then an attacker may be able to do so with the privileges of the user running the sshd process, usually root. The impact may be limited on systems using the privilege separation feature available in OpenSSH for some systems.

Solution

Apply patches
The OpenSSH development team has developed patches and an advisory for this issue. More details will be available at

Users of systems that include OpenSSH software are encouraged to check the vendors section of this document for more information.

Disable or limit access to the ssh service


For those systems that do not require ssh to be enabled, we encourage users to disable the service. If the service cannot be disabled and patches cannot be applied, we recommend using a packet filter to limit access to the vulnerable service to trusted hosts only.

Systems Affected

Vendor                          Status    Date Notified  Date Updated
AppGate Network Security AB     Affected  -              01 Oct 2003
Apple Computer, Inc.            Affected  16 Sep 2003    01 Oct 2003
Cisco Systems, Inc.             Affected  16 Sep 2003    17 Sep 2003
Cray Inc.                       Affected  16 Sep 2003    16 Sep 2003
Cyclades Corporation            Affected  -              22 Sep 2003
Debian Linux                    Affected  16 Sep 2003    17 Sep 2003
F-Secure                        Affected  16 Sep 2003    18 Sep 2003
Foundry Networks Inc.           Affected  16 Sep 2003    15 Oct 2003
FreeBSD, Inc.                   Affected  16 Sep 2003    18 Sep 2003
Guardian Digital Inc.           Affected  16 Sep 2003    18 Sep 2003
IBM Corporation                 Affected  16 Sep 2003    01 Oct 2003
IBM eServer                     Affected  16 Sep 2003    22 Sep 2003
Ingrian Networks, Inc.          Affected  16 Sep 2003    01 Oct 2003
Juniper Networks, Inc.          Affected  16 Sep 2003    22 Sep 2003
Mandriva, Inc.                  Affected  16 Sep 2003    17 Sep 2003

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to OpenSSH for information regarding this vulnerability.

This document was written by Jason A Rafail.

Other Information

  • CVE IDs: CVE-2003-0693
  • CERT Advisory: CA-2003-24
  • Date Public: 16 Sep 2003
  • Date First Published: 16 Sep 2003
  • Date Last Updated: 12 Aug 2008
  • Severity Metric: 28.98
  • Document Revision: 22
