Note: This is an archival copy of Security Sun Alert 201922 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001423.1.
Article ID : 1001423.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-06-23
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

OpenSSH-2.9p2-12C4 May Allow root Exploit in Sun Cobalt RaQ 550

Category
Security

Release Phase
Resolved

Product
Sun Cobalt RaQ 550 Server

Bug Id
15562

Date of Workaround Release
01-JUL-2002

Date of Resolved Release
24-JUN-2003

Impact

The vulnerability in OpenSSH could lead to a remote root compromise or a denial of service. It may result in system integrity being compromised and may require reinstallation or restoration of the system.

This issue is described in the CERT Vulnerability VU#369347 (see http://www.kb.cert.org/vuls/id/369347) which is referenced in CERT advisory CA-2002-18 (see http://www.cert.org/advisories/CA-2002-18.html).

Note: This CERT advisory also impacts the Secure Shell shipped with Solaris 9. Please see Sun Alert Notification 45525 for details.


Contributing Factors

This issue can occur in the following releases:

x86 Platform

  • Sun Cobalt RaQ 550 and OpenSSH OpenSSH-2.9p2-12C4

Notes:

Sun Cobalt RaQ 550 is implemented only on x86 systems, under Linux.

OpenSSH is the tool of choice for secure remote command line management and secure port forwarding. OpenSSH is a free version of the SSH (Secure Shell) communications suite and is used as a secure replacement for protocols such as "telnet", "rlogin", "rsh", and "FTP". It operates by establishing an encrypted channel between the client and server hosts. Several options are included to enhance security. Among these options is the use of "challenge-response" technology which causes the client to respond to the challenge with several responses. The vulnerability lies in this mechanism. By sending specially crafted responses to the server's challenge, a Denial of Service or, possibly, a root compromise can occur.


Symptoms

The inability to login to the RaQ 550 through an SSH client could indicate that a denial of service is in progress.

Unmatched root logins in the /var/log/secure log file could indicate a root compromise.


Workaround

The workaround is to disable the "ChallengeResponseAuthentication" parameter within the OpenSSH daemon configuration file, "/etc/ssh/sshd_config" by setting it to "no", as below : 

	ChallengeResponseAuthentication no

The "sshd" process must be restarted for this change to take effect. This can be done by executing the following command, as root : 

	# /etc/rc.d/init.d/sshd restart

Resolution

This issue is addressed in the following releases:

RaQ 550

Note: The above patch depends on another patch located at http://ftp.cobalt.sun.com/pub/packages/raq550/all/RaQ550-All-Security-0.0.1-15674.pkg.



Modification History
Date: 24-JUN-2003
  • State Resolved
  • Updated Resolution section


























Attachments
This solution has no attachment