-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2003-012
                 =================================

Topic:          Out of bounds memset(0) in sshd

Version:        NetBSD-current:    source prior to September 17, 2003
                NetBSD 1.6.1:      affected
                NetBSD 1.6:        affected
                NetBSD-1.5.3:      affected
                NetBSD-1.5.2:      affected
                NetBSD-1.5.1:      affected
                NetBSD-1.5:        affected
                pkgsrc:            packages prior to 3.7.1

Severity:       Unknown - Rumours speculate remote root exploitability

Fixed:          NetBSD-current:    September 18(*), 2003
                NetBSD-1.6 branch: September 18(*), 2003
                                   (1.6.2 will include the fix)
                NetBSD-1.5 branch: September 18(*), 2003
                                   (1.5.4 will include the fix)
                pkgsrc:            openssh-3.7.1 corrects this issue


Abstract
========

A buffer overwrite with unknown consequences has been found in OpenSSH.
No evidence to support remote root exploitability has been provided by
any source.

The ssh daemon does not run by default in a NetBSD installation, but is
often enabled by administrators for remote administration.

NOTE: (*) This advisory was first released on September 17th. At that
time, some fixes had been committed to the NetBSD source tree. Since
then, additional fixes have been imported and developed. Please note
the change in the Fixed dates, to September 18th, which includes all
updates currently known.

Currently, we expect that more patches are likely, so if you are
maintaining a large number of machines, use the workarounds discussed
below if appropriate, and be prepared for further updates.

The NetBSD Project will make binary patchsets available when builds
have completed. This advisory will be updated with details when they
are available.


Technical Details
=================

In NetBSD installations where OpenSSH 3.2.1 and later are used -
including the base system installations of NetBSD-1.6 and later - the
privilege separation feature of OpenSSH is enabled by default.
In the case of this buffer issue, privilege separation may prevent
exploitation of these buffer problems, and this advisory will be
updated once any exploits are demonstrated, whether successfully or
not.

Regardless of whether privilege separation is enabled, this buffer
issue occurs in the child process of sshd, so any over-zero'd buffer
will not crash the parent service and will not deny ssh connectivity
to the machine. If the over-zeroing is exploitable, the attacker could
of course shut down the ssh daemon manually.

There is a lot of commotion over this buffer issue. Individuals have
mentioned an increased occurrence of port scans searching for open
sshd services. Since hard facts are not available yet, individuals
will have to decide whether to believe the rumours and apply patches
to protect against this possible issue, or to use the workarounds
provided below, where appropriate, and await further information.

        http://www.openssh.com/txt/buffer.adv
        http://xforce.iss.net/xforce/alerts/id/144
        http://www.cert.org/advisories/CA-2003-24.html


Solutions and Workarounds
=========================

Workaround: Disable sshd.

If sshd is not required, and alternate means of administration, such
as consoles or serial consoles, are available, disabling sshd may be
acceptable.

Confirm that sshd is running. It is usually configured to start by the
presence of a line in /etc/rc.conf, such as:

        sshd=YES

Stop any currently running daemon, with

        /etc/rc.d/sshd stop

OR - for a pkgsrc installation:

        /usr/pkg/etc/rc.d/sshd stop

Change YES to NO in /etc/rc.conf.

Workaround: Constrain hosts which can connect to sshd.

In order to overflow this buffer, a client must be able to connect to
the sshd in question. As a workaround, the tcp wrapper functionality
included in all NetBSD installations of OpenSSH can be used to restrict
connections to a limited list of source IPs.
As an example, populating /etc/hosts.allow with:

        sshd : 192.168.1.1

and /etc/hosts.deny with:

        sshd : ALL

will result in only allowing connections from the (RFC 1918, private
network) IP address 192.168.1.1. Host names may also be used in the
hosts.allow file. Lists are comma separated, as explained in the
hosts_access(5) manpage. Review the manpage hosts_access(5) for
further details.

If you use hostnames, it may also be desirable to specify hosts.deny
as 'sshd : ALL, PARANOID', to require the forward and reverse DNS
lookups to correspond. This provides protection in cases where the
host you are allowing access from is on a remote network outside your
control, and you wish to protect against hijacked nameservers.

Another workaround is to restrict network access to only trusted
systems via a perimeter router or firewall, or using IPFilter on the
host itself.

Solution:

The following instructions describe how to upgrade your OpenSSH
binaries by updating your source tree and rebuilding and installing a
new version.

Note: In this situation, where patches may be committed on an ongoing
basis, it is desirable to update directly from anoncvs.netbsd.org.
Mirrors may not fully reflect all of the patches by the time you read
this.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2003-09-17
        should be upgraded to NetBSD-current dated 2003-09-18 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                src/crypto/dist/ssh

        To update from CVS, re-build, and re-install ssh related
        binaries:

                # cd src
                # cvs update -d -P crypto/dist/ssh
                # cd usr.bin/ssh
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 1.6, 1.6.1:

        The binary distributions of NetBSD 1.6 and 1.6.1 are
        vulnerable.

        Systems running NetBSD 1.6 sources dated from before 2003-09-17
        should be upgraded from NetBSD 1.6 sources dated 2003-09-18 or
        later. NetBSD 1.6.2 will include the fix.
        The following directories need to be updated from the
        netbsd-1-6 CVS branch:
                src/crypto/dist/ssh

        To update from CVS, re-build, and re-install ssh related
        binaries:

                # cd src
                # cvs update -d -P -r netbsd-1-6 crypto/dist/ssh
                # cd usr.bin/ssh
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

        The binary distributions of NetBSD 1.5 to 1.5.3 are
        vulnerable.

        Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources
        dated from before 2003-09-17 should be upgraded from NetBSD
        1.5.* sources dated 2003-09-18 or later.

        The following directories need to be updated from the
        netbsd-1-5 CVS branch:
                src/crypto/dist/ssh

        To update from CVS, re-build, and re-install ssh related
        binaries:

                # cd src
                # cvs update -d -P -r netbsd-1-5 crypto/dist/ssh
                # cd usr.bin/ssh
                # make cleandir dependall
                # make install


Thanks To
=========

Christos Zoulas for the fix to NetBSD-current, incorporation of
additional patches from the FreeBSD source tree, and additional fixes
of further cases exhibiting the same programming error.

The FreeBSD Project, for additional patches.

Grant Beattie for pullups to NetBSD release branches.

The Full-Disclosure rumour mill.


Revision History
================

2003-09-17      Initial release
2003-09-18      Update with further source changes. Push Fixed date
                to September 18th.


More Information
================

Advisories may be updated as new information becomes available. The
most recent version of this advisory (PGP signed) can be found at

  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2003-012.txt,v 1.10 2003/09/18 05:23:33 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBP2lCJD5Ru2/4N2IFAQEb8QP/R1amYNksvrB42l2fSxl516CU706Pe9or
NtBVSWyijOeeJiUft3O06Jvx4IQc5kp9DKP42XaAzoWv8UzgNc0nOSr6Qo7AQyRn
ZM04KjruHm1iVcB+DbQsrXXDBv/3ME26D7u6iyIb2COFLD59byPmi9wwp6vwQHkp
n7PnC14rDvU=
=wH2p
-----END PGP SIGNATURE-----