
Vulnerability Note VU#333628

OpenSSH contains buffer management errors

Overview

Versions of the OpenSSH server prior to 3.7.1 contain buffer management errors. While the full impact of these vulnerabilities is unclear, they may lead to memory corruption and a denial-of-service situation.

I. Description

Versions of OpenSSH prior to 3.7.1 contain errors in the general handling of buffers. These vulnerabilities appear to stem from buffer management errors. Specifically, the code does not always free the appropriate memory size on the heap. In certain cases the memory cleared is too large, which might cause heap corruption.
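The following added example is not OpenSSH code and is not taken from the advisory; it is a constructed model of this class of error, showing one way a cleanup routine can end up clearing more memory than was allocated, next to a corrected ordering. All names (struct buf, grow_unsafe, grow_safe, buf_free, DEMO_LIMIT) are hypothetical, allocation failure is simulated, and the clearing step is clamped so the program is safe to run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of a growable buffer; all names are hypothetical.
 * alloc = size the bookkeeping claims, real = size actually allocated. */
struct buf { unsigned char *data; size_t alloc; size_t real; };
#define DEMO_LIMIT 4096  /* requests above this fail (simulated exhaustion) */
static void *try_realloc(void *p, size_t n) { return n > DEMO_LIMIT ? NULL : realloc(p, n); }

/* Flawed ordering: the size field is updated before the allocation succeeds. */
int grow_unsafe(struct buf *b, size_t extra) {
    b->alloc += extra;
    void *p = try_realloc(b->data, b->alloc);
    if (!p) return -1;               /* error path leaves alloc > real */
    b->data = p; b->real = b->alloc;
    return 0;
}

/* Corrected ordering: compute, check, allocate, and only then commit. */
int grow_safe(struct buf *b, size_t extra) {
    if (extra > (size_t)-1 - b->alloc) return -1;   /* size overflow */
    size_t newlen = b->alloc + extra;
    void *p = try_realloc(b->data, newlen);
    if (!p) return -1;               /* state unchanged on failure */
    b->data = p; b->alloc = b->real = newlen;
    return 0;
}

/* Cleanup that zeroes alloc bytes before freeing. Returns how far past the
 * real block that would reach; the memset is clamped so the demo is safe. */
size_t buf_free(struct buf *b) {
    size_t excess = b->alloc > b->real ? b->alloc - b->real : 0;
    if (b->data) memset(b->data, 0, b->alloc - excess);
    free(b->data);
    b->data = NULL; b->alloc = b->real = 0;
    return excess;
}

/* Failed growth followed by cleanup; returns the overrun in bytes. */
size_t demo(int (*grow)(struct buf *, size_t)) {
    struct buf b = { malloc(256), 256, 256 };
    grow(&b, 8192);                  /* exceeds DEMO_LIMIT, so growth fails */
    return buf_free(&b);
}

int main(void) {
    printf("unsafe: %zu, safe: %zu\n", demo(grow_unsafe), demo(grow_safe));
    return 0;
}
```

With the flawed ordering, a cleanup that trusts the size field would clear 8192 bytes beyond the 256-byte block; with the corrected ordering the overrun is zero.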

Various network and embedded systems may use OpenSSH or derived code. These systems may also be affected by this issue.

We have seen reports of exploitation that may be related to this issue.

II. Impact

The full impact of these vulnerabilities is unclear. The most likely impact is that the heap may be corrupted leading to a denial of service.


If it is possible to exploit this vulnerability in a manner that would allow the execution of arbitrary code, then an attacker may be able to do so with the privileges of the user running the sshd process, usually root. The impact may be limited on systems using the privilege separation feature available in OpenSSH for some systems.

III. Solution

Apply patches

The OpenSSH development team has developed patches and an advisory for this issue. More details will be available at


Users of systems that include OpenSSH software are encouraged to check the vendors section of this document for more information.

Disable or limit access to the ssh service

For those systems that do not require ssh to be enabled, we encourage users to disable the service. If the service cannot be disabled and patches cannot be applied, we recommend using a packet filter to limit access to the vulnerable service to trusted hosts only.

Systems Affected

Vendor | Status | Date Updated
3Com | Unknown | 16-Sep-2003
Alcatel | Unknown | 16-Sep-2003
AppGate Network Security AB | Vulnerable | 1-Oct-2003
Apple Computer, Inc. | Vulnerable | 1-Oct-2003
AT&T | Unknown | 16-Sep-2003
Avaya | Unknown | 16-Sep-2003
Berkeley Software Design, Inc. | Unknown | 16-Sep-2003
Bitvise | Not Vulnerable | 16-Sep-2003
Cisco Systems, Inc. | Vulnerable | 17-Sep-2003
Cray Inc. | Vulnerable | 16-Sep-2003
Cyclades Corporation | Vulnerable | 22-Sep-2003
D-Link Systems | Unknown | 16-Sep-2003
Debian Linux | Vulnerable | 17-Sep-2003
EMC Corporation | Unknown | 16-Sep-2003
Extreme Networks | Unknown | 16-Sep-2003
F-Secure | Vulnerable | 18-Sep-2003
F5 Networks, Inc. | Unknown | 16-Sep-2003
FiSSH | Unknown | 16-Sep-2003
Foundry Networks Inc. | Vulnerable | 15-Oct-2003
FreeBSD, Inc. | Vulnerable | 18-Sep-2003
FreSSH | Unknown | 16-Sep-2003
Fujitsu | Not Vulnerable | 22-Sep-2003
Guardian Digital Inc. | Vulnerable | 18-Sep-2003
Hewlett-Packard Company | Unknown | 18-Sep-2003
Hitachi | Not Vulnerable | 7-Oct-2003
IBM-zSeries | Unknown | 16-Sep-2003
IBM Corporation | Vulnerable | 1-Oct-2003
IBM eServer | Vulnerable | 22-Sep-2003
Ingrian Networks, Inc. | Vulnerable | 1-Oct-2003
Intel | Unknown | 16-Sep-2003
Intersoft International Inc. | Unknown | 16-Sep-2003
Juniper Networks, Inc. | Vulnerable | 22-Sep-2003
Lachman | Unknown | 16-Sep-2003
Lsh | Unknown | 16-Sep-2003
Lucent Technologies | Unknown | 16-Sep-2003
MacSSH | Unknown | 16-Sep-2003
Mandriva, Inc. | Vulnerable | 17-Sep-2003
Mandriva, Inc. | Vulnerable | 18-Sep-2003
Microsoft Corporation | Not Vulnerable | 16-Sep-2003
Mirapoint | Vulnerable | 18-Sep-2003
MontaVista Software, Inc. | Unknown | 16-Sep-2003
Multi-Tech Systems Inc. | Unknown | 16-Sep-2003
NEC Corporation | Unknown | 16-Sep-2003
NetBSD | Vulnerable | 17-Sep-2003
NETcomposite | Unknown | 16-Sep-2003
NetScreen Technologies Inc. | Unknown | 16-Sep-2003
Network Appliance | Vulnerable | 17-Sep-2003
Nokia | Vulnerable | 18-Sep-2003
Nortel Networks, Inc. | Unknown | 16-Sep-2003
OpenBSD | Unknown | 16-Sep-2003
OpenPKG | Vulnerable | 17-Sep-2003
OpenSSH | Vulnerable | 17-Sep-2003
Openwall GNU/*/Linux | Vulnerable | 18-Sep-2003
Pragma Systems | Not Vulnerable | 1-Oct-2003
Putty | Not Vulnerable | 16-Sep-2003
Red Hat, Inc. | Vulnerable | 18-Sep-2003
Redback Networks Inc. | Unknown | 16-Sep-2003
Riverstone Networks | Vulnerable | 1-Oct-2003
SCO | Vulnerable | 7-Oct-2003
Secure Computing Corporation | Not Vulnerable | 22-Sep-2003
Sequent Computer Systems, Inc. | Unknown | 16-Sep-2003
SGI | Unknown | 16-Sep-2003
Slackware | Vulnerable | 16-Sep-2003
Sony Corporation | Unknown | 16-Sep-2003
SSH Communications Security | Not Vulnerable | 17-Sep-2003
Sun Microsystems, Inc. | Vulnerable | 16-Jan-2007
SUSE Linux | Vulnerable | 18-Sep-2003
TFS Technology | Vulnerable | 17-Sep-2003
Top Layer Networks | Not Vulnerable | 18-Sep-2003
Trustix | Vulnerable | 17-Sep-2003
TTSSH/TeraTerm | Unknown | 16-Sep-2003
Unisys | Unknown | 16-Sep-2003
VanDyke Software Inc. | Not Vulnerable | 16-Sep-2003
VMware | Vulnerable | 1-Oct-2003
Wind River Systems, Inc. | Unknown | 16-Sep-2003
Wirex | Unknown | 16-Sep-2003
Zyxel | Unknown | 16-Sep-2003

References


http://www.openssh.com/txt/buffer.adv
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000062.html
http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/openssh/files/patch-buffer.c
http://www.secunia.com/advisories/10156/

Credit

Thanks to OpenSSH for information regarding this vulnerability.

This document was written by Jason A Rafail.

Other Information

Date Public: 09/16/2003
Date First Published: 09/16/2003 12:18:55 PM
Date Last Updated: 01/16/2007
CERT Advisory: CA-2003-24
CVE Name: CVE-2003-0693
US-CERT Technical Alerts:
Metric: 28.98
Document Revision: 20

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2003 Carnegie Mellon University