An advisory issued last night by vendor Internet Security Systems (ISS) warns that versions OpenBSD 3.0, OpenBSD 3.1, FreeBSD-Current, and OpenSSH 3.0-3.2.3 are affected by the vulnerability. According to ISS, Open Secure Shell (OpenSSH) is included in many operating system distributions, networking equipment, and security appliances.
Grant Slender, principal consultant for Australasia at ISS, said the vulnerability could allow a hacker to launch a buffer overflow attack against a company's server.
He said the vendor's X-Force team, which researches ways to protect systems, worked closely with underground teams of hackers and were making a hypothetical assumption that there was an exploit being constructed in the wild.
Slender described it as a buffer overflow attackâ€"where a message sent to a program is much longer than it's designed to expect. He said that the way some programs did not handle overflowing of buffers very well, which meant that a hacker could run executable programs on the system that was running OpenSSH, a free version of the Secure Shell (SSH) communications suite.
-It is possible for a remote attacker to send a specially-crafted reply that triggers an overflow," according to the ISS security advisory. -This can result in a remote denial-of-service attack on the OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs with superuser privilege, so remote attackers can gain superuser access by exploiting this vulnerability."
The vulnerability is in the -challenge-response" authentication mechanism in the OpenSSH daemon (sshd), the advisory states.
Slender said ISS had notified the senior developer of the program, who had developed a patch. -In this case we did contact the senior developer and, with his coordination, we worked towards making sure the community was ready to have the vulnerability announced," he said.
ISS is advising systems administrators to disable unused OpenSSH authentication mechanisms. It's also possible for them to remove the vulnerability by disabling the challenge-response authentication parameter within the OpenSSH daemon configuration file, according to the advisory. Slender also advised users to upgrade.
Information about the vulnerability has also been posted on security mailing lists such as BugTraq and Debian.
