
CERT Coordination Center

OpenSSH contains buffer management errors

Vulnerability Note VU#333628

Original Release Date: 2003-09-16 | Last Revised: 2008-08-12

Overview

Versions of the OpenSSH server prior to 3.7.1 contain buffer management errors. While the full impact of these vulnerabilities is unclear, they may lead to memory corruption and a denial-of-service situation.

Description

Versions of OpenSSH prior to 3.7.1 contain errors in the general handling of buffers. Specifically, the issue lies in freeing the appropriate memory size on the heap: in certain cases, the memory cleared is too large and might cause heap corruption.
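The mechanism behind this, as the FreeBSD advisory quoted under Vendor Information describes it, is a recorded size that is updated before the request is validated, so a cleanup handler that zeroes and frees by the recorded size clears too much. The C sketch below is an added illustration, not OpenSSH source: `demo_buf`, `grow_flawed`, `grow_fixed`, `DEMO_MAX_ALLOC` and the `real` field are hypothetical, and the cleanup clamps its memset so the demo reports the overrun instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit for this demo; larger requests are rejected. */
#define DEMO_MAX_ALLOC 4096u

struct demo_buf {
    unsigned char *data;
    size_t alloc;   /* size the bookkeeping believes is allocated */
    size_t real;    /* demo-only ground truth: bytes actually allocated */
};

static int demo_init(struct demo_buf *b, size_t n)
{
    if (n == 0 || n > DEMO_MAX_ALLOC)
        return -1;
    b->data = malloc(n);
    if (b->data == NULL)
        return -1;
    b->alloc = b->real = n;
    return 0;
}

/* Flawed ordering: the recorded size changes first and is validated after. */
static int grow_flawed(struct demo_buf *b, size_t extra)
{
    b->alloc += extra;                  /* bookkeeping already updated ... */
    if (b->alloc > DEMO_MAX_ALLOC)
        return -1;                      /* ... so this path leaves alloc > real */
    unsigned char *p = realloc(b->data, b->alloc);
    if (p == NULL)
        return -1;                      /* same inconsistency on out of memory */
    b->data = p;
    b->real = b->alloc;
    return 0;
}

/* Corrected ordering: validate and reallocate first, commit the size last. */
static int grow_fixed(struct demo_buf *b, size_t extra)
{
    if (extra > DEMO_MAX_ALLOC - b->alloc)  /* also rules out size_t wraparound */
        return -1;
    size_t newlen = b->alloc + extra;
    unsigned char *p = realloc(b->data, newlen);
    if (p == NULL)
        return -1;
    b->data = p;
    b->alloc = b->real = newlen;
    return 0;
}

/* Cleanup handler in the zero-then-free style. Returns how many bytes a
 * memset driven by the recorded size would write past the real allocation.
 * The memset here is clamped to the real size, so nothing is corrupted. */
static size_t demo_cleanup(struct demo_buf *b)
{
    size_t overrun = b->alloc > b->real ? b->alloc - b->real : 0;
    if (b->data != NULL) {
        memset(b->data, 0, b->real);
        free(b->data);
    }
    b->data = NULL;
    b->alloc = b->real = 0;
    return overrun;
}

/* Grow a buffer of `initial` bytes by `extra`, then run the cleanup handler,
 * as happens when a failed request triggers the fatal-error path. */
size_t overrun_after_failed_grow(int use_fixed, size_t initial, size_t extra)
{
    struct demo_buf b;
    if (demo_init(&b, initial) != 0)
        return (size_t)-1;
    if (use_fixed)
        (void)grow_fixed(&b, extra);
    else
        (void)grow_flawed(&b, extra);
    return demo_cleanup(&b);
}

int main(void)
{
    /* Constructed input: 1024-byte buffer, oversized 8192-byte request. */
    printf("flawed ordering: %zu bytes past the allocation\n",
           overrun_after_failed_grow(0, 1024, 8192));
    printf("fixed ordering:  %zu bytes past the allocation\n",
           overrun_after_failed_grow(1, 1024, 8192));
    return 0;
}
```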

Various network and embedded systems may use OpenSSH or derived code. These systems may also be affected by this issue.

We have seen reports of exploitation that may be related to this issue.

Impact

The full impact of these vulnerabilities is unclear. The most likely impact is that the heap may be corrupted leading to a denial of service.
If it is possible to exploit this vulnerability in a manner that would allow the execution of arbitrary code, then an attacker may be able to do so with the privileges of the user running the sshd process, usually root. The impact may be limited on systems using the privilege separation feature available in OpenSSH for some systems.

Solution

Apply patches
The OpenSSH development team has developed patches and an advisory for this issue. More details will be available at http://www.openssh.com/txt/buffer.adv

Users of systems that include OpenSSH software are encouraged to check the vendors section of this document for more information.

Disable or limit access to the ssh service


For those systems that do not require ssh to be enabled, we encourage users to disable the service. If the service cannot be disabled and patches cannot be applied, we recommend using a packet filter to limit access to the vulnerable service from only trusted hosts.

Vendor Information


AppGate Network Security AB

Updated:  October 01, 2003

Status

  Vulnerable

Vendor Statement

AppGate versions from 4.0 up to and including 5.3.1 do include the vulnerable code. Patches are available from the appgate support pages at http://www.appgate.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer, Inc.

Notified:  September 16, 2003 Updated:  October 01, 2003

Status

  Vulnerable

Vendor Statement

Apple: Mac OS X 10.2.8 contains the patches to address CVE CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X versions prior to 10.2.8, the vulnerability is limited to a denial of service from the possibility of causing sshd to crash. Each login session has its own sshd, so established connections are preserved up to the point where system resources are exhausted by an attack.

To deliver the update in a rapid and reliable manner, only the patches for CVE IDs listed above were applied, and not the entire set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:


    OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f

Mac OS X 10.2.8 is available as a free update for customers running Mac OS X 10.2.x. It is available from:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cisco Systems, Inc.

Notified:  September 16, 2003 Updated:  September 17, 2003

Status

  Vulnerable

Vendor Statement

Cisco has some products which are vulnerable to this issue. Cisco's response is now published at http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cray Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Vulnerable

Vendor Statement

Cray Inc. supports OpenSSH through its Cray Open Software (COS) package. Cray is vulnerable to this buffer management error and is in the process of compiling OpenSSH 3.7. The new version will be made available in the next COS release.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cyclades Corporation

Updated:  September 22, 2003

Status

  Vulnerable

Vendor Statement

Cyclades Corporation Position:


Our Cyclades-TS and AlterPath ACS families have been updated against this vulnerability. Please go to Cyclades download page at:

All other Cyclades products are not affected by this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Debian Linux

Notified:  September 16, 2003 Updated:  September 17, 2003

Status

  Vulnerable

Vendor Statement

Debian has issued DSA 382 and DSA 383 for these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


F-Secure

Notified:  September 16, 2003 Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

This vulnerability does not affect any version of F-Secure SSH software that utilizes ssh protocol version 2. The non-affected versions have been available since 1998.

This vulnerability only affects the following F-Secure SSH server versions: F-Secure SSH for Unix versions 1.3.14 and earlier.

More information is available from

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Foundry Networks Inc.

Notified:  September 16, 2003 Updated:  October 15, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.foundrynet.com/solutions/advisories/openssh333628.html>.


FreeBSD, Inc.

Notified:  September 16, 2003 Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:12                                            Security Advisory

FreeBSD, Inc.

Topic:          OpenSSH buffer management error

Category:       core, ports
Module:         openssh, ports_openssh, openssh-portable
Announced:      2003-09-16
Credits:        The OpenSSH Project <openssh@openssh.org>
Affects:        All FreeBSD releases after 4.0-RELEASE

FreeBSD 4-STABLE prior to the correction date
openssh port prior to openssh-3.6.1_3
openssh-portable port prior to openssh-portable-3.6.1p2_3

Corrected:      2003-09-17 16:24:02 UTC (RELENG_4, 4.9-PRERELEASE)
2003-09-17 14:46:58 UTC (RELENG_5_1, 5.1-RELEASE-p4)
2003-09-17 14:50:14 UTC (RELENG_5_0, 5.0-RELEASE-p13)
2003-09-17 14:51:09 UTC (RELENG_4_8, 4.8-RELEASE-p6)
2003-09-17 14:51:37 UTC (RELENG_4_7, 4.7-RELEASE-p16)
2003-09-17 14:52:08 UTC (RELENG_4_6, 4.6-RELEASE-p19)
2003-09-17 14:52:42 UTC (RELENG_4_5, 4.5-RELEASE-p31)
2003-09-17 14:57:32 UTC (RELENG_4_4, 4.4-RELEASE-p41)
2003-09-17 14:58:56 UTC (RELENG_4_3, 4.3-RELEASE-p37)
2003-09-17 16:07:48 UTC (ports/security/openssh)
2003-09-17 16:07:48 UTC (ports/security/openssh-portable)

CVE:            CAN-2003-0693, CAN-2003-0695, CAN-2003-0682
FreeBSD only:   NO

0.   Revision History

v1.0  2003-09-16  Initial release
v1.1  2003-09-17  Typo in instructions for restarting sshd

Additional buffer management errors corrected

I.   Background

OpenSSH is a free version of the SSH protocol suite of network
connectivity tools.  OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.

II.  Problem Description

Several operations within OpenSSH require dynamic memory allocation
or reallocation.  Examples are: the receipt of a packet larger
than available space in a currently allocated buffer; creation of
additional channels beyond the currently allocated maximum; and
allocation of new sockets beyond the currently allocated maximum.
Many of these operations can fail either due to `out of memory' or
due to explicit checks for ridiculously sized requests.  However, the
failure occurs after the allocation size has already been updated, so
that the bookkeeping data structures are in an inconsistent state (the
recorded size is larger than the actual allocation).  Furthermore,
the detection of these failures causes OpenSSH to invoke several
`fatal_cleanup' handlers, some of which may then attempt to use these
inconsistent data structures.  For example, a handler may zero and
free a buffer in this state, and as a result memory outside of the
allocated area will be overwritten with NUL bytes.

III. Impact

A remote attacker can cause OpenSSH to crash.  The bug is not believed
to be exploitable for code execution on FreeBSD.

IV.  Workaround

Do one of the following:

1) Disable the base system sshd by executing the following command as
root:


# kill `cat /var/run/sshd.pid`

Be sure that sshd is not restarted when the system is restarted
by adding the following line to the end of /etc/rc.conf:


sshd_enable="NO"

AND

Deinstall the openssh or openssh-portable ports if you have one of
them installed.


V.   Solution

Do one of the following:

[For OpenSSH included in the base system]

1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
RELENG_4_8, or RELENG_4_7 security branch dated after
the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
4.7-RELEASE-p15, respectively).


2) FreeBSD systems prior to the correction date:

The following patches have been verified to apply to FreeBSD 4.x and
FreeBSD 5.x systems prior to the correction date.

Download the appropriate patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.

[FreeBSD 4.3 and 4.4]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer44.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer44.patch.asc

[FreeBSD 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc

[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# /usr/sbin/sshd

[For the OpenSSH ports]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package obtained from
the following directory:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/

[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.

3) Download a new port skeleton for the openssh or openssh-portable
port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD base system and ports collection.

Branch                                                           Revision
Path

- -------------------------------------------------------------------------
[Base system]
RELENG_4

src/crypto/openssh/buffer.c                                 1.1.1.1.2.7
src/crypto/openssh/channels.c                              1.1.1.1.2.10
src/crypto/openssh/deattack.c                               1.1.1.1.2.5
src/crypto/openssh/misc.c                                   1.1.1.1.2.3
src/crypto/openssh/session.c                                   1.4.2.18
src/crypto/openssh/ssh-agent.c                                 1.2.2.11
src/crypto/openssh/version.h                               1.1.1.1.2.12

RELENG_5_1
src/UPDATING                                                  1.251.2.5
src/crypto/openssh/buffer.c                                 1.1.1.6.4.2
src/crypto/openssh/channels.c                                  1.15.2.1
src/crypto/openssh/deattack.c                               1.1.1.5.4.1
src/crypto/openssh/misc.c                                   1.1.1.4.2.1
src/crypto/openssh/session.c                                   1.40.2.1
src/crypto/openssh/ssh-agent.c                                 1.18.2.1
src/crypto/openssh/version.h                                   1.20.2.2
src/sys/conf/newvers.sh                                        1.50.2.6

RELENG_5_0
src/UPDATING                                                 1.229.2.19
src/crypto/openssh/buffer.c                                 1.1.1.6.2.2
src/crypto/openssh/channels.c                                  1.13.2.1
src/crypto/openssh/deattack.c                               1.1.1.5.2.1
src/crypto/openssh/misc.c                                   1.1.1.3.2.1
src/crypto/openssh/session.c                                   1.38.2.1
src/crypto/openssh/ssh-agent.c                                 1.16.2.1
src/crypto/openssh/version.h                                   1.18.2.2
src/sys/conf/newvers.sh                                       1.48.2.14

RELENG_4_8
src/UPDATING                                              1.73.2.80.2.8
src/crypto/openssh/buffer.c                             1.1.1.1.2.4.4.2
src/crypto/openssh/channels.c                           1.1.1.1.2.8.2.1
src/crypto/openssh/deattack.c                           1.1.1.1.2.4.4.1
src/crypto/openssh/misc.c                               1.1.1.1.2.2.4.1
src/crypto/openssh/session.c                               1.4.2.17.2.1
src/crypto/openssh/ssh-agent.c                             1.2.2.10.2.1
src/crypto/openssh/version.h                           1.1.1.1.2.10.2.2
src/sys/conf/newvers.sh                                   1.44.2.29.2.7

RELENG_4_7
src/UPDATING                                             1.73.2.74.2.19
src/crypto/openssh/buffer.c                             1.1.1.1.2.4.2.2
src/crypto/openssh/channels.c                           1.1.1.1.2.7.2.1
src/crypto/openssh/deattack.c                           1.1.1.1.2.4.2.1
src/crypto/openssh/misc.c                               1.1.1.1.2.2.2.1
src/crypto/openssh/session.c                               1.4.2.16.2.1
src/crypto/openssh/ssh-agent.c                              1.2.2.8.2.1
src/crypto/openssh/version.h                            1.1.1.1.2.9.2.2
src/sys/conf/newvers.sh                                  1.44.2.26.2.18

RELENG_4_6
src/UPDATING                                             1.73.2.68.2.47
src/crypto/openssh/buffer.c                             1.1.1.1.2.3.4.3
src/crypto/openssh/channels.c                           1.1.1.1.2.6.2.2
src/crypto/openssh/deattack.c                           1.1.1.1.2.3.4.2
src/crypto/openssh/misc.c                               1.1.1.1.2.1.4.2
src/crypto/openssh/session.c                               1.4.2.12.2.2
src/crypto/openssh/ssh-agent.c                              1.2.2.7.4.2
src/crypto/openssh/version.h                            1.1.1.1.2.8.2.3
src/sys/conf/newvers.sh                                  1.44.2.23.2.36

RELENG_4_5
src/UPDATING                                             1.73.2.50.2.48
src/crypto/openssh/buffer.c                             1.1.1.1.2.3.2.2
src/crypto/openssh/channels.c                           1.1.1.1.2.5.2.2
src/crypto/openssh/deattack.c                           1.1.1.1.2.3.2.1
src/crypto/openssh/scp.c                                1.1.1.1.2.4.2.1
src/crypto/openssh/session.c                               1.4.2.11.2.1
src/crypto/openssh/ssh-agent.c                              1.2.2.7.2.1
src/crypto/openssh/version.h                            1.1.1.1.2.7.2.3
src/sys/conf/newvers.sh                                  1.44.2.20.2.32

RELENG_4_4
src/UPDATING                                             1.73.2.43.2.49
src/crypto/openssh/buffer.c                             1.1.1.1.2.2.4.2
src/crypto/openssh/channels.c                           1.1.1.1.2.4.4.2
src/crypto/openssh/deattack.c                           1.1.1.1.2.2.4.1
src/crypto/openssh/scp.c                                1.1.1.1.2.3.4.1
src/crypto/openssh/session.c                                1.4.2.8.4.2
src/crypto/openssh/ssh-agent.c                              1.2.2.6.4.1
src/crypto/openssh/version.h                            1.1.1.1.2.5.2.4
src/sys/conf/newvers.sh                                  1.44.2.17.2.40

RELENG_4_3
src/UPDATING                                             1.73.2.28.2.36
src/crypto/openssh/buffer.c                             1.1.1.1.2.2.2.2
src/crypto/openssh/channels.c                           1.1.1.1.2.4.2.2
src/crypto/openssh/deattack.c                           1.1.1.1.2.2.2.1
src/crypto/openssh/scp.c                                1.1.1.1.2.3.2.1
src/crypto/openssh/session.c                                1.4.2.8.2.2
src/crypto/openssh/ssh-agent.c                              1.2.2.6.2.1
src/crypto/openssh/version.h                            1.1.1.1.2.4.2.4
src/sys/conf/newvers.sh                                  1.44.2.14.2.26

[Ports]
ports/security/openssh-portable/Makefile                           1.75
ports/security/openssh-portable/files/patch-buffer.c                1.2
ports/security/openssh-portable/files/patch-deattack.c              1.1
ports/security/openssh-portable/files/patch-misc.c                  1.3
ports/security/openssh-portable/files/patch-session.c              1.16
ports/security/openssh-portable/files/patch-ssh-agent.c             1.1
ports/security/openssh/Makefile                                   1.122
ports/security/openssh/files/patch-buffer.c                         1.2
ports/security/openssh/files/patch-deattack.c                       1.1
ports/security/openssh/files/patch-misc.c                           1.3
ports/security/openssh/files/patch-session.c                       1.15
ports/security/openssh/files/patch-ssh-agent.c                      1.1

- -------------------------------------------------------------------------

Branch                       Version string
- -------------------------------------------------------------------------
HEAD                         OpenSSH_3.6.1p1 FreeBSD-20030917
RELENG_4                     OpenSSH_3.5p1 FreeBSD-20030917
RELENG_5_1                   OpenSSH_3.6.1p1 FreeBSD-20030917
RELENG_4_8                   OpenSSH_3.5p1 FreeBSD-20030917
RELENG_4_7                   OpenSSH_3.4p1 FreeBSD-20030917
RELENG_4_6                   OpenSSH_3.4p1 FreeBSD-20030917
RELENG_4_5                   OpenSSH_2.9 FreeBSD localisations 20030917
RELENG_4_4                   OpenSSH_2.3.0 FreeBSD localisations 20030917
RELENG_4_3                   OpenSSH_2.3.0 green@FreeBSD.org 20030917
- -------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the
following command:

% /usr/sbin/sshd -\?

The version string is also displayed when a client connects to the
server.

To view the version string of the OpenSSH client, execute the
following command:

% /usr/bin/ssh -V

VII. References

<URL:http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0695>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0682>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/aKuVFdaIBMps37IRAj/nAJ9x7UQj1Mp0vTAZBHnjGsp/9LQLlQCfVybJ
AVHLwTVUmQXV9S2naBBX14I=
=JhlR
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Guardian Digital Inc.

Notified:  September 16, 2003 Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+------------------------------------------------------------------------+
| Guardian Digital Security Advisory                  September 18, 2003 |
| http://www.guardiandigital.com                        ESA-20030918-024 |
|                                                                        |
| Packages: openssh, openssh-clients, openssh-server                     |
| Summary:  additional buffer management bugs.                           |
+------------------------------------------------------------------------+

EnGarde Secure Linux is an enterprise class Linux platform engineered
to enable corporations to quickly and cost-effectively build a complete
and secure Internet presence while preventing Internet threats.


OVERVIEW
- --------

After the release of ESA-20030916-023, the OpenSSH team discovered more
buffer management bugs (fixed in OpenSSH 3.7.1) of the same type.


The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0695 to this issue.


Additionally, Solar Designer fixed additional bugs of this class.  His
fixes are included in this update.


The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0682 to this issue.


Guardian Digital products affected by this issue include:

EnGarde Secure Community v1.0.1
EnGarde Secure Community 2
EnGarde Secure Professional v1.1
EnGarde Secure Professional v1.2
EnGarde Secure Professional v1.5


It is recommended that all users apply this update as soon as possible.

SOLUTION
- --------

Guardian Digital Secure Network subscribers may automatically update
affected systems by accessing their account from within the Guardian
Digital WebTool.


To modify your GDSN account and contact preferences, please go to:

https://www.guardiandigital.com/account/

Below are MD5 sums for the updated EnGarde Secure Linux 1.0.1 packages:

Source Packages:

SRPMS/openssh-3.4p1-1.0.24.src.rpm
MD5 Sum: 99fe7fb778502a2052bf77820c98e75f


Binary Packages:

i386/openssh-3.4p1-1.0.24.i386.rpm
MD5 Sum: 47c27d82dedff376039757b982a64354


i386/openssh-clients-3.4p1-1.0.24.i386.rpm
MD5 Sum: 033b6c372912ead498da72e61b726af5


i386/openssh-server-3.4p1-1.0.24.i386.rpm
MD5 Sum: 9b9564ca3cbf8dd6f9a56fb19c2bbb7a


i686/openssh-3.4p1-1.0.24.i686.rpm
MD5 Sum: 62b9c11f36e8ce38221d5eb31bf5e7f3


i686/openssh-clients-3.4p1-1.0.24.i686.rpm
MD5 Sum: b3b382a4b4a5923b02f5eac7a1d35290


i686/openssh-server-3.4p1-1.0.24.i686.rpm
MD5 Sum: 513893fc0ad8eda5ffdfc2f79c820e45


REFERENCES
- ----------

Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

OpenSSH's Official Web Site:
http://www.openssh.com/

Guardian Digital Advisories:
http://infocenter.guardiandigital.com/advisories/

Security Contact: security@guardiandigital.com

- --------------------------------------------------------------------------
Author: Ryan W. Maple <ryan@guardiandigital.com>
Copyright 2003, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/acadHD5cqd57fu0RAm6kAJ9Mri+Rq56dr8cwm82tcyOLDcZQJACgjE+A
T+zQmXJeR4nmKZ4JfffjNyw=
=01Ez
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


IBM Corporation

Notified:  September 16, 2003 Updated:  October 01, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The AIX Security Team is aware of the issues discussed in CERT
Vulnerability Note VU#333628 and CERT Advisory CA-2003-24.

OpenSSH is available for AIX via the AIX Toolbox for Linux or the
Bonus Pack.

OpenSSH 3.4p1, revision 9 contains fixes for this issue for the AIX Toolbox
for Linux. For more information about the AIX Toolbox for Linux or to download
OpenSSH 3.4p1 revision 9, please see:

http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

Please note that AIX Toolbox for Linux is available "as-is" and is unwarranted.

Patched versions of OpenSSH for the Bonus Pack on AIX 5.1 and 5.2 are available.
Please see:

http://oss.software.ibm.com/developerworks/projects/opensshi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)

iD8DBQE/caebcnMXzUg7txIRAgOJAJ0Y6J/hQbjj55RfRv3cEzBhuNbN6wCdGghw
JuV94jCMTXFz9xzJD3b5qo4=
=Uhli
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


IBM eServer

Notified:  September 16, 2003 Updated:  September 22, 2003

Status

  Vulnerable

Vendor Statement

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to

https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=3D

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to http://app-06.www.ibm.com/servers/resourcelink and follow the steps for registration.

All questions should be referred to servsec@us.ibm.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Ingrian Networks, Inc.

Notified:  September 16, 2003 Updated:  October 01, 2003

Status

  Vulnerable

Vendor Statement

Ingrian Networks Security Advisory ING-2003-05

Revision 1.0

Dated: 9/22/2003

Posted: https://www.ingrian.com/support/iwsc/security.php


Summary
=======


The Ingrian DataSecure platform secures business applications and data.

This advisory describes a vulnerability in all Ingrian platforms.
This vulnerability is in the SSH server, which is used for secure
access to the command line interface (CLI). There are buffer overflow
bugs in the SSH server that could allow an attacker who can connect to the
ssh port to crash the SSH server. At this time there are no
known exploits, nor are there any known attacks that exploit the
buffer overflow to obtain access to an Ingrian device.


There is a workaround: block access to port 22 (ssh) at the firewall.


Applying the appropriate patch from those listed below will
fix the vulnerability. The patches are available at
https://www.ingrian.com/support/iwsc/security.php



Affected Products
=================

All releases of the IngrianOS.

Details
=======


Sshd, prior to version 3.71, contains buffer overflow bugs that
can allow an attacker to crash the program.

This vulnerability was announced in CERT advisory CA-2003-24
(http://www.cert.org/advisories/CA-2003-24.html)


Impact
======

An attacker could use this vulnerability to perform a denial-of-service
attack on an Ingrian device. Since the Ingrian watches and restarts
critical services, even if the vulnerability were exploited on an
Ingrian device, the period that service would be denied is short.
If attackers develop exploits that put the attacker's code on the
stack, it would be possible for them to obtain access to the
affected machines.

Ingrian is not aware of any exploits currently in the field.


Software Versions and Fixes
===========================


This vulnerability is fixed in these patches:

2.6.3p02
2.8.2p02
2.9.0p07

These patches are released as "untested" patches, meaning that they
have gone through an acceptance test but have not yet passed the
full QA cycle. Fully tested patches will be released shortly.
Please contact your Ingrian representative.


Obtaining A Fix
===============

Customers with service contracts should go through the regular
update channels to obtain the software upgrades identified in this
advisory. For most customers with service contracts, this means
that upgrades should be obtained through the Ingrian Support Center
at https://www.ingrian.com/suppport


Workarounds
===========

This vulnerability exists only when attackers can access the
ssh port, port 22. Disabling access to port 22 at the outer
firewall prevents the attack. See your firewall vendors'
documentation for details.

Another workaround is to disable SSH Administration.
To do this, select Maintenance, then Services. Click on
'SSH Administration' and then click the 'disable startup' button.
Then click 'Stop'.


Source
======

This vulnerability was reported in CERT announcement CA-2003-24.


Revision History
================

Version 1.0, dated 9/19/2003


Copyright
=========

This advisory is copyright 2003 by Ingrian Networks, Inc. This advisory
may be redistributed freely, provided that redistributed copies are
complete and unmodified, including all date and version information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Juniper Networks, Inc.

Notified:  September 16, 2003 Updated:  September 22, 2003

Status

  Vulnerable

Vendor Statement

Juniper Networks has identified this vulnerability in all shipping versions of JUNOS and coded a software fix. The fix will be included in all releases of JUNOS Internet software built on or after September 17. Customers with current support contracts should contact JTAC to obtain the fix for this vulnerability.

JUNOSe and SDX are not vulnerable to this issue.

Contract customers can review the details at:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mandriva, Inc.

Notified:  September 16, 2003 Updated:  September 17, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           openssh
Advisory ID:            MDKSA-2003:090-1
Date:                   September 17th, 2003
Original Advisory Date: September 16th, 2003
Affected versions:      8.2, 9.0, 9.1, Corporate Server 2.1,
                        Multi Network Firewall 8.2
________________________________________________________________________

Problem Description:

A buffer management error was discovered in all versions of openssh
prior to version 3.7.  According to the OpenSSH team's advisory:
"It is uncertain whether this error is potentially exploitable,
however, we prefer to see bugs fixed proactively."  There have also
been reports of an exploit in the wild.


MandrakeSoft encourages all users to upgrade to these patched openssh
packages immediately and to disable sshd until you are able to upgrade
if at all possible.


Update:

The OpenSSH developers discovered more, similar, problems and revised
the patch to correct these issues.  These new packages have the latest
patch fix applied.

________________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0695
http://www.kb.cert.org/vuls/id/333628
http://www.openssh.com/txt/buffer.adv
________________________________________________________________________

Updated Packages:

________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________

To upgrade automatically, use MandrakeUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:

gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mandriva, Inc.

Notified:  September 16, 2003 Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : openssh
SUMMARY   : Remote vulnerabilities
DATE      : 2003-09-17 18:48:00
ID        : CLA-2003:741
RELEVANT
RELEASES  : 7.0, 8, 9

- -------------------------------------------------------------------------

DESCRIPTION
OpenSSH[1] is a very popular and versatile tool that uses encrypted
connections between hosts and is commonly used for remote
administration.


This update fixes new vulnerabilities found in the code that handles
buffers in OpenSSH. These vulnerabilities are similar to the ones
fixed in the CLSA-2003:739 announcement[2] (CAN-2003-0693) and can be
exploited by a remote attacker to cause a denial of service condition
and potentially execute arbitrary code (although there is still no
concrete evidence of that).


The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0695 to this additional issue[3].


The OpenSSH team released the version 3.7.1 which fixes this
vulnerability[4]. This update contains the versions originally
distributed with Conectiva Linux with backported patches added.


Additionally, patches made by Solar Designer to fix memory bugs in
other parts of the code are being added. Although it is unlikely
that these bugs are exploitable, they are being treated as security
fixes by now and have the name CAN-2003-0682 assigned[5] by The
Common Vulnerabilities and Exposures project (cve.mitre.org).



SOLUTION
It is recommended that all OpenSSH users upgrade their packages.


The ssh service will be automatically restarted during the upgrade if
it is already running. Current ssh sessions will remain open during
the restart.



REFERENCES:
1.http://www.openssh.org
2.http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000739&idioma=en
3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0695
4.http://www.openssh.com/txt/buffer.adv
5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0682



UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-3.4p1-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-3.4p1-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-askpass-gnome-3.4p1-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-clients-3.4p1-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssh-server-3.4p1-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openssh-3.4p1-1U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-3.4p1-1U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-3.4p1-1U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-askpass-gnome-3.4p1-1U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-clients-3.4p1-1U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssh-server-3.4p1-1U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssh-3.4p1-1U80_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-3.5p1-27767U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-askpass-3.5p1-27767U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-askpass-gnome-3.5p1-27767U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-clients-3.5p1-27767U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssh-server-3.5p1-27767U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/openssh-3.5p1-27767U90_2cl.src.rpm


ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:


- run:                 apt-get update
- after that, execute: apt-get upgrade


Detailed instructions regarding the use of apt and upgrade examples
can be found at
http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at
http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mirapoint

Notified:  September 16, 2003 Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

Mirapoint released a patch (D3_SSH_CA_2003_24) last night to fix the first reported vulnerability and will release D3_SSH_CA_2003_24_1 to cover the second.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD

Notified:  September 16, 2003 Updated:  September 17, 2003

Status

  Vulnerable

Vendor Statement

The NetBSD Security Advisory on the OpenSSH buffer management issue is available here:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Network Appliance

Notified:  September 16, 2003 Updated:  August 12, 2008

Status

  Vulnerable

Vendor Statement

This issue applies only to SecureAdmin on Data ONTAP versions earlier than 6.4.3, and SecureAdmin for NetCache releases earlier than 5.5R2.

All current releases (NetCache 5.6, 6.0 and 6.1, and Filer 6.5, 7.0, 7.1, 7.2, 7.3 and 10.0) have been secured against this issue.

If you have an affected release:

    Disable the SSH server on the filer or NetCache appliance, or if it must remain enabled, ensure that the ssh.access option (config.admin.trusted_hosts in NetCache) is used to restrict ssh connections to authorized administrative hosts.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Nokia

Notified:  September 16, 2003 Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

Nokia confirms that IPSO and IPSO-SX are affected by the vulnerability described in CERT Coordination Center Vulnerability Note VU#333628. We are currently backporting the patches provided by the OpenSSH team into the OpenSSH versions deployed within IPSO and IPSO-SX.

According to CERT/CC, the most likely impact of the vulnerability is the potential for a DoS attack if an exploit script is repeatedly executed against the same device. This potential can be eliminated by restricting access to SSH, allowing access only from trusted workstations by using either Access Control Lists (ACLs) or firewall rules to restrict access to TCP port 22.

To prevent automated scanners from successfully exploiting this vulnerability, ensure that the SSH server does not run on the default port of TCP 22 and is running on an alternate port, preferably above port 1024. In IPSO, this can be done by going to the "Security and Access Configuration" section in Voyager and selecting "SSH (Secure Shell)," then click on the "Go to the advanced server options page" link. From here, under the "Configure Server Protocol Details" heading, the TCP port number for the SSH service can be changed to a different value.

We expect to provide updated releases of IPSO and IPSO-SX the week of September 22, 2003.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenPKG

Updated:  September 17, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.040                                          17-Sep-2003
________________________________________________________________________

Package:             openssh
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= openssh-3.7p1-20030916 >= openssh-3.7.1p1-20030917
OpenPKG 1.3          <= openssh-3.6.1p2-1.3.1  >= openssh-3.6.1p2-1.3.2
OpenPKG 1.2          <= openssh-3.5p1-1.2.3    >= openssh-3.5p1-1.2.4

Dependent Packages:  none

Description:
According to an OpenSSH [1] Security Advisory [0], 2nd revision, all
versions of OpenSSH's sshd(8) prior to version 3.7.1 contain buffer
management errors. The discovery of additional similar errors by
Solar Designer shows that version 3.7.1 is affected, too. Those errors
may allow remote attackers to execute arbitrary code by causing an
incorrect amount of memory to be cleared and corrupting the heap on
fatal cleanups.


The Common Vulnerabilities and Exposures (CVE) project assigned
the id CAN-2003-0693 [2] to the problem, as initially explained
in the 1st revision of the OpenSSH Security Advisory [0]. In the
current 2nd revision, similar problems were described and fixed, too.
Additionally, Solar Designer found 4 more problematic instances
of similar memory management errors. The corrected OpenPKG packages
(see versions above) contain the collected bug fixes for all of those
errors.


Please check whether you are affected by running "<prefix>/bin/rpm -q
openssh". If you have the "openssh" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution). [3][4]


Notice that the previous package versions openssh-3.7p1-20030916,
openssh-3.6.1p2-1.3.1 and openssh-3.5p1-1.2.3 contain the bug fixes
from the OpenSSH Security Advisory [0], 1st revision, only. You are
strongly advised to upgrade to the latest package versions because of
the contained additional bug fixes.


Solution:
Select the updated source RPM appropriate for your OpenPKG release
[5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
location, verify its integrity [9], build a corresponding binary RPM
from it [3] and update your OpenPKG installation by applying the
binary RPM [4]. For the current release OpenPKG 1.3, perform the
following operations to permanently fix the security problem (for
other releases adjust accordingly).


$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.3/UPD
ftp> get openssh-3.6.1p2-1.3.2.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig openssh-3.6.1p2-1.3.2.src.rpm
$ <prefix>/bin/rpm --rebuild openssh-3.6.1p2-1.3.2.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssh-3.6.1p2-1.3.2.*.rpm

________________________________________________________________________

References:
[0] http://www.openssh.com/txt/buffer.adv
[1] http://www.openssh.com/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
[3] http://www.openpkg.org/tutorial.html#regular-source
[4] http://www.openpkg.org/tutorial.html#regular-binary
[5] ftp://ftp.openpkg.org/release/1.3/UPD/openssh-3.6.1p2-1.3.2.src.rpm
[6] ftp://ftp.openpkg.org/release/1.2/UPD/openssh-3.5p1-1.2.4.src.rpm
[8] ftp://ftp.openpkg.org/release/1.3/UPD/
[7] ftp://ftp.openpkg.org/release/1.2/UPD/
[9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenSSH

Notified:  September 16, 2003 Updated:  September 17, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is resolved in version 3.7.1. Please see the OpenSSH advisory at: http://www.openssh.com/txt/buffer.adv

Openwall GNU/*/Linux

Notified:  September 16, 2003 Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

The OpenSSH package in Openwall GNU/*/Linux did contain the buffer / memory management errors. As of 2003/09/17, we have included the fixes from OpenSSH 3.7.1 as well as 4 additional fixes to other such real or potential errors based on an exhaustive review of the OpenSSH source code for uses of *realloc() functions. At this time, it is uncertain whether and which of these bugs are exploitable. If exploits are possible, due to privilege separation, the worst direct impact should be limited to arbitrary code execution under the sshd pseudo-user account restricted within the chroot jail /var/empty, or under the logged in user account

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat, Inc.

Notified:  September 16, 2003 Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

Red Hat Linux and Red Hat Enterprise Linux ship with an OpenSSL package vulnerable to these issues. Updated OpenSSL packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.

Red Hat Linux:


Red Hat Enterprise Linux:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Riverstone Networks

Notified:  September 16, 2003 Updated:  October 01, 2003

Status

  Vulnerable

Vendor Statement

Riverstone Networks has issued an advisory on this issue at http://www.riverstonenet.com/support/tb0265-9.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SCO

Notified:  September 16, 2003 Updated:  October 07, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject:                OpenServer 5.0.7 : OpenSSH: multiple buffer handling problems
Advisory number:        CSSA-2003-SCO.24
Issue date:             2003 October 1
Cross reference:        sr884749 fz528324 erg712436 CERT VU#33362 CERT VU#602204 CAN-2003-0693  CAN-2003-0786 CAN-2003-0695 CAN-2003-0682
______________________________________________________________________________


1. Problem Description

Several buffer management errors and memory bugs are
corrected by this patch.


The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the following
names to these issues. CAN-2003-0693, CAN-2003-0695,
CAN-2003-0682, CAN-2003-0786.


The CERT Coordination Center has assigned the following
names VU#333628, and VU#602204.


CERT VU#333628 / CAN-2003-0693: A "buffer management error"
in buffer_append_space of buffer.c for OpenSSH before 3.7
may allow remote attackers to execute arbitrary code by
causing an incorrect amount of memory to be freed and
corrupting the heap, a different vulnerability than
CAN-2003-0695


CAN-2003-0695: Multiple "buffer management errors" in
OpenSSH before 3.7.1 may allow attackers to cause a denial
of service or execute arbitrary code using (1) buffer_init
in buffer.c, (2) buffer_free in buffer.c, or (3) a separate
function in channels.c, a different vulnerability than
CAN-2003-0693.


CAN-2003-0682: "Memory bugs" in OpenSSH 3.7.1 and earlier,
with unknown impact, a different set of vulnerabilities
than CAN-2003-0693 and CAN-2003-0695.


CERT VU#602204 / CAN-2003-0786: Portable OpenSSH versions
3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the
new PAM code. At least one of these bugs is remotely
exploitable (under a non-standard configuration, with
privsep disabled). OpenServer is not configured to use PAM,
so is not vulnerable.



2. Vulnerable Supported Versions

System                      Binaries
----------------------------------------------------------------------
OpenServer 5.0.7            OpenSSH Distribution



3. Solution

The proper solution is to install the latest packages.


4. OpenServer 5.0.7

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.24

4.2 Verification

MD5 (VOL.000.000) = f36194ca559c850794874f9c7a0b2a18
MD5 (VOL.000.001) = 02b76bd551a0a95f2544b8999c6fbcbf
MD5 (VOL.000.002) = 6818513c946dbcd43a3f34fc19ef79fc
MD5 (VOL.000.003) = 8149c475968c3d7318eda33f30ce8045


md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to the /tmp directory

2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.



5. References

Specific references for this advisory:
http://www.openssh.com/txt/buffer.adv
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/security/openssh/files/patch-buffer.c
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940
http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106375582924840

SCO security resources:
http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr884749 fz528324
erg712436.



6. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


______________________________________________________________________________


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
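
The bookkeeping error that the SCO and OpenPKG statements above describe (an incorrect amount of memory cleared or freed on fatal cleanup) is shown below as a simplified C model. It is an added example, not OpenSSH's code: the struct, the function names and the two size constants are assumptions made for the illustration, and the model only measures the mismatch without ever writing out of bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_MAX  0xa00000u  /* growth limit in this model (assumed value) */
#define BUF_STEP 32768u     /* headroom added per growth (assumed value) */

struct model_buf {
    unsigned char *buf;
    size_t alloc;      /* size the code believes it owns; cleanup clears this many bytes */
    size_t true_size;  /* size really obtained from the allocator (checking aid only) */
};

static int model_init(struct model_buf *b, size_t n)
{
    b->buf = malloc(n);
    if (b->buf == NULL)
        return -1;
    b->alloc = b->true_size = n;
    return 0;
}

/* Flawed pattern: the recorded size is raised BEFORE the limit check, so a
 * refused request leaves 'alloc' larger than the real heap block. Returns -1
 * at the point where a daemon would enter its fatal-error cleanup. */
static int grow_flawed(struct model_buf *b, size_t len)
{
    unsigned char *p;

    b->alloc += len + BUF_STEP;          /* bookkeeping changed too early */
    if (b->alloc > BUF_MAX)
        return -1;                       /* refused, alloc stays inflated */
    p = realloc(b->buf, b->alloc);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->true_size = b->alloc;
    return 0;
}

/* Corrected pattern: compute the new size in a local, validate it, and
 * commit it to 'alloc' only after the allocator has succeeded. */
static int grow_fixed(struct model_buf *b, size_t len)
{
    size_t newlen;
    unsigned char *p;

    if (len > BUF_MAX)                   /* also rules out overflow below */
        return -1;
    newlen = b->alloc + len + BUF_STEP;
    if (newlen > BUF_MAX)
        return -1;                       /* refused, bookkeeping untouched */
    p = realloc(b->buf, newlen);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->alloc = b->true_size = newlen;
    return 0;
}

/* Bytes a cleanup that clears 'alloc' bytes would touch past the real block. */
static size_t cleanup_overrun(const struct model_buf *b)
{
    return b->alloc > b->true_size ? b->alloc - b->true_size : 0;
}

/* The model's own cleanup clears only memory that is really allocated. */
static void model_free(struct model_buf *b)
{
    size_t n = b->alloc < b->true_size ? b->alloc : b->true_size;

    memset(b->buf, 0, n);
    free(b->buf);
    b->buf = NULL;
    b->alloc = b->true_size = 0;
}

/* Send one oversized request (constructed input) through the chosen routine
 * and report how far the cleanup would overrun after the refusal. */
static size_t overrun_after_refused_growth(int use_fixed)
{
    struct model_buf b;
    size_t over;
    int rc;

    if (model_init(&b, 4096) != 0)
        return (size_t)-1;
    rc = use_fixed ? grow_fixed(&b, BUF_MAX) : grow_flawed(&b, BUF_MAX);
    over = (rc == -1) ? cleanup_overrun(&b) : (size_t)-1;
    model_free(&b);
    return over;
}

int main(void)
{
    printf("flawed: cleanup overruns by %zu bytes\n", overrun_after_refused_growth(0));
    printf("fixed:  cleanup overruns by %zu bytes\n", overrun_after_refused_growth(1));
    return 0;
}
```

When auditing derived code, the thing to look for is any size field that is updated before the corresponding allocation or limit check has succeeded and that an error-path cleanup later trusts.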

SUSE Linux

Notified:  September 16, 2003 Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

SuSE Security Announcement

Package:                openssh (second release)
Announcement-ID:        SuSE-SA:2003:039
Date:                   Thursday, Sep 18 2003 20:00 MEST
Affected products:      7.2, 7.3, 8.0, 8.1, 8.2
                        SuSE Linux Database Server,
                        SuSE eMail Server III, 3.1
                        SuSE Linux Enterprise Server 7, 8
                        SuSE Linux Firewall on CD/Admin host
                        SuSE Linux Connectivity Server
                        SuSE Linux Office Server
                        SuSE Linux Standard Server 8
Vulnerability Type:     potential remote privilege escalation
Severity (1-10):        8
SuSE default package:   yes
Cross References:       http://www.openssh.com/txt/buffer.adv
                        CERT VU#333628 http://www.kb.cert.org/vuls/id/333628
                        CVE CAN-2003-0693
                        CVE CAN-2003-0695
                        CVE CAN-2003-0682

Content of this advisory:
        1) security vulnerability resolved: openssh
             problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds:
             - mysql
        3) standard appendix (further information)


______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

The openssh package is the most widely used implementation of the secure
shell protocol family (ssh). It provides a set of network connectivity
tools for remote (shell) login, designed to substitute the traditional
BSD-style r-protocols (rsh, rlogin). openssh has various authentication
mechanisms and many other features such as TCP connection and X11 display
forwarding over the fully encrypted network connection as well as file
transfer facilities.


This is a new release of SuSE Security Announcement (openssh),
ID SuSE-SA:2003:038. A set of new bugs were addressed by the openssh
development team. These bugs are fixed in the new 3.7.1 upstream release
of the openssh package; we have added the necessary changes to our
packages preserving the package version to avoid the risk of incompatible
behaviour of the software.


Specifics about the errors found:
(Topic for SuSE Security Announcement SuSE-SA:2003:038:)
A programming error has been found in code responsible for buffer
management. If exploited by a (remote) attacker, the error may lead to
unauthorized access to the system, allowing the execution of arbitrary
commands. The error is known as the buffer_append_space()-bug and is
assigned the Common Vulnerabilities and Exposures (CVE) name CAN-2003-0693.
The error was cause for the upstream release openssh-3.7.


(Topic for SuSE Security Announcement SuSE-SA:2003:039 (this announcement):)
Programming errors of a similar kind as described above have been found in
other portions of the code, with similar effects. These errors are known
as "buffer.c/channels.c bug", the CVE name for these errors is CAN-2003-0695.
This set of errors was cause for the upstream release openssh-3.7.1.
In addition to the fixes for the buffer.c/channels.c bugs we have added
some changes that have been assembled by Solar Designer during his review
of the source code. These fixes are considered a precautionary measure and
are not believed to have a significant effect on the security of the
openssh code.


At the time of writing this announcement, we believe that at least one set
of errors as described above is exploitable by a remote attacker. As a
reminder,  at the time of writing the SuSE Security Announcement
SuSE-SA:2003:038 it was unclear if the bug addressed with the announcement
(buffer_append_space()-bug) is exploitable. An increasing amount of TCP
connection attempts to port 22 as observed in the internet during the
past days may indicate that there exists an exploit for the error in the
public.


Please note that we have disabled the Privilege Separation feature in
the ssh daemon (sshd) with this update. The PrivSep feature is designed
to have parts of the ssh daemon's work running under lowered privileges,
thereby limiting the effect of a possible vulnerability in the code. The
PrivSep feature is turned on/off by the UsePrivilegeSeparation keyword
in sshd's configuration file /etc/ssh/sshd_config. The feature is held
responsible for malfunctions in PAM (Pluggable Authentication Modules).
The update mechanism will not overwrite configuration files that have
been altered after the package installation.




SPECIAL INSTALL INSTRUCTIONS:
==============================
After the update has been successfully applied, the ssh daemon (sshd)
must be restarted for the update package to become effective. To restart the
ssh daemon after the update, please run the following command as root:


rcsshd restart


Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.






Intel i386 Platform:

SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssh-3.5p1-107.i586.rpm
e030b0803481d0f29f576e3b4726284f
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssh-3.5p1-107.i586.patch.rpm
d022894363b99e6bd03e9b2109c2244c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/openssh-3.5p1-107.src.rpm
3f7f5ed43c7d795c63fe06148874944a

SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-215.i586.rpm
91cdd33a4149756b8f6371aa3177a5f4
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssh-3.4p1-215.i586.patch.rpm
3b7c44819c8fed5e33514481d99d4ab7
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/openssh-3.4p1-215.src.rpm
6c3694fc75bcf185035547b85abbc491

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssh-3.4p1-215.i386.rpm
c61781b97767188cc3a39795535307ff
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssh-3.4p1-215.i386.patch.rpm
c222aef79a8fef6d44d8d61fc075efc5
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/openssh-3.4p1-215.src.rpm
bc327a4150058c9d1216cb96712973a5

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssh-2.9.9p2-156.i386.rpm
c9928c04b03cb292aa96ad6890a5ee38
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssh-2.9.9p2-156.src.rpm
28aa82be9233e3ba93b94eb138c9ea04

SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssh-2.9.9p2-156.i386.rpm
b369724a788a2c6bd70a448a49530f69
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssh-2.9.9p2-156.src.rpm
98b8b7281fe04aab8c8838adcf195697




Sparc Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssh-2.9.9p2-53.sparc.rpm
97cb0218e9354b8cc062e44a0d6fb19f
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssh-2.9.9p2-53.src.rpm
8cddb96e633864469d7ba08d3cf7436a



PPC Power PC Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssh-2.9.9p2-109.ppc.rpm
37b1e82a3971f5c4c427ce37227b11e0
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssh-2.9.9p2-109.src.rpm
7a19424887772b86d14bacbf5add9628


______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

- A buffer overflow vulnerability has been found in the mysql package,
an Open Source relational database system. The error may allow a remote
attacker to execute arbitrary code with the privileges of the database
process.
We are in the process of building and testing the update packages and
will release them with a SuSE Security Announcement as soon as possible.


______________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

- Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.


1) execute the command
md5sum <name-of-the-file.rpm>

after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security@suse.de),
the checksums show proof of the authenticity of the package.
We recommend against subscribing to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.


2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command

rpm -v --checksig <file.rpm>

to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
   key must be installed by the gpg program in the directory
   ~/.gnupg/ under the user's home directory who performs the
   signature verification (usually root). You can import the key
   that is used by SuSE in rpm packages for SuSE Linux by saving
   this announcement to a file ("announcement.txt") and
   running the command (do "su -" to be root):

   gpg --batch; gpg < announcement.txt | gpg --import

   SuSE Linux distributions version 7.1 and thereafter install the
   key "build@suse.de" upon installation or upgrade, provided that
   the package gpg is installed. The file containing the public key
   is placed at the top-level directory of the first CD (pubring.gpg)
   and at
   ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .


- SuSE runs two security mailing lists to which any interested party may
subscribe:

suse-security@suse.com
-   general/linux/SuSE security discussion.
    All SuSE security announcements are sent to this list.
    To subscribe, send an email to
    <suse-security-subscribe@suse.com>.

suse-security-announce@suse.com
-   SuSE's announce-only mailing list.
    Only SuSE's security announcements are sent to this list.
    To subscribe, send an email to
    <suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.


=====================================================================
SuSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================

______________________________________________________________________________

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.


Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>


Roman Drahtmüller,
SuSE Security.
- --

Roman Drahtmüller <draht@suse.de>  //  "You don't need eyes to see,
SuSE Linux AG - Security           //   you need vision!"
Nürnberg, Germany                  //   Maxi Jazz, Faithless
Phone: +49-911-740530

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
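The md5sum check from the appendix of the SuSE announcement above (verification method 1), as an added shell example that is not part of the advisory or of SuSE's tooling. It extracts the URL/checksum pairs from a saved announcement and checks downloaded packages against them, accepting a file when its digest matches any entry listed for that file name, because the package list repeats names such as openssh-2.9.9p2-156.i386.rpm across releases with different sums. The function names, the ftp.example.invalid URLs and the package contents are constructed for the demonstration.

```shell
#!/bin/sh
# Assumed announcement layout (as in the package list above): a line with the
# package URL, immediately followed by a line with its 32-hex-digit md5sum.

# extract_sums ANNOUNCEMENT -> prints "md5  filename" for every URL/sum pair.
extract_sums() {
    awk '
        { sub(/[ \t\r]+$/, "") }                      # drop trailing blanks / CR
        /^(ftp|http):\/\/.*\.rpm$/ { n = split($0, p, "/"); name = p[n]; next }
        /^[0-9a-f]+$/ && length($0) == 32 && name != "" {
            print $0 "  " name; name = ""; next
        }
        { name = "" }                                 # sum must follow its URL
    ' "$1"
}

# verify_packages ANNOUNCEMENT DIR
# Checks every file in DIR whose name appears in the announcement.
# Returns 0 only if at least one file was checked and none mismatched.
verify_packages() {
    ann=$1 dir=$2 checked=0 bad=0
    sums=$(extract_sums "$ann")
    names=$(printf '%s\n' "$sums" | awk '{ print $2 }' | sort -u)
    for name in $names; do
        [ -f "$dir/$name" ] || continue               # not downloaded: skip
        got=$(md5sum "$dir/$name" | cut -d' ' -f1)
        checked=$((checked + 1))
        # The same file name can be listed for several releases; any listed
        # sum for that name is acceptable.
        if printf '%s\n' "$sums" | grep -Fxq "$got  $name"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name ($got is not listed for this file)"
            bad=$((bad + 1))
        fi
    done
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# make_sample DIR -> writes a constructed package and a constructed
# announcement excerpt (not real SuSE packages or checksums) into DIR.
make_sample() {
    printf 'constructed package A\n' > "$1/openssh-0.0-1.i386.rpm"
    printf 'constructed package B\n' > "$1/other.tmp"
    a=$(md5sum "$1/openssh-0.0-1.i386.rpm" | cut -d' ' -f1)
    b=$(md5sum "$1/other.tmp" | cut -d' ' -f1)
    rm -f "$1/other.tmp"
    cat > "$1/announcement.txt" <<EOF
SuSE-7.3:
ftp://ftp.example.invalid/update/7.3/sec1/openssh-0.0-1.i386.rpm
$a
source rpm(s):
ftp://ftp.example.invalid/update/7.3/zq1/openssh-0.0-1.src.rpm
$b

SuSE-7.2:
ftp://ftp.example.invalid/update/7.2/sec1/openssh-0.0-1.i386.rpm
$b
EOF
}

# Stand-alone run on the constructed data.
tmp=$(mktemp -d)
make_sample "$tmp"
verify_packages "$tmp/announcement.txt" "$tmp" && echo "all present packages verified"
rm -rf "$tmp"
```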

Slackware

Updated:  September 16, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  OpenSSH Security Advisory (SSA:2003-259-01)

Upgraded OpenSSH packages are available for Slackware 8.1, 9.0 and
- -current.  These fix a buffer management error found in versions of
OpenSSH earlier than 3.7.  The possibility exists that this error
could allow a remote exploit, so we recommend all sites running
OpenSSH upgrade to the new OpenSSH package immediately.


Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Tue Sep 16 11:13:05 PDT 2003
patches/packages/openssh-3.7p1-i386-1.tgz:  Upgraded to openssh-3.7p1.

From the OpenSSH Security Advisory
(http://www.openssh.com/txt/buffer.adv):
"All versions of OpenSSH's sshd prior to 3.7 contain a buffer
management error.  It is uncertain whether this error is
potentially exploitable, however, we prefer to see bugs
fixed proactively."

(* Security fix *)
+--------------------------+


WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-3.7p1-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/openssh-3.7p1-i386-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-3.7p1-i486-1.tgz


MD5 SIGNATURES:
+-------------+

Slackware 8.1 package:
a86d410e47fe8ab4a8e9f04293a94093  openssh-3.7p1-i386-1.tgz

Slackware 9.0 package:
ca1d0b1e658c5391067f2a9cf11fc239  openssh-3.7p1-i386-1.tgz

Slackware -current package:
c58003eaaf4362c8475f0f5a77f2adbb  openssh-3.7p1-i486-1.tgz


INSTALLATION INSTRUCTIONS:
+------------------------+

(This procedure is safe to do while logged in through OpenSSH)

Upgrade using upgradepkg (as root):
# upgradepkg openssh-3.7p1-i386-1.tgz

Restart OpenSSH:
. /etc/rc.d/rc.sshd restart


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/Z1e9akRjwEAQIjMRAmufAJ9LzlDM92HI9GHUD6VBb7XszGvnQwCfd9cf
REvURD6OFDRCs4EhBQUsnuk=
=7iqn
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems, Inc.

Notified:  September 16, 2003 Updated:  January 16, 2007

Status

  Vulnerable

Vendor Statement

The Solaris Secure Shell in Solaris 9 is impacted by this issue described in CERT Vulnerability Note VU#333628. Sun has published Sun Alert 56861 available here:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-56861-1

which details the impact, contributing factors, workaround options, and resolution. This issue does not affect the Solaris Secure Shell in Solaris 10.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TFS Technology

Updated:  September 17, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux

Updated:  September 17, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2003-0033

Package name:      openssh
Summary:           Buffer Management error
Date:              2003-09-17
Affected versions: TSL 1.2, 1.5, 2.0

- --------------------------------------------------------------------------
Package description:

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to separate libraries (OpenSSL).



Problem description:
Taken from the announcement of openssh 3.7.1:


All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management
errors.  It is uncertain whether these errors are potentially exploitable,
however, we prefer to see bugs fixed proactively.


OpenSSH 3.7 fixed one of these bugs.

OpenSSH 3.7.1 fixes more similar bugs.

The TSL team has chosen to backport these fixes into the various versions
of openssh packaged in TSL.


Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.



Location:
All TSL updates are available from
<URI:http://www.trustix.net/pub/Trustix/updates/>
<URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.



Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.


Users of TSL 1.2 can get SWUP from:
<URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>
(In later versions of TSL, SWUP is included in the default installation.)



Public testing:
These packages have been available for public testing for some time.
If you want to contribute by testing the various packages in the
testing tree, please feel free to share your findings on the
tsl-discuss mailinglist.
The testing tree is located at
<URI:http://www.trustix.net/pub/Trustix/testing/>
<URI:ftp://ftp.trustix.net/pub/Trustix/testing/>

You may also use swup for public testing of updates for TSL 2.0 and later:

site {
    class = 0
    location = "http://snow.trustix.org/cloud/rdfs/latest.rdf"
    regexp = ".*"
}


Questions?
Check out our mailing lists:
<URI:http://www.trustix.net/support/>


Verification:
This advisory along with all TSL packages are signed with the TSL sign key.
This key is available from:
<URI:http://www.trustix.net/TSL-GPG-KEY>

The advisory itself is available from the errata pages at
<URI:http://www.trustix.net/errata/trustix-1.2/>,
<URI:http://www.trustix.net/errata/trustix-1.5/> and
<URI:http://www.trustix.net/errata/trustix-2.0/>
or directly at
<URI:http://www.trustix.net/errata/misc/2003/TSL-2003-0033-openssh.asc.txt>


MD5sums of the packages:
- --------------------------------------------------------------------------
55d636ae51c9e355e02fd9988c78471f  ./2.0/SRPMS/openssh-3.6.1p2-4tr.src.rpm
3855df802a31aef02312537c44f24d5f  ./2.0/RPMS/openssh-server-config-3.6.1p2-4tr.i586.rpm
3b99832e6d4ee04058c69b4f8767feab  ./2.0/RPMS/openssh-server-3.6.1p2-4tr.i586.rpm
68ac388fc68fe725cb6cdd8207017c1f  ./2.0/RPMS/openssh-clients-3.6.1p2-4tr.i586.rpm
1bb394fdf22f158a4c5ce154a5284318  ./2.0/RPMS/openssh-3.6.1p2-4tr.i586.rpm
abe0f77d98845e40d14548be63f7341c  ./1.5/SRPMS/openssh-3.1.0p1-6tr.src.rpm
9af4176b0919f9ee54e83df88248a9dd  ./1.5/RPMS/openssh-server-3.1.0p1-6tr.i586.rpm
877030c628b6986e034474068c41e139  ./1.5/RPMS/openssh-clients-3.1.0p1-6tr.i586.rpm
d97d217516f01761d7bc610dfd07e51e  ./1.5/RPMS/openssh-3.1.0p1-6tr.i586.rpm
abe0f77d98845e40d14548be63f7341c  ./1.2/SRPMS/openssh-3.1.0p1-6tr.src.rpm
32a74b28d709f09e4752daeb52113cb3  ./1.2/RPMS/openssh-server-3.1.0p1-6tr.i586.rpm
568a01beee4559b803d6457555850507  ./1.2/RPMS/openssh-clients-3.1.0p1-6tr.i586.rpm
925a2a23976c90b5f046c4966c7df80b  ./1.2/RPMS/openssh-3.1.0p1-6tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/aFQAwRTcg4BxxS0RAmeyAJ0eRmlx+/K3fDBQ5dRDnBxCTfZBaACfQjac
D1B4ib580D4o0FLThRTc1X8=
=zIeb
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VMware

Updated:  October 01, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.vmware.com/download/esx/esx152-patch5.html

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Bitvise

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Not Vulnerable

Vendor Statement

Our software shares no codebase with the OpenSSH implementation, therefore we believe that, in our products, this problem does not exist.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  September 16, 2003 Updated:  September 22, 2003

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V o.s. is not affected by the problem in VU#333628 because it does not support the SSH.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi

Notified:  September 16, 2003 Updated:  October 07, 2003

Status

  Not Vulnerable

Vendor Statement

Hitachi HI-UX/WE2 is NOT vulnerable, because it does not support OpenSSH.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Pragma Systems

Notified:  September 16, 2003 Updated:  October 01, 2003

Status

  Not Vulnerable

Vendor Statement

We have tested our code and double checked for the code vulnerability and we have found that our code is NOT vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Putty

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Not Vulnerable

Vendor Statement

PuTTY is not based on the OpenSSH code base, so it should not be vulnerable to any OpenSSH-specific attacks.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SSH Communications Security

Updated:  September 17, 2003

Status

  Not Vulnerable

Vendor Statement

SSH Secure Shell products do not contain the buffer management error. SSH Communications Security products have different code base than OpenSSH.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Secure Computing Corporation

Updated:  September 22, 2003

Status

  Not Vulnerable

Vendor Statement

Sidewinder(r) and Sidewinder G2 Firewall(tm) (including all appliances)

    Not Vulnerable.

    Sidewinder v5.x & Sidewinder G2 v6.x's embedded Type Enforcement(r) technology strictly limits the capabilities of Secure Computing's modified version of the OpenSSH daemon code integrated into the firewall's SecureOS operating system. Any attempt to exploit this vulnerability in the OpenSSH daemon code running on the firewalls results in an automatic termination of the attacker's connection and multiple Type Enforcement alarms.

Gauntlet(tm) & e-ppliance

    Not Vulnerable.

    Gauntlet and e-ppliance do not include SSH server software, and are thus immune to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Top Layer Networks

Updated:  September 18, 2003

Status

  Not Vulnerable

Vendor Statement

This notification is to inform you that Top Layer products are not susceptible to the recently announced OpenSSH vulnerability (versions prior to 3.7.1) which appears to occur as a result of buffer management errors. Specifically, this is an issue with freeing the appropriate memory size on the heap, where in certain cases, the memory cleared is too large and might cause heap corruption.

More detailed information about this vulnerability can be found at:

OpenSSH link:

Top Layer Networks advises following best security practices by restricting the management of any Top Layer device to required address range and ports, as well as denying access to all protocols that are not required.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VanDyke Software Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Not Vulnerable

Vendor Statement

No VanDyke products are affected by this vulnerability. VanDyke does not use any OpenSSH code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

3Com

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Avaya

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Berkeley Software Design, Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

D-Link Systems

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

EMC Corporation

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Extreme Networks

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks, Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FiSSH

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreSSH

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company

Notified:  September 16, 2003 Updated:  September 18, 2003

Status

  Unknown

Vendor Statement

==============================================
Hewlett-Packard Company

SOURCE:  Hewlett-Packard Company
Software Security Response Team (SSRT)

Date: 16 September, 2003
CROSS REFERENCE ID:  SSRT3629

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP released operating system software.

HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.

To report any security issue for any HP software products send email to security-alert@hp.com

==============================================

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM-zSeries

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intel

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intersoft International Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lachman

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lsh

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lucent Technologies

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MacSSH

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MontaVista Software, Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Multi-Tech Systems Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NETcomposite

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetApp

Notified:  August 12, 2008 Updated:  August 12, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetScreen Technologies Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nortel Networks, Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Redback Networks Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Computer Systems, Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

TTSSH/TeraTerm

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems, Inc.

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wirex

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Zyxel

Notified:  September 16, 2003 Updated:  September 16, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

Acknowledgements

Thanks to OpenSSH for information regarding this vulnerability.

This document was written by Jason A Rafail.

Other Information

CVE IDs: CVE-2003-0693
CERT Advisory: CA-2003-24
Severity Metric: 28.98
Date Public: 2003-09-16
Date First Published: 2003-09-16
Date Last Updated: 2008-08-12 19:48 UTC
Document Revision: 22

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.