OpenSSH Buffer Management Vulnerability

Early today we received a note that there are rumblings in the underground related to a new OpenSSH vulnerability. The official web site says that a new version of OpenSSH was released and the following security advisory was published. Below the official OpenSSH patch, you can see the vendor advisories on this issue. Note: The advisory in question has been updated with new patches, so please do visit: http://www.openssh.com/txt/buffer.adv for the latest patches.Subject: OpenSSH Security Advisory: buffer.adv This is the 1st revision of the Advisory. This document can be found at: http://www.openssh.com/txt/buffer.adv 1. Versions affected: All versions of OpenSSH’s sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively. 2. Solution: Upgrade to OpenSSH 3.7 or apply the following patch. Appendix: Index: buffer.c =================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.18
diff -u -r1.16 -r1.18
— buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
@@ -23,8 +23,11 @@
void
buffer_init(Buffer *buffer)
{
– buffer->alloc = 4096;
– buffer->buf = xmalloc(buffer->alloc);
+ const u_int len = 4096;
+
+ buffer->alloc = 0;
+ buffer->buf = xmalloc(len);
+ buffer->alloc = len;
buffer->offset = 0;
buffer->end = 0;
}
@@ -34,8 +37,10 @@
void
buffer_free(Buffer *buffer)
{
– memset(buffer->buf, 0, buffer->alloc);
– xfree(buffer->buf);
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
+ xfree(buffer->buf);
+ }
}

/*
@@ -69,6 +74,7 @@
void *
buffer_append_space(Buffer *buffer, u_int len)
{
+ u_int newlen;
void *p;

if (len > 0x100000)
@@ -98,11 +104,13 @@
goto restart;
}
/* Increase the size of the buffer and retry. */
– buffer->alloc += len + 32768;
– if (buffer->alloc > 0xa00000)
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
fatal(“buffer_append_space: alloc %u not supported”,
– buffer->alloc);
– buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
goto restart;
/* NOTREACHED */
}

Related vendor advisories

+ Guardian Digital Security Advisory – openssh, openssh-clients, openssh-server (ESA-20030916-023)
+ FreeBSD Security Advisory – OpenSSH buffer management error
+ Red Hat Security Advisory – Updated OpenSSH packages fix potential vulnerability
+ Debian Security Advisory – OpenSSH buffer management fix
+ Conectiva Linux Security Announcement – openssh
+ Slackware Security Advisory – OpenSSH Security Advisory
+ Mandrake Linux Security Update Advisory – openssh
+ SuSE Security Announcement – openssh
+ Immunix Secured OS Security Advisory – openssh
+ CERT Advisory – Buffer Management Vulnerability in OpenSSH
+ Gentoo Linux Security Announcement – openssh
+ Gentoo Linux Security Announcement – openssh (update)
+ Immunix Secured OS Security Advisory – openssh (update)