search menu icon-carat-right cmu-wordmark

CERT Coordination Center

OpenSSH contains a race condition vulnerability

Vulnerability Note VU#851340

Original Release Date: 2006-10-04 | Last Revised: 2007-03-13

Overview

A race condition vulnerability exists in the OpenSSH daemon. Successful exploitation of this vulnerability may result in a denial-of-service condition.

Description

OpenSSH is an open source client and server implementation of the Secure Shell (SSH) protocol.

The OpenSSH server includes the ability to authenticate via the Generic Security Services Application Programming Interface (GSSAPI). Versions of OpenSSH prior to 4.4 contain a race condition in a signal handler during a logging operation prior to user authentication.

From the OpenSSH 4.4 release notes:
The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. On portable OpenSSH, this vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote.

Impact

A remote, unauthenticated attacker may be able to cause the OpenSSH server to crash, thereby creating a denial-of-service condition

Solution

Upgrade

See the systems affected section of this document for information about specific vendors. Users who compile OpenSSH from source are encouraged to update to the most recent version.


Restrict access
Restricting access to the SSH daemon may mitigate the affects of this vulnerability. Administrators can use application-level access controls or firewall rules to restrict access to the SSH server.

Disable the OpenSSH server
If the SSH server functionality is not required, disabling it will limit exposure to this vulnerability. Refer to system-specific documentation on how to disable the OpenSSH server.

Vendor Information

851340
 
Affected   Unknown   Unaffected

Apple Computer, Inc.

Updated:  March 13, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://docs.info.apple.com/article.html?artnum=305214 for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD, Inc.

Updated:  October 04, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://security.freebsd.org/advisories/FreeBSD-SA-06:22.openssh.asc for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc.

Updated:  October 03, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://rhn.redhat.com/errata/RHSA-2006-0697.html for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ubuntu

Updated:  October 03, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://www.ubuntu.com/usn/usn-355-1 for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSH

Updated:  October 03, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://openssh.org/txt/release-4.4 for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

OpenSSH credits Mark Dowd for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2006-5051
Severity Metric: 1.66
Date Public: 2006-09-29
Date First Published: 2006-10-04
Date Last Updated: 2007-03-13 21:29 UTC
Document Revision: 34

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.