
CERT Coordination Center


OpenSSH vulnerabilities in challenge response handling

Vulnerability Note VU#369347

Original Release Date: 2002-06-26 | Last Revised: 2002-12-06

Overview

There are two related vulnerabilities in the challenge response handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow a remote intruder to execute arbitrary code as the user running sshd (often root). The first vulnerability affects OpenSSH versions 2.9.9 through 3.3 that have the challenge response option enabled and that use SKEY or BSD_AUTH authentication. The second vulnerability affects PAM modules using interactive keyboard authentication in OpenSSH versions 2.3.1p1 through 3.3, regardless of the challenge response option setting. Additionally, a number of other possible security problems have been corrected in OpenSSH version 3.4.

Description

Two related vulnerabilities have been found in the handling of challenge responses in OpenSSH.

The first vulnerability is an integer overflow in the handling of the number of responses received during challenge response authentication. If the challenge response configuration option is set to yes and the system is using SKEY or BSD_AUTH authentication then a remote intruder may be able to exploit the vulnerability to execute arbitrary code. This vulnerability is present in versions of OpenSSH 2.9.9 through 3.3. An exploit for this vulnerability is reported to exist. This vulnerability is partially described in a recent ISS security advisory available at

http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584

The second vulnerability is a buffer overflow involving the number of responses received during challenge response authentication. Regardless of the setting of the challenge response configuration option, systems using PAM modules that use interactive keyboard authentication (PAMAuthenticationViaKbdInt) may be vulnerable to the remote execution of code. At this time, it is not known if this vulnerability is exploitable. Both vulnerabilities are corrected by the patches in a recent OpenSSH security advisory available from

http://www.openssh.com/txt/preauth.adv

Both vulnerabilities exploit features present only in version 2 of the SSH protocol.

Impact

A remote attacker can execute code with the privileges of the user running the sshd (often root). These vulnerabilities may also be used to cause a denial-of-service condition.

Solution

Upgrade to OpenSSH version 3.4

These vulnerabilities are eliminated by upgrading to OpenSSH version 3.4, which is available from the OpenSSH web site at

http://www.openssh.com/

OpenSSH version 3.4 will correct several other software defects with potential security implications not described in this advisory.

Apply a patch from your vendor

A patch for this problem is included in the OpenSSH advisory at

http://www.openssh.com/txt/preauth.adv

This patch may be manually installed with minor changes to correct these vulnerabilities in all affected versions of OpenSSH. Please note that applying the patches described in the OpenSSH advisory does not correct the other software defects with potential security implications not described in this advisory.

If your vendor has provided a patch to correct these vulnerabilities, you may want to apply their patch rather than upgrading your version of sshd. System administrators may want to confirm whether their vendor's patch includes the other possible vulnerabilities corrected in OpenSSH 3.4. More information about vendor-specific patches can be found in the vendor section of this document. Because the publication of this advisory was unexpectedly accelerated, statements from all of the affected vendors were not available at publication time. We will update this document as vendors provide additional information.

Disable SSH protocol version 2

Since both vulnerabilities are present only in protocol version 2 features, disabling version 2 of the protocol will prevent both vulnerabilities from being exploited. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config:

Protocol 1

This option may be set to "2,1" by default. System administrators should be aware that disabling protocol version 2 may prevent the sshd daemon from accepting connections in certain configurations. Applying one or both of the configuration changes described below may be a less disruptive workaround for this problem.

Disable challenge response authentication

For OpenSSH versions greater than 2.9, system administrators can disable the vulnerable portion of the code by setting the "ChallengeResponseAuthentication" configuration option to "no" in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config:

ChallengeResponseAuthentication no

This option may be enabled (set to "yes") by default. This workaround should prevent the first vulnerability from being exploited if SKEY or BSD_AUTH authentication is used. It will not prevent the possible exploitation of the vulnerability via PAM interactive keyboard authentication.

Disable PAM authentication via interactive keyboard

For OpenSSH versions greater than 2.9, system administrators can disable the vulnerable portion of the code affecting the PAM authentication issue by setting the "PAMAuthenticationViaKbdInt" configuration option to "no" in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config:

PAMAuthenticationViaKbdInt no

This option may be disabled (set to "no") by default. This workaround should prevent the second vulnerability from being exploited if PAM interactive keyboard authentication is used. It will not prevent the possible exploitation of the vulnerability via SKEY or BSD_AUTH authentication.

Disable both options in older versions of OpenSSH

For OpenSSH versions between 2.3.1p1 and 2.9, system administrators will instead need to set the following options in their ssh configuration file:

KbdInteractiveAuthentication no
ChallengeResponseAuthentication no

Setting both of these options is believed to prevent the exploitation of the vulnerabilities regardless of which authentication mechanisms are used.

Use privilege separation to minimize impact

System administrators running OpenSSH versions 3.2 or 3.3 may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config:

UsePrivilegeSeparation yes

This workaround does not prevent these vulnerabilities from being exploited; however, due to the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges. This workaround will not prevent these vulnerabilities from creating a denial-of-service condition. Not all operating system vendors have implemented the privilege separation code, and on some operating systems, it may limit the functionality of OpenSSH. System administrators are encouraged to carefully review the implications of using the workaround in their environment, and use a more comprehensive solution if one is available. The use of privilege separation to limit the impact of future vulnerabilities is encouraged.
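The version ranges and workaround options above can be checked mechanically against a host's sshd_config. The following Python audit is an added example, not code from the CERT/CC or the OpenSSH project; the function names, status strings and sample configuration are assumptions made here. Because the advisory notes that defaults vary, an option counts as disabled only when it is explicitly set to "no", and a missing option is reported as "check default".

```python
import re

FIXED = (3, 4, 0)              # both issues are corrected in OpenSSH 3.4
INT_OVERFLOW_FROM = (2, 9, 9)  # first issue: versions 2.9.9 through 3.3
PAM_OVERFLOW_FROM = (2, 3, 1)  # second issue: versions 2.3.1p1 through 3.3
OLD_OPTIONS_UP_TO = (2, 9, 0)  # up to 2.9 the older option pair applies
PRIVSEP_FROM = (3, 2, 0)       # UsePrivilegeSeparation workaround: 3.2 and 3.3


def parse_version(text):
    """'3.3p1' -> (3, 3, 0); the portable 'pN' suffix is ignored (simplification)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSH version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def parse_sshd_config(text):
    """Map lowercased keyword -> lowercased value; the first occurrence wins,
    matching sshd_config semantics."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0]:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts


def state(opts, keyword):
    """'off' only for an explicit no, 'on' for an explicit yes, else 'default'."""
    return {"no": "off", "yes": "on"}.get(opts.get(keyword.lower()), "default")


def verdict(*states):
    """All options off -> mitigated; any on -> exposed; else the default decides."""
    if all(s == "off" for s in states):
        return "mitigated"
    return "exposed" if "on" in states else "check default"


def audit(version, config_text):
    """Report, per issue, whether the configuration leaves the code path enabled.

    'exposed' means the option is on; whether SKEY/BSD_AUTH or PAM is actually
    in use cannot be read from sshd_config and still has to be checked.
    """
    v = parse_version(version)
    opts = parse_sshd_config(config_text)
    proto = opts.get("protocol")
    # Both issues need protocol version 2; "Protocol 1" removes it.
    v2_off = proto is not None and "2" not in [p.strip() for p in proto.split(",")]
    cra = state(opts, "ChallengeResponseAuthentication")
    report = {}

    if not (INT_OVERFLOW_FROM <= v < FIXED):
        report["integer_overflow"] = "not affected"
    elif v2_off:
        report["integer_overflow"] = "mitigated"
    else:
        report["integer_overflow"] = verdict(cra)

    if not (PAM_OVERFLOW_FROM <= v < FIXED):
        report["pam_buffer_overflow"] = "not affected"
    elif v2_off:
        report["pam_buffer_overflow"] = "mitigated"
    elif v > OLD_OPTIONS_UP_TO:
        pam = state(opts, "PAMAuthenticationViaKbdInt")
        report["pam_buffer_overflow"] = verdict(pam)
    else:
        kbd = state(opts, "KbdInteractiveAuthentication")
        report["pam_buffer_overflow"] = verdict(kbd, cra)

    if PRIVSEP_FROM <= v < FIXED:
        privsep = state(opts, "UsePrivilegeSeparation")
        labels = {"on": "enabled", "off": "disabled"}
        report["privilege_separation"] = labels.get(privsep, "check default")
    else:
        report["privilege_separation"] = "not applicable"
    return report


# Constructed sample configuration (not taken from any real host).
SAMPLE_CONFIG = """\
# sshd_config
Protocol 2,1
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
"""

if __name__ == "__main__":
    for ver in ("2.5.2p2", "3.3p1", "3.4p1"):
        print(ver, audit(ver, SAMPLE_CONFIG))
```
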

Vendor Information


Apple Computer Inc.

Notified:  June 25, 2002 Updated:  July 02, 2002

Status

  Vulnerable

Vendor Statement

These vulnerabilities are fixed with the release of the "Security Update - July 2002" software update.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  June 25, 2002 Updated:  July 16, 2002

Status

  Vulnerable

Vendor Statement

Compaq has released Security Bulletin SSRT2263 (document number SRB0022W).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Conectiva

Updated:  June 27, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Conectiva has published a security advisory on this topic at:

Cray Inc.

Notified:  June 25, 2002 Updated:  June 27, 2002

Status

  Vulnerable

Vendor Statement

Cray, Inc. has found the OpenSSH released in Cray Open Software 3.0 to be vulnerable. Please see Field Notice 5105 and spr 722588 for fix information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Debian

Notified:  June 25, 2002 Updated:  June 27, 2002

Status

  Vulnerable

Vendor Statement

Debian 2.2 (the current stable release) is not affected by these problems. The current versions of our "testing" distribution, to become Debian 3.0, and our "unstable" distribution, are both affected by default.

We recommend that users be certain that both:

    ChallengeResponseAuthentication no

and

    PAMAuthenticationViaKbdInt no

are present and uncommented in /etc/ssh/sshd_config (and that the server is restarted). Also, we recommend the use of version 3.3p1, now available from security.debian.org (DSA-134). Stable users do not need to upgrade and may wish to wait until the packages have received better testing.

We intend to provide 3.4p1 packages in the near future.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian has published a security advisory on this topic at:

F5 Networks

Notified:  June 25, 2002 Updated:  July 17, 2002

Status

  Vulnerable

Vendor Statement

The following versions of F5 Networks, Inc. products contain a vulnerable version of the OpenSSH server. Instructions for obtaining and installing a patch are available at the following locations:


BIG-IP® and 3-DNS® versions 4.2 through 4.3

GLOBAL-SITE® versions 2.2 through 3.0

EDGE-FX® versions 2.0 through 3.0

Software versions not listed above are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


FreeBSD

Notified:  June 25, 2002 Updated:  July 16, 2002

Status

  Vulnerable

Vendor Statement

Please see FreeBSD Security Advisory FreeBSD-SA-02:31. Note that no released versions of FreeBSD-STABLE are vulnerable to either issue described in this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Guardian Digital Inc.

Notified:  June 25, 2002 Updated:  June 27, 2002

Status

  Vulnerable

Vendor Statement

Guardian Digital ships OpenSSH in all versions of EnGarde Secure Linux. Version 3.3p1 was introduced by ESA-20020625-015 on June 25, 2002. This update introduces privilege separation. All users are strongly urged to upgrade to this version as soon as possible.

An upgrade to version 3.4p1 (which properly fixes the bugs) will be made available sometime in the next few days.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Engarde Secure Linux has published a security advisory on this topic:

Hewlett-Packard Company

Notified:  June 25, 2002 Updated:  July 16, 2002

Status

  Vulnerable

Vendor Statement

HP has issued a security bulletin (HPSBUX0206-195) for HP 9000 Servers running HP-UX release 11.00 and 11.11 only with the T1471AA SSH product installed.

It says in part:

    As a short-term solution, disable PAMAuthenticationViaKbdInt in the sshd_config file; i.e.,

    PAMAuthenticationViaKbdInt no

    NOTE: ChallengeResponseAuthentication is not used in the HP product.

HP has also issued Security Bulletin HPSBTL0207-050 for Open SSH 3.1p1 running on HP Secure OS Software for Linux.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Hewlett-Packard published security bulletins HPSBUX0206-195 and HPSBTL0207-050 on this issue.


IBM

Notified:  June 25, 2002 Updated:  August 08, 2002

Status

  Vulnerable

Vendor Statement

IBM's AIX operating system does not ship with OpenSSH; however, OpenSSH is available for installation on AIX via the Linux Affinity Toolkit. The version included on the CD containing the Toolkit is vulnerable to the latest discovered vulnerability discussed here as is the version of OpenSSH available for downloading from the IBM Linux Affinity website. Anyone running this version is advised to follow the recommendations above to limit their vulnerability.

We are working with the changes for version 3.4 and will have a new package available for download as soon as possible. When available the new packages can be downloaded from:


This site contains Linux Affinity applications containing cryptographic algorithms, and new users of this site are asked to register first.

The IBM HMC product is also affected by the SSH vulnerability described above. The HMC is the hardware monitor and control console used with IBM's Regatta systems. This is a separate hardware unit that uses a Linux-based operating system and Open Source software.

Customers are advised to obtain the latest security patches for the HMC. These patches will be available early next week from the following URL:

Customers are advised to limit the use of SSH until these patches have been applied.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft

Notified:  June 25, 2002 Updated:  June 27, 2002

Status

  Vulnerable

Vendor Statement

MandrakeSoft released OpenSSH 3.3p1 in updates Monday night to mitigate this vulnerability. Updates to OpenSSH 3.4p1 will be available for download later this week.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NETBSD

Notified:  June 25, 2002 Updated:  July 08, 2002

Status

  Vulnerable

Vendor Statement

The signed advisory is available at:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Nortel Networks

Notified:  June 25, 2002 Updated:  July 16, 2002

Status

  Vulnerable

Vendor Statement

Nortel Networks has concluded its portfolio review and has determined that the following two products are shipped with OpenSSH:

    1. In STORM, release SN04, the challenge response authentication feature is not used and therefore Nortel Networks recommends that it be disabled, which will not impact the product. The recommendations in CERT Advisory CA-2002-18 to disable features should be followed.
    2. The SFTP sshd server on the SuperNode Data Manager is not affected by the vulnerabilities noted in CERT Advisory CA-2002-18 because the challenge response and separation of privileges mechanisms are not enabled as shipped with ASG Passwerks v3.x.

    The core OpenSSH distribution will be upgraded to v3.4 with the SN05 release.

    For more information please contact Nortel at:
      North America: 1-8004NORTEL or 1-800-466-7835

      Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009

    Contacts for other regions are available at

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    OpenBSD

    Updated:  June 26, 2002

    Status

      Vulnerable

    Vendor Statement

    See

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    OpenPKG

    Updated:  July 17, 2002

    Status

      Vulnerable

    Vendor Statement

    The OpenPKG Project has released OpenPKG Security Advisory OpenPKG-SA-2002.005.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    OpenSSH

    Notified:  June 25, 2002 Updated:  June 26, 2002

    Status

      Vulnerable

    Vendor Statement

    See

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Red Hat Inc.

    Notified:  June 25, 2002 Updated:  November 27, 2002

    Status

      Vulnerable

    Vendor Statement

    Red Hat Linux versions 7, 7.1, 7.2 and 7.3 as well as Red Hat Linux Advanced Server version 2.1 ship with OpenSSH. The Red Hat Linux OpenSSH packages were not compiled with either BSD_AUTH or SKEY enabled, therefore in order to be vulnerable to this issue a user would need to have enabled the configuration option "PAMAuthenticationViaKbdInt" in their sshd configuration file (the default is disabled).

    We are continuing to investigate this vulnerability and will release updated packages where appropriate.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    RedHat has published a security advisory on this issue:

    Slackware

    Updated:  July 17, 2002

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Slackware has upgraded to OpenSSH-3.4-p1. See the entry dated "Wed Jun 26 12:03:06 PDT 2002" in the slackware-8.1, slackware-8.0, and slackware-7.1 ChangeLogs.


    SuSE Inc.

    Notified:  June 25, 2002 Updated:  June 27, 2002

    Status

      Vulnerable

    Vendor Statement

    [F]urther details about the bugs in question have turned up by now, indicating that SuSE Linux products are not affected to the mentioned problem unless the administrator of an openssh installation has actively added the configuration option (PAMAuthenticationViaKbdInt) to the daemon configuration file /etc/ssh/sshd_config to turn this option on. In other words: We are not vulnerable by default.

    We have quickly published update packages with the workaround as described in your announcement, but due to incompatibilities and errors in the newer package, we think about downgrading back to our 2.9.9p2 version packages as well as one newer version on one of our newer products. The decision about the downgrade has not been made yet, but we are positive about that we will publish another set of update packages that effectively remove the weakness from the package. After all, the currently offered packages for download from our ftp server (ftp://ftp.suse.com/pub/suse/i386/update/) represent an emergency fix that should be considered incomplete considering the quality standards at SuSE.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Since the SuSE Linux distribution of OpenSSH is not vulnerable by default, sites with PAMAuthenticationViaKbdInt enabled are encouraged to turn it off until final complete packages are available.


    Sun Microsystems Inc.

    Notified:  June 25, 2002 Updated:  July 08, 2002

    Status

      Vulnerable

    Vendor Statement

    The version of OpenSSH that is in Solaris 9 is not believed to be vulnerable if the default configuration is used. If sshd_config(4) has been updated so that BOTH of the following entries are present then it is vulnerable.


      PAMAuthenticationViaKBDInt yes
      KbdInteractiveAuthentication yes

    Note that in the default sshd_config(4) PAMAuthenticationViaKBDInt is listed but KbdInteractiveAuthentication is not (the compiled in default for KbdInteractiveAuthentication is no).

    Sun is in the process of producing a patch for Solaris 9. Older Solaris releases are not vulnerable since they do not include OpenSSH as part of the Solaris distribution - hosts that added OpenSSH as part of their own site configurations should check the official OpenSSH advisory for details.

    The patch that Sun produces to fix this issue will not contain the new OpenSSH Privsep support as it is not yet stable enough on Solaris due to interactions with PAM and BSM auditing, this may appear in a future release - Sun is working with the OpenSSH developers on the PAM problems and once a working OpenSSH with PAM and BSM is available we will re-evaluate our position on Privsep.

    Sun will publish a Sun Security Bulletin and a Sun Alert for this issue. The Sun Alert will be available from:

    The patch will be available from:

    Sun Security Bulletins are available from:

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    The SCO Group (SCO Linux)

    Notified:  June 25, 2002 Updated:  June 27, 2002

    Status

      Vulnerable

    Vendor Statement

    Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth features compiled in, so it is not vulnerable to the Challenge/Response vulnerability. We do have the ChallengeResponseAuthentication option on by default, however, so to be safe, we recommend that the option be disabled in the sshd_config file.

    In addition, the sshd_config PAMAuthenticationViaKbdInt option is off by default, so OpenLinux is not vulnerable to the other alleged vulnerability in a default configuration, either. However, Caldera recommends that this option be disabled if it has been enabled by the system administrator.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Caldera has published an advisory

    Trustix

    Updated:  July 17, 2002

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Trustix has released Trustix Secure Linux Security Advisory #2002-0059.


    Alcatel

    Notified:  June 25, 2002 Updated:  August 08, 2002

    Status

      Not Vulnerable

    Vendor Statement

    In relation to this CERT advisory on security vulnerabilities with OpenSSH implementation, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. An initial analysis has shown that none of our products is affected when used as delivered to customers. The security of our customers' networks is of highest priority for Alcatel. Therefore, updates will be provided if necessary. Customers may contact their Alcatel support representative for more details.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    F-Secure

    Notified:  June 25, 2002 Updated:  June 27, 2002

    Status

      Not Vulnerable

    Vendor Statement

    F-Secure SSH product versions are not affected by these vulnerabilities discussed in CERT Advisory CA-2002-18.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Fujitsu

    Notified:  June 25, 2002 Updated:  June 27, 2002

    Status

      Not Vulnerable

    Vendor Statement

    Fujitsu's UXP/V operating system is not affected because it does not support any SSH package.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Juniper Networks

    Notified:  June 25, 2002 Updated:  July 02, 2002

    Status

      Not Vulnerable

    Vendor Statement

    Although all domestically (i.e., United States) available releases of JUNOS Internet Software include OpenSSH, the version of OpenSSH used is not susceptible to this vulnerability. There is therefore no need for customers to upgrade their JUNOS software.

    OpenSSH is not included in any world-wide version of JUNOS, nor is it included in the Prisma G10 CMTS software release. Therefore, neither of these products are not susceptible to this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Lotus Development Corporation

    Notified:  June 25, 2002 Updated:  June 26, 2002

    Status

      Not Vulnerable

    Vendor Statement

    Lotus products are not vulnerable to this problem.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Microsoft Corporation

    Notified:  June 25, 2002 Updated:  June 27, 2002

    Status

      Not Vulnerable

    Vendor Statement

    Microsoft products are not affected by the issues detailed in this advisory.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Netscreen

    Notified:  June 25, 2002 Updated:  June 27, 2002

    Status

      Not Vulnerable

    Vendor Statement

    NetScreen appliances and systems are not vulnerable to either issue mentioned in the referenced advisory. NetScreen products do not implement the challenge-response authentication methods described in the advisory.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Network Appliance

    Notified:  June 25, 2002 Updated:  June 27, 2002

    Status

      Not Vulnerable

    Vendor Statement

    NetApp systems are not vulnerable to this problem.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Process Software

    Updated:  June 27, 2002

    Status

      Not Vulnerable

    Vendor Statement

    MultiNet, TCPware, and SSH for OpenVMS are not affected by the problems outlined in this advisory.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    SSH Communications Security

    Notified:  June 26, 2002 Updated:  June 27, 2002

    Status

      Not Vulnerable

    Vendor Statement

    SSH Communications Security Oyj.

    SSH Secure Shell product versions are not affected by these vulnerabilities.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Unisphere Networks

    Notified:  June 25, 2002 Updated:  July 02, 2002

    Status

      Not Vulnerable

    Vendor Statement

    The SSH implementation used within the Unison OS found on the ERX and MRX product lines is based on a third-party product that has been confirmed to be invulnerable to the OpenSSH vulnerabilities outlined in CERT Advisory CA-2002-18.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Xerox

    Notified:  June 25, 2002 Updated:  December 06, 2002

    Status

      Not Vulnerable

    Vendor Statement

    A response to this advisory is available from our web site: http://www.xerox.com/security .

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    3Com

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    AT&T

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    BSDI

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Cisco Systems Inc.

    Notified:  June 25, 2002 Updated:  July 08, 2002

    Status

      Unknown

    Vendor Statement

    Cisco Systems is evaluating the vulnerabilities identified by VU#369347. Should an issue be found, Cisco will release a Security Advisory. The most up-to-date information on all Cisco product security issues may be found at

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Computer Associates

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Data General

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Intel

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Lachman

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Lucent

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Motorola

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    NEC Corporation

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Oracle

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    SGI

    Notified:  June 25, 2002 Updated:  June 27, 2002

    Status

      Unknown

    Vendor Statement

    At this time, SGI does not ship OpenSSH as a part of IRIX.

    The OpenSSH privilege separation code mostly works with IRIX, but it uses a flag to mmap that isn't in IRIX (MAP_ANON) for compression so you can't have both on at the same time. IRIX doesn't ship with PAM so a lot of the PAM issues aren't issues for us.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Sequent

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Sony Corporation

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    The SCO Group (SCO UnixWare)

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Unisys

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Wind River Systems Inc.

    Notified:  June 25, 2002 Updated:  June 25, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.


    CVSS Metrics

    Group          Score  Vector
    Base           N/A    N/A
    Temporal       N/A    N/A
    Environmental  N/A

    Credit

    The CERT/CC thanks Theo de Raadt and Markus Friedl of the OpenSSH project for their technical assistance in producing this document. The SKEY/BSD_AUTH vulnerability was discovered by Mark Dowd at ISS X-Force.

    This document was written by Cory F Cohen.

    Other Information

    CVE IDs: CVE-2002-0639
    CERT Advisory: CA-2002-18
    Severity Metric: 49.34
    Date Public: 2002-06-24
    Date First Published: 2002-06-26
    Date Last Updated: 2002-12-06 19:25 UTC
    Document Revision: 38

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.