A vulnerability in OpenSSH has been discovered that can lead to the complete compromise of many Linux/UNIX systems. Even worse, it appears that hackers have known about this vulnerability and have been exploiting it for as long as several months.
CERT advisory CA-2003-24, “Buffer Management Vulnerability in OpenSSH,” indicates that exploiting this hole in OpenSSH allows an attacker to either shut down the server or run any arbitrary code on the system.
OpenSSH is the open source version of the popular remote administration tool Secure Shell (SSH), which is often used to connect to remote Linux/UNIX servers. It's found on a large number of systems.
The CERT advisory says that all administrators using OpenSSH version 3.2 or higher need to examine their systems’ vulnerability to this flaw. According to the OpenSSH Web site, all versions prior to 3.7.1 are vulnerable.
Mandrake, Red Hat, Debian, NetBSD, and Sun have all confirmed that their code is vulnerable. However, the commercial SSH implementation from SSH Communications Security (the original code base from which OpenSSH was derived) does not use the vulnerable code and, according to the company, is not affected by this flaw. Bitvise and PuTTY report that their versions of the SSH software are probably not vulnerable.
There are reports of an exploit in the wild for this vulnerability, and it's rumored that some systems had already been compromised for a considerable period of time before the threat was made public.
A patch is available or you can upgrade to OpenSSH 3.7.1. Damage can be mitigated on systems running OpenSSH versions higher than 3.2 by enabling the UsePrivilegeSeparation configuration option in the sshd configuration file. You can find additional details and links to some vendors’ reports in the CERT Advisory.
CERT emphasized that this workaround won't prevent exploitation of the vulnerability but says, "The intruder may be limited to a constrained chroot environment with restricted privileges." This will limit the risk posed to a DoS attack, eliminating the ability to take over the server and run arbitrary code.
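The two checks the article describes, whether a server's version banner is below the 3.7.1 fix threshold and whether sshd_config explicitly enables UsePrivilegeSeparation, as an added audit script (example code written for this note, not from CERT or the OpenSSH project). The banner strings and config text are constructed inputs; no real host is contacted.

```shell
#!/bin/sh
# Added example: audit helpers for the OpenSSH buffer management issue.
# The version threshold (3.7.1) and the workaround directive come from the text above.

# Print "major minor patch" from a banner such as "SSH-1.99-OpenSSH_3.6.1p2".
# A missing minor/patch component is treated as 0 ("OpenSSH_3.7p1" -> "3 7 0").
ssh_version_fields() {
    v=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 1            # not an OpenSSH banner
    saved_ifs=$IFS; IFS=.
    set -- $v
    IFS=$saved_ifs
    printf '%s %s %s\n' "$1" "${2:-0}" "${3:-0}"
}

# True (exit 0) when the banner's version is below 3.7.1, the first fixed release.
# Exit 2 means the banner could not be parsed; do not treat that as "safe".
ssh_version_vulnerable() {
    fields=$(ssh_version_fields "$1") || return 2
    set -- $fields
    maj=$1; min=$2; pat=$3
    [ "$maj" -lt 3 ] && return 0
    [ "$maj" -gt 3 ] && return 1
    [ "$min" -lt 7 ] && return 0
    [ "$min" -gt 7 ] && return 1
    [ "$pat" -lt 1 ]
}

# Reads an sshd_config on stdin; true only when UsePrivilegeSeparation is
# explicitly set to "yes". sshd honours the first occurrence of a keyword and
# ignores commented lines, so the check does the same. An absent directive
# falls back to the build's compiled default and is reported for manual review.
privsep_enabled() {
    val=$(grep -i '^[[:space:]]*UsePrivilegeSeparation[[:space:]]' | head -n 1 \
          | sed 's/#.*//' | awk '{print tolower($2)}')
    [ "$val" = "yes" ]
}

# Demonstration on constructed inputs.
banner='SSH-1.99-OpenSSH_3.6.1p2'
if ssh_version_vulnerable "$banner"; then
    echo "$banner: below 3.7.1, apply the patch or upgrade"
fi
printf 'Port 22\n#UsePrivilegeSeparation yes\n' | privsep_enabled \
    || echo "sshd_config: UsePrivilegeSeparation not explicitly enabled; set it to yes"
```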
Following on the recent disclosure that the primary GNU servers were compromised for several months (mid-March through the end of July) by a backdoor planted by a Trojan, this OpenSSH revelation is not the best news for the open source community.
Also watch out for…
- Sendmail has a new vulnerability in prescan() that can give an attacker root access to affected systems. This is a critical threat that has been confirmed by SendMail.org. Users should upgrade to SendMail version 8.12.10 or apply the provided patch. (This requires a recompile.)
- CERT, which has sometimes gone months without releasing a public advisory, has been tagged by the Department of Homeland Security to provide cutting-edge alerts for viruses and other cybersecurity issues. However, since I’ve never learned of a new virus from a CERT bulletin before it was already announced and added to the virus signature file of antivirus vendors, I have my doubts that a government entity is the best way to provide news and analysis of new threats.
The concern that open source advocates have cited regarding the security of Microsoft products—that key vulnerabilities are going undiscovered and unpatched for months after being exploited in the wild—also affects open source products, as recent events have shown.