SuSE alert: ssh

Posted by dave on Feb 16, 2001 8:02 AM EDT
Mailing list
Mail this story
Print this story

SuSE distributions contain the ssh package in the version 1.2.27. No later version is provided because of licensing issues. SuSE maintains the 1.2.27 version in a patched package. Three new patches have been added that workaround three independent security problems in the ssh package: a) SSHD-1 Logging Vulnerability (discovered and published by Jose Nazario, Crimelabs). Attackers can remotely brute-force passwords without getting noticed or logged. In the ssh package from the SuSE distribution, root login is allowed, as well as password authentication. Even though brute-forcing a password may take an enormous amount of time and resources, the issue is to be taken seriously. b) SSH1 session key recovery vulnerability (by (Ariel Waissbein, Agustin Azubel) - CORE SDI, Argentina, and David Bleichenbacher). Captured encrypted ssh traffic can be decrypted with some effort by obtaining the session key for the ssh session. The added patch in our package causes the ssh daemon to generate a new server key pair upon failure of an RSA operation (please note that the patch supplied with Iván Arce on bugtraq on Wed, 7 Feb 2001 has been corrected later on!). c) In 1998, the ssh-1 protocol was found to be vulnerable to an attack where arbitrary sequences could be inserted into the ssh-1 protocol layer. The attack was called "crc32 compensation attack", and a fix was introduced (crc compensation attack detector in the ssh -v output) into the later versions of ssh. Michal Zalewski discovered that the fix in its most widely used implementation is defective. An integer overflow allows an attacker to overwrite arbitrary memory in the sshd process' address space, which potentionally results in a remote root compromise. There are easy resorts that can be offered: a) switch to openssh (please use the openssh packages on http://ftp.suse.com from the same update directories as the ssh package update URLs below indicate). openssh is a different implementation of the ssh protocol that is compatible to the protocol versions 1 and 2. Openssh Version 2.3.0 does not suffer from the problems listed above. Versions before 2.3.0 are vulnerable to other problems, so please use the updates from the update directory on the http://ftp.suse.de ftp server. See section 2) of this announcement for the md5sums of the packages. b) upgrade your ssh package from the locations described below.

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package: ssh
        Announcement-ID: SuSE-SA:2001:04
        Date: Friday, February 16th, 2000 18:00 MET
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type: possible remote root compromise
        Severity (1-10): 9
        SuSE default package: yes, no (openssh is default after SuSE-6.3)
        Other affected systems: Unix systems with sshd running

    Content of this advisory:
        1) security vulnerability resolved: ssh
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

    SuSE distributions contain the ssh package in the version 1.2.27. No
    later version is provided because of licensing issues. SuSE maintains
    the 1.2.27 version in a patched package. Three new patches have been added
    that workaround three independent security problems in the ssh package:
    a) SSHD-1 Logging Vulnerability (discovered and published by Jose Nazario,
       Crimelabs). Attackers can remotely brute-force passwords without
       getting noticed or logged. In the ssh package from the SuSE
       distribution, root login is allowed, as well as password
       authentication. Even though brute-forcing a password may take an
       enormous amount of time and resources, the issue is to be taken
       seriously.
    b) SSH1 session key recovery vulnerability (by (Ariel Waissbein, Agustin
       Azubel) - CORE SDI, Argentina, and David Bleichenbacher). Captured
       encrypted ssh traffic can be decrypted with some effort by obtaining
       the session key for the ssh session. The added patch in our package
       causes the ssh daemon to generate a new server key pair upon failure
       of an RSA operation (please note that the patch supplied with Iván
       Arce on bugtraq on Wed, 7 Feb 2001 has been corrected later on!).
    c) In 1998, the ssh-1 protocol was found to be vulnerable to an
       attack where arbitrary sequences could be inserted into the ssh-1
       protocol layer. The attack was called "crc32 compensation attack", and
       a fix was introduced (crc compensation attack detector in the ssh -v
       output) into the later versions of ssh. Michal Zalewski discovered
       that the fix in its most widely used implementation is defective. An
       integer overflow allows an attacker to overwrite arbitrary memory in
       the sshd process' address space, which potentionally results in a
       remote root compromise.
    There are easy resorts that can be offered:
    a) switch to openssh (please use the openssh packages on http://ftp.suse.com from
    the same update directories as the ssh package update URLs below indicate).
    openssh is a different implementation of the ssh protocol that is
    compatible to the protocol versions 1 and 2.
    Openssh Version 2.3.0 does not suffer from the problems listed above.
    Versions before 2.3.0 are vulnerable to other problems, so please
    use the updates from the update directory on the http://ftp.suse.de ftp server.
    See section 2) of this announcement for the md5sums of the packages.
    b) upgrade your ssh package from the locations described below.

    Download the update package from locations desribed below and install
    the package with the command `rpm -Uhv file.rpm'. The md5sum for each
    file is in the line below. You can verify the integrity of the rpm
    files using the command
        `rpm --checksig --nogpg file.rpm',
    independently from the md5 signatures below.

    SPECIAL INSTALL INSTRUCTIONS:
    ==============================
    If you run a sshd (secure shell daemon) server on your system, then the
    daemon process must be restarted for the update package to become active
    after installation of the update rpm.
    You can do this easily with the command (ran as root):
        kill -15 `cat /var/run/sshd.pid`
    After this, you can start the daemon using the command
        rcsshd start
    It should be possible now to log on again to your server as usual. Please
    consult the syslogs in /var/log if this is not the case.
    Warning: killing all instances of sshd on a system might render the system
             inaccessible from remote, especially if secure shell is your only
             method to access the system. Be careful to not lock yourself out.

    Note: The packages on our German ftp server have been built again to
          correct one of the patches. The package for the 6.1-i386 distribution
          has finished building a few minutes ago and uses the same name as the
          build from Wednesday. Use the --force commandline option for the rpm
          command if you have used the package that was published before the
          release date of this announcement.

    i386 Intel Platform:

    SuSE-7.1
    ftp://ftp.suse.de/pub/suse/i386/update/7.1/sec2/ssh-1.2.27-226.i386.rpm
      ae68bf3ac28b5e81f9c5f2a1d1d8980e
    source rpm:
    ftp://ftp.suse.de/pub/suse/i386/update/7.1/zq1/ssh-1.2.27-226.src.rpm
      d332e662daff71ff7d10cf4d962b6933

    SuSE-7.0
    ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/ssh-1.2.27-220.i386.rpm
      f88b339dea96ef186e70872ce9444c24
    source rpm:
    ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/ssh-1.2.27-220.src.rpm
      93ca5fc96c103a5f9adee16cb319195c

    SuSE-6.4
    ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/ssh-1.2.27-86.i386.rpm
      3f1b41116b7c7d63c791de4fdca9d1ee
    source rpm:
    ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/ssh-1.2.27-86.src.rpm
      3a8d859f2ae9751852339c642b07b4cf

    SuSE-6.3
    ftp://ftp.suse.de/pub/suse/i386/update/6.3/sec1/ssh-1.2.27-86.i386.rpm
      3f1b41116b7c7d63c791de4fdca9d1ee
    source rpm:
    ftp://ftp.suse.de/pub/suse/i386/update/6.3/zq1/ssh-1.2.27-86.src.rpm
      3a8d859f2ae9751852339c642b07b4cf

    SuSE-6.2
    ftp://ftp.suse.de/pub/suse/i386/update/6.2/sec1/ssh-1.2.27-210.i386.rpm
      b29822198dc6430167465706965e3499
    source rpm:
    ftp://ftp.suse.de/pub/suse/i386/update/6.2/zq1/ssh-1.2.27-210.src.rpm
      4a2130635f702bb266748b9e4838877a

    SuSE-6.1
    ftp://ftp.suse.de/pub/suse/i386/update/6.1/sec1/ssh-1.2.27-210.i386.rpm
      17f281262edd689d9861c099489cbcc6
    source rpm:
    ftp://ftp.suse.de/pub/suse/i386/update/6.1/zq1/ssh-1.2.27-210.src.rpm
      5e12e0086f61bba2f37c4ccbc4282a92

    Sparc Platform:

    SuSE-7.0
    ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/ssh-1.2.27-221.sparc.rpm
      e1545287f954d089707c55a66598c318
    source rpm:
    ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/ssh-1.2.27-221.src.rpm
      f37a8b3addaf70711d91f6a3f788a8b3

    AXP Alpha Platform:

    SuSE-7.0
    ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/ssh-1.2.27-221.alpha.rpm
      77bd0dcda5df929fba07d56de2bf3399
    source rpm:
    ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/ssh-1.2.27-221.src.rpm
      77305ae844c9b68e8af559ccf81417e8

    SuSE-6.4
    ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/ssh-1.2.27-86.alpha.rpm
      7a8d7086c8b99822b020f3c9d0e4764e
    source rpm:
    ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/ssh-1.2.27-86.src.rpm
      e75660e54edc2cf38086b4de3da91881

    SuSE-6.3
    ftp://ftp.suse.de/pub/suse/axp/update/6.3/sec1/ssh-1.2.27-212.alpha.rpm
      671761326c11c9eac50c3d992b550bdf
    source rpm:
    ftp://ftp.suse.de/pub/suse/axp/update/6.3/zq1/ssh-1.2.27-212.src.rpm
      5472b658aac01bea8667769a04e0e92d

    PPC Power PC Platform:

    SuSE-7.0
    ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/ssh-1.2.27-220.ppc.rpm
      ec7274c8a88b6ce5420c91da0622f94c
    source rpm:
    ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/ssh-1.2.27-220.src.rpm
      1ae9f7cf4c7099f5cad8cb0ccc8f3e5d

    SuSE-6.4
    ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/ssh-1.2.27-86.ppc.rpm
      fc3cb2e3b927c7ffc5e8374e183f860e
    source rpm:
    ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/ssh-1.2.27-86.src.rpm
      439abdfb6f56e2c0d3880cddd103935f

______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

  - The openssh package URLs and md5sums:
    ftp://ftp.suse.de/pub/suse/i386/update/7.1/sec1/openssh-2.3.0p1-5.i386.rpm 3687c385e3e8f6e845c17518c12dd61b
    ftp://ftp.suse.de/pub/suse/i386/update/7.1/zq1/openssh-2.3.0p1-5.src.rpm 3cf3a1f652d92d66e70bfc9c40c0eb38
    ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.3.0p1-0.i386.rpm ce12abcff3dec118ceabe62e6cd1e090
    ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm 3a7cf864f695a9f3ec2dd0bf6cc7e161
    ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.3.0p1-0.i386.rpm 3219bf7853c2c27056ec502b5fd3345c
    ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm 82a18d49a9a98942417258ffcd7a4800
    ftp://ftp.suse.de/pub/suse/i386/update/6.3/sec1/openssh-2.3.0p1-0.i386.rpm 3219bf7853c2c27056ec502b5fd3345c
    ftp://ftp.suse.de/pub/suse/i386/update/6.3/zq1/openssh-2.3.0p1-0.src.rpm 82a18d49a9a98942417258ffcd7a4800
    ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-2.3.0p1-0.alpha.rpm b924315c09cb990009b24d3c1093e142
    ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm 6339a4f2a4982ba2e6b943a182d02420
    ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/openssh-2.3.0p1-0.alpha.rpm 61da28e2695d8f4a4b1c6300d867e6b6
    ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm 9e8e5af8b890f2a18e244da1c94be796
    ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.3.0p1-0.ppc.rpm 72f7c339991e54a476585012423dda62
    ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm 749ccc55396944ad43c1977e55903958
    ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.3.0p1-0.ppc.rpm e08ec87634dfd0dd76d18886d04ebd4b
    ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm 95820e1934a5586c8d73719957972d7c
    ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.3.0p1-0.sparc.rpm 8ed7a34fec7bcc6c658809effe20fd82
    ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm c551925107c7000fa32556dbe4a4fad4

  - Linux kernel upgrade.
    Several security flaws have been found in the linux-2.2.x kernel versions.
    The only suitable workaround is to upgrade to a newer kernel version.
    SuSE provides kernels that have been expanded with several dozen device
    drivers that are not included in the standard main stream kernel.
    While working on the kernel update packages for our distributions, more
    security problems were discovered. Currently, several persons audit code
    in the kernel, so that more problems are expected to be discovered in the
    very near future.
    Since kernel updates are very time-consuming on behalf of the system
    administrator, we decided to not publish a new kernel package
    each week. Instead, the new kernel packages with all known security bugs
    fixed will be published by the midth/end of next week.
    In the meanwhile, administrators who require immediate updates, please go
    to http://ftp.kernel.org (or one of its mirrors, respectively) and get Alan Cox'
    prepatches for the 2.2.19 version of the Linux kernel. The directory
    usually is /pub/linux/kernel/people/alan/2.2.19pre, his latest patch is
    pre-patch-2.2.19-13.gz. This patch fixes all currently publically known
    security problems in the Linux v2.2 kernel. For those who are not
    experienced in patching and installing kernels, we recommend to wait
    for the release of the SuSE Linux kernel update packages.

  - From SuSE-SA:2001:03 (bind8): The sparc update packages were pending
    because of build bottlenecks. The URLs to the update packages and the
    md5sums are as follows:
    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/bind8-8.2.3-39.sparc.rpm
      c7e2a95bd4b90d03207ffc3a9880c36c
    source rpm:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/bind8-8.2.3-39.src.rpm
      5d4d4b608f2a8a3e61f7dc6917254f4f

  - bind: The bind package version 4.x has been found vulnerable to multiple
    security problems that were discussed and published in public security
    forums. See http://www.securityfocus.com/templates/advisory.html?id=3051
    for more information. SuSE provides update packages for the bind nameserver
    in version 4 for all distributions and architectures.
    We also hereby announce that the bind package (bind-4.x; the bind
    nameserver in version 8 is contained in the bind8 package) will be
    discontinued in future versions of the SuSE Linux Distribution. We
    recommend to migrate to bind in the 8.x or 9.x series.
    There will be a seperate security announcement for the bind (4.x) package
    by Monday, February 19th 2001. In the meanwhile, get the md5sums from the
    URL ftp://ftp.suse.de/private/draht/bind4-checksums . It is signed.

  - More announcements are following this one. (mysql, tmpfile races, ...)
    Please read (this) section 2) in the announcements carefully.
______________________________________________________________________________

3) standard appendix:

    SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        - general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
        - SuSE's announce-only mailing list.
            Only SuSE's security annoucements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
    send mail to:
        <suse-security-info@suse.com> or
        <suse-security-faq@suse.com> respectively.

    ===============================================
    SuSE's security contact is <security@suse.com>.
    ===============================================

______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way.
    SuSE GmbH makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <security@suse.de>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12Cg==
=pIeS
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBOo1ck3ey5gA9JdPZAQFXJAgAle2SSB5ddOCY2fk3rzphFmqW7Loh+7KQ
jijyw1SQO2/aJsEjszMVGEmlnwJD0H8wOuTrHJzWvl4/lefC+D1qM2Lpd+yJTyus
tKdzGIESSmrhXD652iBndB+kpYmMmcRKx7KgBrr9/+q9Z6UNTRUy+8N7ClRoZmuM
srLN7KA2yuHDNVwUelmyeHOh3gQGeyKGuBXI8wg3IxQgr2C+64kUyuruTqnG196m
GirfMhCKIH1hTdhuM63JZBp6LxQ1rkv8Cd9EeFMm5kL+0yTKU0dv4nO1GHBYe3TD
wKkHpENOjGBqEb4jQe/syT/DvBqo8HH5fm9OA9j/R4onEDErFJJqYw==
=/AJH
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2.1.0 : Mon Jun 04 2001 - 18:25:16 PDT

  Nav
» Read more about: Story Type: Security; Groups: SUSE

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.