Subject: NetBSD Security Advisory 2003-012: Out of bounds memset(0) in sshd
To: None <netbsd-announce@NetBSD.org>
From: NetBSD Security Officer <security-officer@NetBSD.org>
List: netbsd-announce
Date: 09/18/2003 01:40:26
-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2003-012
		 =================================

Topic:		Out of bounds memset(0) in sshd

Version:	NetBSD-current:	source prior to September 17, 2003
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		pkgsrc:		packages prior to 3.7.1

Severity:	Unknown - Rumours speculate remote root exploitability

Fixed:		NetBSD-current:		September 18(*), 2003
		NetBSD-1.6 branch:	September 18(*), 2003 (1.6.2 will include the fix)
		NetBSD-1.5 branch:	September 18(*), 2003 (1.5.4 will include the fix)
		pkgsrc:			openssh-3.7.1 corrects this issue


Abstract
========

A buffer overwrite with unknown consequences has been found in OpenSSH.

No evidence to support remote root exploitability has been provided by
any source.

The ssh daemon does not run by default in a NetBSD installation, but is
often enabled by administrators for remote administration.

NOTE: (*) This advisory was first released on September 17th. At that
time, some fixes had been committed to the NetBSD source tree. Since
then, additional fixes have been imported and developed. Please note the
change in the Fixed dates, to September 18th, which includes all updates
currently known.

Currently, we expect that more patches are likely, so if you are
maintaining a large number of machines, use the workarounds discussed
below if appropriate, and be prepared for further updates.

The NetBSD Project will make binary patchsets available when builds have
completed. This advisory will be updated with details when they are
available.


Technical Details
=================

In NetBSD installations using OpenSSH 3.2.1 or later, including the base
system of NetBSD 1.6 and later, the privilege separation feature of
OpenSSH is enabled by default. Privilege separation may prevent
exploitation of this buffer issue; this advisory will be updated once any
exploit attempts, successful or not, have been demonstrated.

Whether or not privilege separation is enabled, this buffer issue occurs
in the per-connection child process of sshd, so an over-zeroed buffer
will not crash the parent listener and will not deny ssh connectivity to
the machine. If the over-zeroing is exploitable, the attacker could of
course shut down the ssh daemon manually.

There is a lot of commotion over this buffer issue. Individuals have
reported an increased occurrence of port scans searching for open sshd
services. Since hard facts are not yet available, administrators will
have to decide whether to believe the rumours and apply patches to
protect against this possible issue, or to use the workarounds provided
below, where appropriate, and await further information.


http://www.openssh.com/txt/buffer.adv

http://xforce.iss.net/xforce/alerts/id/144

http://www.cert.org/advisories/CA-2003-24.html


Solutions and Workarounds
=========================

Workaround: Disable sshd.

If sshd is not required, and alternate means of administration, such as
a local or serial console, are available, disabling sshd may be
acceptable.

Confirm whether sshd is configured to run. It is usually enabled by a
line in /etc/rc.conf such as:

sshd=YES

Stop any currently running daemon, with

/etc/rc.d/sshd stop

OR - for a pkgsrc installation:

/usr/pkg/etc/rc.d/sshd stop

Change YES to NO in /etc/rc.conf
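The rc.conf step above, as an added example (not part of this advisory or
of NetBSD), written for administrators who must audit or change many
machines. rc.conf is sourced by sh, so the last assignment of a variable
wins, and rc.subr's checkyesno() accepts yes/true/on/1 in any case, so a
check that only greps for "sshd=YES" misses "sshd=yes" or "sshd=1". The
sample rc.conf text is constructed for the demonstration; the function
names are this example's own.

```python
"""
Audit and rewrite the sshd knob in rc.conf text.  Added example, not part of
the NetBSD advisory or of NetBSD itself.  Implements the truth test used by
checkyesno() in /etc/rc.subr (yes/true/on/1 enable, anything else disables,
case-insensitive) and the sh rule that the last assignment wins.
"""
import re

TRUE_WORDS = {"yes", "true", "on", "1"}

# name=value, optionally followed by whitespace and a trailing # comment
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*(#.*)?$')


def rcvar_value(text: str, var: str):
    """Effective value of var in rc.conf text (last assignment), or None."""
    value = None
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m and m.group(1) == var:
            value = m.group(2).strip().strip('"\'')
    return value


def is_enabled(text: str, var: str) -> bool:
    """checkyesno()-style test: anything outside TRUE_WORDS counts as off."""
    value = rcvar_value(text, var)
    return value is not None and value.lower() in TRUE_WORDS


def set_rcvar(text: str, var: str, value: str) -> str:
    """Rewrite every assignment of var, keeping its trailing comment and all
    other lines untouched; append an assignment if the file never set it."""
    out, seen = [], False
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m and m.group(1) == var:
            comment = m.group(3)
            out.append(f"{var}={value}" + (f"\t{comment}" if comment else ""))
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append(f"{var}={value}")
    return "\n".join(out) + "\n"


# Constructed rc.conf fragment for the demonstration, not a real host's file.
SAMPLE_RC_CONF = """\
# /etc/rc.conf (constructed sample)
hostname=host.example.net
sshd=yes\t# remote administration
ntpd=YES
"""

if __name__ == "__main__":
    print("sshd enabled:", is_enabled(SAMPLE_RC_CONF, "sshd"))  # True despite lowercase
    disabled = set_rcvar(SAMPLE_RC_CONF, "sshd", "NO")
    print(disabled, end="")
    print("sshd enabled after edit:", is_enabled(disabled, "sshd"))
```

The edit only changes what starts at boot; a daemon that is already
running still has to be stopped with /etc/rc.d/sshd stop (or the pkgsrc
script) as described above.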


Workaround: Constrain hosts which can connect to sshd.

In order to overflow this buffer, a client must be able to connect to
the sshd in question. As a workaround, the tcp wrapper functionality
included in all NetBSD installations of OpenSSH can be used to restrict
connections to a limited list of source IPs.

As an example, populating /etc/hosts.allow with:

sshd : 192.168.1.1

And /etc/hosts.deny with:

sshd : ALL

will result in only allowing connections from the (RFC 1918, private
network) IP address 192.168.1.1.

Host names may also be used in the hosts.allow file. Lists are comma
separated, as explained in the hosts_access(5) manpage; review it for
further details. If you use hostnames, it may also be desirable to
specify hosts.deny as 'sshd : ALL, PARANOID', which refuses hosts whose
forward and reverse DNS lookups do not correspond. This provides
protection in cases where the host you are allowing access from is on a
remote network outside your control, and you wish to protect against
hijacked nameservers.
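The decision procedure behind the workaround above, as an added example
that is not tcp_wrappers code and not part of NetBSD or this advisory.
sshd performs the wrapper check immediately after accepting the
connection and before reading any SSH protocol data, so a refused client
never reaches the affected buffer code; what matters is therefore that the
rules actually refuse. The evaluator follows hosts_access(5): the first
matching hosts.allow rule grants, else the first matching hosts.deny rule
refuses, else access is granted. That last step is the check worth
running: an empty hosts.deny, or one that names a different daemon, leaves
sshd open to everyone. It models the syntax the advisory uses (literal
addresses and hostnames, ".domain" suffixes, "192.168.1." prefixes,
net/mask, ALL, KNOWN, UNKNOWN, LOCAL, PARANOID, EXCEPT) and not netgroups,
IPv6 or shell commands. DNS is simulated: the caller supplies the
reverse name and the forward addresses, so PARANOID can be exercised
offline. The rule texts and clients are constructed for the example.

```python
"""
Evaluator for the hosts_access(5) decision procedure used by the tcp-wrapper
support in NetBSD's sshd.  Added example; not tcp_wrappers code and not part
of NetBSD.  Models the rule subset the advisory uses; no netgroups, IPv6 or
shell commands.  DNS is simulated through the Client fields.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Client:
    addr: str              # peer IP address as sshd sees it
    name: str = ""         # reverse-DNS name, "" if the lookup failed
    forward: tuple = ()    # addresses the name resolves to (simulated DNS)

    @property
    def paranoid(self) -> bool:
        # tcpd refuses to trust a name whose forward lookup lacks the address
        return bool(self.name) and self.addr not in self.forward


def _tokens(s):
    return s.replace(",", " ").split()


def _client_token(tok, c):
    u = tok.upper()
    if u == "ALL":
        return True
    if u == "PARANOID":
        return c.paranoid
    if u == "UNKNOWN":
        return not c.name
    if u == "KNOWN":
        return bool(c.name) and not c.paranoid
    if u == "LOCAL":
        return bool(c.name) and not c.paranoid and "." not in c.name
    if "/" in tok:                       # net/mask or net/prefixlen
        try:
            return ipaddress.ip_address(c.addr) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    if tok.endswith("."):                # address prefix, e.g. 192.168.1.
        return c.addr.startswith(tok)
    if tok.startswith("."):              # domain suffix, e.g. .example.net
        return not c.paranoid and c.name.lower().endswith(tok.lower())
    if tok == c.addr:                    # literal address
        return True
    return not c.paranoid and c.name.lower() == tok.lower()   # literal hostname


def _list_matches(lst, pred):
    # "a b EXCEPT c d" matches when the left list matches and the right does not
    parts = re.split(r"\s+EXCEPT\s+", lst.strip(), maxsplit=1, flags=re.IGNORECASE)
    hit = any(pred(t) for t in _tokens(parts[0]))
    if hit and len(parts) == 2:
        hit = not _list_matches(parts[1], pred)
    return hit


def parse_rules(text):
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # continuation line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1]))   # fields[2:] would be options
    return rules


def _rule_matches(rule, daemon, client):
    dl, cl = rule
    return (_list_matches(dl, lambda t: t.upper() == "ALL" or t == daemon)
            and _list_matches(cl, lambda t: _client_token(t, client)))


def hosts_access(allow_text, deny_text, daemon, client):
    """(granted, reason): first hosts.allow match grants, else first
    hosts.deny match refuses, else granted (the default is fail-open)."""
    for rule in parse_rules(allow_text):
        if _rule_matches(rule, daemon, client):
            return True, f"hosts.allow: {rule[0]} : {rule[1]}"
    for rule in parse_rules(deny_text):
        if _rule_matches(rule, daemon, client):
            return False, f"hosts.deny: {rule[0]} : {rule[1]}"
    return True, "no rule matched; tcp wrappers default to allow"


# Constructed rule texts mirroring the advisory's workaround.
ALLOW_BY_IP = "sshd : 192.168.1.1\n"
DENY_ALL = "sshd : ALL\n"
ALLOW_BY_NAME = "sshd : admin.example.net, .ops.example.net\n"
DENY_ALL_PARANOID = "sshd : ALL, PARANOID\n"

if __name__ == "__main__":
    for c in (Client("192.168.1.1"), Client("10.0.0.5")):
        print(c.addr, hosts_access(ALLOW_BY_IP, DENY_ALL, "sshd", c))
    print("empty hosts.deny:", hosts_access(ALLOW_BY_IP, "", "sshd", Client("10.0.0.5")))
```

The two failure modes to look for in a real deployment are the last
return value (nothing matched, so the client is let in) and a hosts.deny
that lists only sshd while some other wrapped daemon is also reachable;
'ALL : ALL' in hosts.deny closes both.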

Another workaround is to restrict network access to sshd to trusted
systems only, via a perimeter router or firewall, or using IPFilter on
the host itself.

Solution:

The following instructions describe how to upgrade your OpenSSH
binaries by updating your source tree and rebuilding and
installing a new version.


Note: In this situation, where patches may be committed on an ongoing
basis, it is desirable to update directly from anoncvs.netbsd.org.
Mirrors may not fully reflect all of the patches by the time you read
this.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2003-09-17
	should be upgraded to NetBSD-current dated 2003-09-18 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/crypto/dist/ssh

	To update from CVS, re-build, and re-install ssh related
	binaries:

		# cd src
		# cvs update -d -P crypto/dist/ssh
		# cd usr.bin/ssh

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.6, 1.6.1:

	The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable.

	Systems running NetBSD 1.6 sources dated from before 2003-09-17
	should be upgraded from NetBSD 1.6 sources dated 2003-09-18 or
	later.

	NetBSD 1.6.2 will include the fix.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		src/crypto/dist/ssh

	To update from CVS, re-build, and re-install ssh related
	binaries:

		# cd src
		# cvs update -d -P -r netbsd-1-6 crypto/dist/ssh
		# cd usr.bin/ssh

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	The binary distributions of NetBSD 1.5 to 1.5.3 are vulnerable.

	Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
	from before 2003-09-17 should be upgraded from NetBSD 1.5.*
	sources dated 2003-09-18 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		src/crypto/dist/ssh

	To update from CVS, re-build, and re-install ssh related
	binaries:

		# cd src
		# cvs update -d -P -r netbsd-1-5 crypto/dist/ssh
		# cd usr.bin/ssh

		# make cleandir dependall
		# make install


Thanks To
=========

Christos Zoulas for the fix to NetBSD-current, incorporation of
additional patches from the FreeBSD source tree, and additional fixes of
further cases exhibiting the same programming error.

The FreeBSD Project, for additional patches.

Grant Beattie for pullups to NetBSD release branches.

The Full-Disclosure rumour mill.


Revision History
================

	2003-09-17	Initial release
	2003-09-18	Update with further source changes. Push Fixed date to
			September 18th.


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2003-012.txt,v 1.10 2003/09/18 05:23:33 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBP2lCJD5Ru2/4N2IFAQEb8QP/R1amYNksvrB42l2fSxl516CU706Pe9or
NtBVSWyijOeeJiUft3O06Jvx4IQc5kp9DKP42XaAzoWv8UzgNc0nOSr6Qo7AQyRn
ZM04KjruHm1iVcB+DbQsrXXDBv/3ME26D7u6iyIb2COFLD59byPmi9wwp6vwQHkp
n7PnC14rDvU=
=wH2p
-----END PGP SIGNATURE-----