Note: This is an archival copy of Security Sun Alert 201264 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000947.1.
Article ID : 1000947.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-06-28
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the sshd(1M) Protocol Version 1 Implementation May Allow a Denial of Service to the Host



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System

Bug Id
6477720

Date of Workaround Release
08-JUN-2007

Date of Resolved Release
29-JUN-2007

Impact

A security vulnerability which affects the sshd(1M) daemon when configured to use protocol version 1 may allow a remote user to cause the daemon to consume an excessive amount of CPU power. This will affect the performance and responsiveness of the system as a whole, resulting in a denial of service (DoS) to the system.

This issue is also referenced in the following document:

CVE-2006-4924 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 without patch 113273-15
  • Solaris 10 without patch 123324-03

x86 Platform

  • Solaris 9 without patch 114858-12
  • Solaris 10 without patch 123325-03

Notes:

  1. Solaris 8 does not include the sshd(1M) daemon and is therefore not impacted by this issue.
  2. This issue only affects systems which are configured to run the SSH service with version 1 of the SSH protocol.

A command such as the following can be used to determine if the sshd daemon is running on a host:

    $ pgrep sshd || echo "sshd not running"

To determine if sshd is configured to use version 1 of the protocol, a command such as the following can be used to list the configured protocols from the default configuration file (see sshd_config(4)):

    $ grep Protocol /etc/ssh/sshd_config
    Protocol 2,1

If '1' is included in the list of configured protocols, or if no 'Protocol' line is found (the default setting is '2,1'), then the host is potentially affected by this issue. Note that for protocol version 1 to be truly supported on the host, it must be provided with a compatible host key via the HostKey directive; see sshd_config(4) for more details.
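
The Protocol check above as a script, added here as an example and not part of the original Sun Alert: it skips commented-out lines, matches keywords case-insensitively, applies the '2,1' default when no Protocol line is set, and counts HostKey directives for review. It assumes the first uncommented Protocol line is the one in effect; the function names and sample configurations are constructed for illustration.

```sh
#!/bin/sh
# Added example: apply the advisory's Protocol check to an sshd_config file.
# Assumptions: the first uncommented Protocol line is the effective one and
# keywords are case-insensitive. On Solaris 9/10 run with AWK=nawk, since
# /usr/bin/awk there lacks sub() and tolower().
AWK=${AWK:-awk}

# effective_protocol FILE: print the Protocol value in effect, or the
# default '2,1' (as stated in the advisory) when no Protocol line is set.
effective_protocol() {
    "$AWK" '
        { sub(/#.*/, "") }                          # ignore comments
        tolower($1) == "protocol" && !seen { print $2; seen = 1 }
        END { if (!seen) print "2,1" }
    ' "$1"
}

# hostkey_count FILE: number of uncommented HostKey directives.
hostkey_count() {
    "$AWK" '
        { sub(/#.*/, "") }
        tolower($1) == "hostkey" { n++ }
        END { print n + 0 }
    ' "$1"
}

# assess FILE: one-line verdict following the advisory's criteria.
assess() {
    proto=$(effective_protocol "$1")
    case ",$proto," in
        *,1,*) echo "potentially affected: Protocol $proto (HostKey directives: $(hostkey_count "$1"))" ;;
        *)     echo "protocol 1 not listed: Protocol $proto" ;;
    esac
}

# Constructed sample configurations (not taken from a real host).
tmp=${TMPDIR:-/tmp}/sshd_check.$$
mkdir -p "$tmp"
printf '#Protocol 2\nPort 22\n' > "$tmp/default.conf"
printf 'protocol 2,1\nHostKey /etc/ssh/ssh_host_rsa_key\n' > "$tmp/both.conf"
printf '# was: Protocol 2,1\nProtocol 2\n' > "$tmp/v2only.conf"
for f in default both v2only; do
    printf '%-8s %s\n' "$f" "$(assess "$tmp/$f.conf")"
done
rm -rf "$tmp"
```

A plain `grep Protocol` also matches commented-out lines such as `#Protocol 2`, which is why the script strips comments before deciding.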


Symptoms

If this issue is exploited to cause a denial of service on the host, one or more sshd processes will be running and will be consuming an unusually large percentage of CPU time. In addition, the host itself may be generally unresponsive.

To determine the CPU usage of the processes running on the system, a command such as the following can be used, which will sort the running processes by CPU consumption (in descending order):

    $ prstat -s cpu
    [...]

Workaround

To work around the described issue, sites may choose to disable version 1 of the protocol by removing '1' from the list of supported protocols in the /etc/ssh/sshd_config file (see sshd_config(4)). E.g.:

    $ grep Protocol /etc/ssh/sshd_config
    Protocol 2

and then restart the sshd daemon:

For Solaris 9:

    # /etc/init.d/sshd stop ; /etc/init.d/sshd start

For Solaris 10:

    # svcadm restart ssh

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 9 with patch 113273-15 or later
  • Solaris 10 with patch 123324-03 or later

x86 Platform

  • Solaris 9 with patch 114858-12 or later
  • Solaris 10 with patch 123325-03 or later


Modification History
Date: 21-JUN-2007
  • Updated Contributing Factors and Resolution sections

Date: 26-JUN-2007
  • Updated Contributing Factors and Resolution sections

Date: 29-JUN-2007
  • Updated Contributing Factors and Resolution sections
  • State: Resolved


References

123324-03
123325-03
113273-15
114858-12



