Note: This is an archival copy of Security Sun Alert 200785 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000601.1.
Article ID : 1000601.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-10-09
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Secure Shell Daemon (sshd(1M)) Buffer Management Security Vulnerability


Release Phase

Solaris 9 Operating System

Bug Id

Date of Workaround Release

Date of Resolved Release


The Solaris Secure Shell daemon, sshd(1M), shipped with Solaris 9, is based on OpenSSH and is affected by a buffer management security vulnerability which may allow local or remote unprivileged users to execute arbitrary commands with the permissions of the sshd(1M) daemon or create a denial of service condition by corrupting the heap of the sshd(1M) daemon. The sshd(1M) daemon normally runs with "root" (uid 0) privileges.

This issue is described in the CERT Vulnerability VU#333628 (see which is referenced in CERT Advisory CA-2003-24 (see

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 without patch 113273-04

x86 Platform

  • Solaris 9 without patch 114858-03

Note: Solaris 8 and earlier releases did not ship with Solaris Secure Shell and therefore are not vulnerable.


There are no predictable symptoms that would indicate the above described issues have been exploited.


Until patches can be installed for this issue, sites are advised to disable the sshd(1M) daemon on Solaris 9 systems. The following commands can be run as root to kill the existing sshd(1M) daemon and prevent it from starting up after future reboots:

    # /etc/init.d/sshd stop    # mv /etc/rc3.d/S89sshd /etc/rc3.d/not-S89sshd


This issue is addressed in the following releases:

SPARC Platform

  • Solaris 9 with patch 113273-04 or later

x86 Platform

  • Solaris 9 with patch 114858-03 or later

Modification History
Date: 30-SEP-2003
  • Preliminary T-patches are available

Date: 10-OCT-2003
  • State Resolved
  • Updated Contributing Factors, and Resolution sections



This solution has no attachment