Note: This is an archival copy of Security Sun Alert 201922 as previously published on
Latest version of this security advisory is available from as Sun Alert 1001423.1.
Article ID : 1001423.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-06-23
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

OpenSSH-2.9p2-12C4 May Allow root Exploit in Sun Cobalt RaQ 550


Release Phase

Sun Cobalt RaQ 550 Server

Bug Id

Date of Workaround Release

Date of Resolved Release


The vulnerability in OpenSSH could lead to a remote root compromise or a denial of service. It may result in system integrity being compromised and may require reinstallation or restoration of the system.

This issue is described in the CERT Vulnerability VU#369347 (see which is referenced in CERT advisory CA-2002-18 (see

Note: This CERT advisory also impacts the Secure Shell shipped with Solaris 9. Please see Sun Alert Notification 45525 for details.

Contributing Factors

This issue can occur in the following releases:

x86 Platform

  • Sun Cobalt RaQ 550 and OpenSSH OpenSSH-2.9p2-12C4


Sun Cobalt RaQ 550 is implemented only on x86 systems, under Linux.

OpenSSH is the tool of choice for secure remote command line management and secure port forwarding. OpenSSH is a free version of the SSH (Secure Shell) communications suite and is used as a secure replacement for protocols such as "telnet", "rlogin", "rsh", and "FTP". It operates by establishing an encrypted channel between the client and server hosts. Several options are included to enhance security. Among these options is the use of "challenge-response" technology, which causes the client to respond to the challenge with several responses. The vulnerability lies in this mechanism. Specially crafted responses to the server's challenge can cause a denial of service or, possibly, a root compromise.


The inability to log in to the RaQ 550 through an SSH client could indicate that a denial of service is in progress.

Unmatched root logins in the /var/log/secure log file could indicate a root compromise.


The workaround is to disable the "ChallengeResponseAuthentication" parameter in the OpenSSH daemon configuration file, "/etc/ssh/sshd_config", by setting it to "no", as below:

	ChallengeResponseAuthentication no

The "sshd" process must be restarted for this change to take effect. This can be done by executing the following command, as root:

	# /etc/rc.d/init.d/sshd restart
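
A check that the workaround above is actually in effect in a given configuration file, as an added example that is not part of the original Sun Alert. It assumes sshd matches keywords case-insensitively, uses the first uncommented occurrence of a keyword, and enables the option when the keyword is absent; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether ChallengeResponseAuthentication is disabled
# in an sshd_config file. Not taken from the advisory.

# Print the effective value of ChallengeResponseAuthentication.
# Assumptions: keywords are case-insensitive, the first uncommented
# occurrence wins, and an absent keyword counts as "yes" (conservative).
cra_effective() {
    awk '
        { sub(/\r$/, "") }            # tolerate CRLF line endings
        /^[ \t]*#/ { next }           # a commented-out line has no effect
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# Return 0 only when the workaround is applied.
cra_disabled() {
    [ "$(cra_effective "$1")" = "no" ]
}

# Constructed sample: "no" was appended at the end of the file, but an
# earlier active "yes" line takes precedence, so the workaround is NOT applied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#ChallengeResponseAuthentication no
PasswordAuthentication yes
challengeresponseauthentication yes
ChallengeResponseAuthentication no
EOF

if cra_disabled "$sample"; then
    echo "workaround applied"
else
    echo "workaround NOT applied (effective value: $(cra_effective "$sample"))"
fi
rm -f "$sample"
```

On the server itself the function would be pointed at "/etc/ssh/sshd_config"; the running daemon only picks up the file's current contents after the restart shown above.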


This issue is addressed in the following releases:

RaQ 550

Note: The above patch depends on another patch located at

Modification History
Date: 24-JUN-2003
  • State Resolved
  • Updated Resolution section
