There are two related vulnerabilities in the challenge-response handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow a remote intruder to execute arbitrary code as the user running sshd (often root). The first vulnerability affects OpenSSH versions 2.9.9 through 3.3 that have the challenge-response option enabled and that use SKEY or BSD_AUTH authentication. The second vulnerability affects PAM modules using interactive keyboard authentication in OpenSSH versions 2.3.1p1 through 3.3, regardless of the challenge-response option setting. Additionally, a number of other possible security problems have been corrected in OpenSSH version 3.4.
Two related vulnerabilities have been found in the handling of challenge responses in OpenSSH.
The first vulnerability is an integer overflow in the handling of the number of responses received during challenge-response authentication. If the challenge-response configuration option is set to yes and the system is using SKEY or BSD_AUTH authentication, then a remote intruder may be able to exploit the vulnerability to execute arbitrary code. This vulnerability is present in OpenSSH versions 2.9.9 through 3.3. An exploit for this vulnerability is reported to exist. This vulnerability is partially described in a recent ISS security advisory available at
A remote attacker can execute code with the privileges of the user running sshd (often root). These vulnerabilities may also be used to cause a denial-of-service condition.
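As an added illustration of the class of flaw described above (this is a model written for this note, not OpenSSH's code): a response count supplied by the client is multiplied into an allocation size, and in 32-bit arithmetic that product wraps, so the table ends up far smaller than the count it was meant to hold. The hardened check caps the count before the multiplication; the ceiling MAX_RESPONSES and all function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define MAX_RESPONSES 100u  /* assumed ceiling; real value depends on prompts sent */

/* Modelled flaw: on a 32-bit host the count and size_t are both 32 bits, so the
 * product wraps and malloc() gets a size far smaller than nresp slots. */
uint32_t unchecked_table_bytes(uint32_t nresp)
{
    return nresp * (uint32_t)sizeof(char *);
}

/* True when the wrapped size no longer holds nresp pointer slots. */
int unchecked_wraps(uint32_t nresp)
{
    return unchecked_table_bytes(nresp) / (uint32_t)sizeof(char *) != nresp;
}

/* Hardened check: cap the client-supplied count, then independently make sure
 * the multiplication cannot overflow size_t even if the cap were raised. */
int response_count_ok(uint32_t nresp)
{
    if (nresp > MAX_RESPONSES) return 0;
    if (nresp > SIZE_MAX / sizeof(char *)) return 0;
    return 1;
}

/* Allocate the table only after validation. Returns 1 if nresp slots were
 * allocated (and released again here), 0 if the count was rejected. */
int handle_response_count(uint32_t nresp)
{
    if (!response_count_ok(nresp)) return 0;
    char **table = calloc(nresp ? nresp : 1, sizeof(char *));
    if (table == NULL) return 0;
    /* the nresp reply strings would be read into table[0..nresp-1] here */
    free(table);
    return 1;
}

int main(void)
{
    uint32_t hostile = 0x40000000u;  /* constructed oversized count */
    printf("unchecked: %u responses -> %u bytes (wraps=%d)\n", hostile,
           unchecked_table_bytes(hostile), unchecked_wraps(hostile));
    printf("hardened: accept %u -> %d, accept 3 -> %d\n", hostile,
           handle_response_count(hostile), handle_response_count(3));
    return 0;
}
```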
Upgrade to OpenSSH version 3.4
Disable SSH protocol version 2
Apple Computer Inc. Affected
Compaq Computer Corporation Affected
Cray Inc. Affected
F5 Networks Affected
Guardian Digital Inc. Affected
Hewlett-Packard Company Affected
Nortel Networks Affected
Red Hat Inc. Affected
SuSE Inc. Affected
Sun Microsystems Inc. Affected
The SCO Group (SCO Linux) Affected
Alcatel Not Affected
F-Secure Not Affected
Fujitsu Not Affected
Juniper Networks Not Affected
Lotus Development Corporation Not Affected
Microsoft Corporation Not Affected
Netscreen Not Affected
Network Appliance Not Affected
Process Software Not Affected
SSH Communications Security Not Affected
Unisphere Networks Not Affected
Xerox Not Affected
Cisco Systems Inc. Unknown
Computer Associates Unknown
Data General Unknown
NEC Corporation Unknown
Sony Corporation Unknown
The SCO Group (SCO UnixWare) Unknown
Wind River Systems Inc. Unknown
The CERT/CC thanks Theo de Raadt and Markus Friedl of the OpenSSH project for their technical assistance in producing this document. The SKEY/BSD_AUTH vulnerability was discovered by Mark Dowd at ISS X-Force.
This document was written by Cory F Cohen.