SSH Buffer Overflow
11/19/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in SSH, Cistron RADIUS, Solaris' format, Digital Unix's dtaction, and Solaris' write; and problems in the RADIUS Authentication Protocol, Postfix, Opera, mini_http, Cisco 12000 Series Internet routers, and the Red Hat Linux 7.1 Korean installation.
- RADIUS Authentication Protocol
- Solaris format
- thttpd and mini_http
- Solaris write
- Cisco 12000 Series Internet Routers
- Red Hat Linux 7.1 Korean installation
Several implementations of the SSH tools have a buffer overflow in their SSH protocol version 1 code, specifically in the CRC32 compensation attack detector. Because the detector runs on incoming packets before the client has authenticated, a remote attacker can use the overflow to execute arbitrary code without a valid account, in most cases with the permissions of the root user, which is what the SSH daemon runs as. Both SSH Communications Security's SSH (versions earlier than 1.2.32) and OpenSSH (before version 2.3.0) have been reported to be vulnerable. This vulnerability is being actively scanned for and then exploited. Cisco's SSH implementation is reported not to be vulnerable.
SSH Communications Security recommends that users stop using the SSH1 protocol and replace it with software that implements the SSH2 protocol, such as SSH 3.0. Users who cannot upgrade to SSH 3.0 should upgrade to version 1.2.32 as soon as possible.
Users of OpenSSH should upgrade to version 2.3.0 as soon as possible.
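The bug in the detector is an integer truncation rather than a classic unchecked copy, which is why it is worth seeing the sizing arithmetic. The following C program is an added illustration, not code from OpenSSH or from this column: it models how the detector chooses the size of its hash table for a packet of a given length, using the constants and quadrupling growth rule of the OpenSSH deattack.c of that era (HASH_MINSIZE, HASH_ENTRYSIZE, SSH_BLOCKSIZE and HASH_FACTOR are assumptions here), and compares keeping the entry count in a 16-bit variable, as the vulnerable versions did, with the 32-bit variable used in the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Sizing of the hash table used by the SSH1 CRC32 compensation attack
 * detector.  Constants and growth rule are modelled on the OpenSSH
 * deattack.c of 2000/2001 and are assumptions here, not copied source.
 */
#define HASH_MINSIZE   8192          /* minimum table size in bytes        */
#define HASH_ENTRYSIZE 2             /* each entry is a 16-bit block index */
#define SSH_BLOCKSIZE  8             /* SSH1 cipher block size in bytes    */
#define HASH_FACTOR(x) ((x) * 3 / 2) /* keep the table 1.5x oversized      */

/* Number of entries the detector wants for a packet of 'len' bytes:
 * start at the minimum and quadruple until it covers 1.5x the block count. */
uint32_t table_entries_needed(uint32_t len)
{
    uint32_t l = HASH_MINSIZE / HASH_ENTRYSIZE;
    while (l < HASH_FACTOR(len / SSH_BLOCKSIZE))
        l <<= 2;
    return l;
}

/* Vulnerable variant: the entry count is stored in a 16-bit variable.
 * Once the loop above reaches 65536, the assignment truncates n to 0 and
 * the detector allocates a zero-length table. */
size_t vulnerable_table_bytes(uint32_t len)
{
    uint16_t n = (uint16_t)table_entries_needed(len);   /* truncation here */
    return (size_t)n * HASH_ENTRYSIZE;
}

/* Fixed variant: 32-bit entry count, so the computed size is kept intact. */
size_t fixed_table_bytes(uint32_t len)
{
    uint32_t n = table_entries_needed(len);
    return (size_t)n * HASH_ENTRYSIZE;
}

/* The detector indexes the table as h[HASH(block) & (n - 1)].  With n == 0
 * the mask is all ones, so each 16-bit write lands wherever the attacker's
 * chosen block hashes to, far outside the (empty) table. */
uint32_t index_mask(uint32_t n)
{
    return n - 1u;
}

int main(void)
{
    /* Constructed packet lengths; the last one is past the truncation point. */
    const uint32_t lens[] = { 4096, 8192, 65536, 100000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t len = lens[i];
        uint32_t entries = table_entries_needed(len);
        printf("packet %6u bytes: wants %5u entries; 16-bit n -> table %6zu "
               "bytes, mask %08x; 32-bit n -> table %6zu bytes\n",
               (unsigned)len, (unsigned)entries,
               vulnerable_table_bytes(len),
               (unsigned)index_mask((uint16_t)entries),
               fixed_table_bytes(len));
    }
    return 0;
}
```

Any SSH1 packet a little over 87,000 bytes long drives the required entry count to 65536, which a 16-bit n stores as 0: the detector then sizes its table at zero bytes and the index mask becomes 0xFFFFFFFF, turning the per-block bookkeeping writes into attacker-steered writes across the heap. That is the primitive the exploits in circulation build on, and it is reachable before authentication, so for the versions named above the upgrade is the only real defence.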
Flaws have been found in the RADIUS Authentication Protocol itself, not just in one implementation, that can lead to data the protocol is supposed to hide, such as user passwords, being exposed, or can allow an attacker to spoof the source of Access-Request packets. Some of these protocol flaws are currently being exploited.
Additionally, a buffer overflow has been reported in Cistron RADIUS and other RADIUS-derived servers. The buffer overflow is in the digest calculation code and can be exploited using a spoofed IP address. It has been reported that the buffer overflow can only be used in a denial-of-service attack and cannot be used to execute arbitrary code.
The buffer overflow has been fixed in the 1.6.5 snapshot of Cistron RADIUS, which also repairs at least one flaw in its implementation of the RADIUS protocol. Users of RADIUS servers should watch their vendor for updated RADIUS servers and, because the protocol-level flaws cannot be patched away in a single server, should consider protecting RADIUS traffic with network-layer cryptography (such as IPsec) if it traverses an untrusted network.
The Postfix SMTP server has a bug that can cause the SMTP session log to use all available memory. This bug can be exploited in a denial-of-service attack. All versions of Postfix released during 2001 are reported to be vulnerable.
Users should upgrade to a patched version.
The format command distributed with Solaris has a buffer overflow in the code that handles the command line parameter that specifies the disk to format. The risk from this buffer overflow is minor, as format is installed without any set user id or set group id bits, so overflowing it gains an attacker no privileges beyond their own.
Users should watch for an update to format.
thttpd is a small Web server that has an additional throttling feature, used to limit how much data thttpd will serve per second, based on the URL. mini_http is a small Web server that can be configured to do SSL/HTTPS and IPv6. Both of these Web servers have a problem that can be exploited to view files that are not world-readable or are in a password-protected directory. thttpd is only affected when run chrooted.
Affected users should upgrade to the latest versions of thttpd and mini_http.
The write command under Solaris 2.6, 2.7, and some versions of 2.8 is vulnerable to a buffer overflow in the code that handles the terminal name. Because write is installed set group id, a local attacker may potentially use the overflow to gain the privileges of that group.
Users should remove the set group id bit from write until a patch from Sun that repairs the buffer overflow has been installed.
Cisco has announced a denial-of-service vulnerability in their 12000 series of Internet routers. This vulnerability is caused by the router being made to send a large number of ICMP Unreachable packets.
The 12000 series of Internet routers also has problems in the way some versions handle Access Control Lists (ACLs). These problems can allow packets and packet fragments to bypass the ACLs, ignore some rules, pass through the router, or cause a denial of service.
It is recommended that users upgrade their 12000 series Internet router with the appropriate Cisco IOS release.
A bug in the Red Hat Linux 7.1 Korean installation results in the creation of files with world-writable permissions.
Affected users who have not installed Red Hat Linux 7.1 Korean should update their disk image and create a new boot disk before installing. Users who have installed Red Hat Linux 7.1 Korean should check the permissions on their files or install the upgraded Red Hat release.
A script was announced for dtaction under Digital Unix 4.0d that exploits a buffer overflow to gain root permissions. The vulnerability that this script exploits is reported to have been fixed by Compaq, but it is not clear which versions of Digital Unix are safe.
Users of Digital Unix should verify that they have installed an update from Compaq for this problem and, if CDE is not being used, consider removing the set user id bits from the CDE binaries.
Return to the Linux DevCenter.