SuSE: openssh management errors
Summary
______________________________________________________________________________
SuSE Security Announcement
Package: openssh (second release)
Announcement-ID: SuSE-SA:2003:039
Date: Thursday, Sep 18 2003 20:00 MEST
Affected products: 7.2, 7.3, 8.0, 8.1, 8.2
SuSE Linux Database Server,
SuSE eMail Server III, 3.1
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
SuSE Linux Standard Server 8
Vulnerability Type: potential remote privilege escalation
Severity (1-10): 8
SuSE default package: yes
Cross References: openssh
CERTVU#333628 cert
CVE CAN-2003-0693
CVE CAN-2003-0695
CVE CAN-2003-0682
Content of this advisory:
1) security vulnerability resolved: openssh
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- mysql
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The openssh package is the most widely used implementation of the secure
shell protocol family (ssh). It provides a set of network connectivity
tools for remote (shell) login, designed to substitute the traditional
BSD-style r-protocols (rsh, rlogin). openssh has various authentification
mechanisms and many other features such as TCP connection and X11 display
forwarding over the fully encrypted network connection as well as file
transfer facilities.
This is a new release of SuSE Security Announcement (openssh),
ID SuSE-SA:2003:038. A set of new bugs were addressed by the openssh
development team. These bugs are fixed in the new 3.7.1 upstream release
of the openssh package; we have added the necessary changes to our
packages preserving the package version to avoid the risk of incompatible
behaviour of the software.
Specifics about the errors found:
(Topic for SuSE Security Announcement SuSE-SA:2003:038:)
A programming error has been found in code responsible for buffer
management. If exploited by a (remote) attacker, the error may lead to
unauthorized access to the system, allowing the execution of arbitrary
commands. The error is known as the buffer_append_space()-bug and is
assigned the Common Vulnerabilities and Exposures (CVE) name CAN-2003-0693.
The error was cause for the upstream release openssh-3.7.
(Topic for SuSE Security Announcement SuSE-SA:2003:039 (this announcement):)
Programming errors of a similar kind as described above have been found in
other portions of the code, with similar effects. These errors are known
as "buffer.c/channels.c bug", the CVE name for these errors is CAN-2003-0695.
This set of errors was cause for the upstream release openssh-3.7.1.
In addition to the fixes for the buffer.c/channels.c bugs we have added
some changes that have been assembled by Solar Designer during his review
of the source code. These fixes are considered a precautious measure and
are not believed to have a significant effect on the security of the
openssh code.
At the time of writing this announcement, we believe that at least one set
of errors as described above is exploitable by a remote attacker. As a
reminder, at the time of writing the SuSE Security Announcement
SuSE-SA:2003:038 it was unclear if the bug addressed with the announcement
(buffer_append_space()-bug) is exploitable. An increasing amount of TCP
connection attempts to port 22 as observed in the internet during the
past days may indicate that there exists an exploit for the error in the
public.
Please note that we have disabled the Privilege Separation feature in
the ssh daemon (sshd) with this update. The PrivSep feature is designed
to have parts of the ssh daemon's work running under lowered privileges,
thereby limiting the effect of a possible vulnerability in the code. The
PrivSep feature is turned on/off by the UsePrivilegeSeparation keyword
in sshd's configuration file /etc/ssh/sshd_config. The feature is held
responsible for malfunctions in PAM (Pluggable Authentification Modules).
The update mechanism will not overwrite configuration files that have
been altered after the package installation.
SPECIAL INSTALL INSTRUCTIONS:
============================= After the update has been successfully applied, the ssh daemon (sshd)
must be restarted for update package to become effective. To restart the
ssh daemon after the update, please run the following command as root:
rcsshd restart
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
Intel i386 Platform:
SuSE-8.2:
e030b0803481d0f29f576e3b4726284f
patch rpm(s):
d022894363b99e6bd03e9b2109c2244c
source rpm(s):
3f7f5ed43c7d795c63fe06148874944a
SuSE-8.1:
91cdd33a4149756b8f6371aa3177a5f4
patch rpm(s):
3b7c44819c8fed5e33514481d99d4ab7
source rpm(s):
6c3694fc75bcf185035547b85abbc491
SuSE-8.0:
c61781b97767188cc3a39795535307ff
patch rpm(s):
c222aef79a8fef6d44d8d61fc075efc5
source rpm(s):
bc327a4150058c9d1216cb96712973a5
SuSE-7.3:
c9928c04b03cb292aa96ad6890a5ee38
source rpm(s):
28aa82be9233e3ba93b94eb138c9ea04
SuSE-7.2:
b369724a788a2c6bd70a448a49530f69
source rpm(s):
98b8b7281fe04aab8c8838adcf195697
Sparc Platform:
SuSE-7.3:
97cb0218e9354b8cc062e44a0d6fb19f
source rpm(s):
8cddb96e633864469d7ba08d3cf7436a
PPC Power PC Platform:
SuSE-7.3:
37b1e82a3971f5c4c427ce37227b11e0
source rpm(s):
7a19424887772b86d14bacbf5add9628
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- A buffer overflow vulnerability has been found in the mysql package,
an Open Source relational database system. The error may allow a remote
attacker to execute arbitrary code with the privileges of the database
process.
We are in the process of building and testing the update packages and
will release them with a SuSE Security Announcement as soon as possible.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
References
