<<< Date Index >>>     <<< Thread Index >>>

Cisco Security Advisory: OpenSSH Server Vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Cisco Security Advisory: OpenSSH Server Vulnerabilities

Revision Numeral: 1.0 INTERIM

  For Public Release 2003 September 17 0700 GMT

     ----------------------------------------------------------------------

Contents

     Summary
     Affected Products
     Details
     Impact
     Software Versions and Fixes
     Obtaining Fixed Software
     Workarounds
     Exploitation and Public Announcements
     Status of This Notice: INTERIM
     Distribution
     Revision History
     Cisco Security Procedures

     ----------------------------------------------------------------------

Summary

   New vulnerabilities in the OpenSSH implementation for SSH
   servers have been announced.

   An affected network device, running an SSH server based on the OpenSSH
   implementation, may be vulnerable to a Denial of Service (DoS) attack when
   an exploit script is repeatedly executed against the same device. There
   are workarounds available to mitigate the effects of these
   vulnerabilities.

   This advisory will be posted at
   http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml.

Affected Products

   The following products, have their SSH server implementation based on the
   OpenSSH code, and are affected by the OpenSSH vulnerabilities.

     * Cisco Catalyst Switching Software (CatOS)

     * CiscoWorks 1105 Hosting Solution Engine (HSE)

     * CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)

     * Cisco SN 5428 Storage Router

       Vulnerable versions are:

          * SN5428-2.5.1-K9

          * SN5428-3.2.1-K9

          * SN5428-3.2.2-K9

          * SN5428-3.3.1-K9

          * SN5428-3.3.2-K9

          * SN5428-2-3.3.1-K9

          * SN5428-2-3.3.2-K9

   This does not include release sr2122-3.1.1-K9, which only contains SSL and
   no SSH. Cisco has not released code with SSH for the SN5420 storage
   router.

   The following products, which incorporate a SSH server, have been
   confirmed to be not vulnerable to the OpenSSH vulnerabilities.

     * Cisco IOS, both SSH version 1.5 and SSH version 2.0

     * Cisco PIX Firewall

     * Cisco Catalyst 6000 FireWall Service Module (FWSM)

     * Cisco VPN3000 and Cisco VPN5000

   No other Cisco products are currently known to be affected by these
   vulnerabilities.

Details

   The buffer size or the number of channels in the fixed code is now
   correctly incremented only after a successful allocation where as
   initially they were being set before an allocation. Upon an allocation
   failure, which could be externally triggered, memory contents would be
   incorrectly erased by the cleanup process. This would result in a
   corruption of the memory which would eventually lead to a crash for the
   process using that memory.

   The OpenSSH code diffs can be viewed at
   http://www.openssh.com/txt/buffer.adv.

   Please note, the SSH server code under Cisco IOS has other vulnerabilities
   as documented by
   http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml which may
   be triggered by the code written to exploit the OpenSHH vulnerabilities.

   Cisco Catalyst Switching Software (CatOS)-This vulnerability is documented
   as Bug ID CSCecxxxxx. To be determined.

   CiscoWorks 1105 Hosting Solution Engine (HSE)-This vulnerability is
   documented as Bug ID CSCecxxxxx. To be determined.

   CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)-This vulnerability is
   documented as Bug ID CSCecxxxxx. To be determined.

   Cisco SN 5428 Storage Router-This vulnerability is documented as Bug ID
   CSCec32301 (registered customers only) . For more information on the SN
   5428 please refer to
   http://www.cisco.com/en/US/products/hw/ps4159/ps2160/index.html.

Impact

   An affected device, running an SSH server based on the OpenSSH
   implementation, may be vulnerable to a DoS attack when an exploit script
   is repeatedly executed against the same device.

Software Versions and Fixes

   Cisco Catalyst Switching Software (CatOS)-To be determined.

   CiscoWorks 1105 Hosting Solution Engine (HSE)-To be determined.

   CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)-To be determined.

   Cisco SN 5428 Storage Router-Version 3.4.1, will incorporate this patch
   and will be available soon for the SN 5428, SN 5428-2, and the HP SR2122
   (SN 5422).

Obtaining Fixed Software

   Cisco is offering free software upgrades or patches to address these
   vulnerabilities for all affected customers. Customers may only install and
   expect support for the feature sets they have purchased. By installing,
   downloading, accessing or otherwise using such software upgrades or
   patches, Customers agree to be bound by the terms of Cisco's software
   license terms found at
   http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set
   forth at the Cisco Connection Online Software Center at
   http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

   Customers with service contracts should contact their regular update
   channels to obtain the free software upgrade(s) or patches identified via
   this advisory. For most customers with service contracts, this means that
   upgrades should be obtained through the Software Center on Cisco's
   worldwide website at http://www.cisco.com/tacpage/sw-center/. To access
   the software download URL, you must be a registered user and you must be
   logged in.

   Customers whose Cisco products are provided or maintained through a prior
   or existing agreement with third-party support organizations such as Cisco
   Partners, authorized resellers, or service providers should contact that
   support organization for assistance with obtaining the free software
   upgrade(s).

   Customers who purchased directly from Cisco but who do not hold a Cisco
   service contract, and customers who purchase through third party vendors
   but are unsuccessful at obtaining fixed software through their point of
   sale, should obtain fixed software by contacting the Cisco Technical
   Assistance Center (TAC) using the contact information listed below. In
   these cases, customers are entitled to obtain an upgrade to a later
   version of the same release or as indicated by the applicable corrected
   software version in the Software Versions and Fixes section (noted above).

     * +1 800 553 2447 (toll free from within North America)

     * +1 408 526 7209 (toll call from anywhere in the world)

     * e-mail: tac@xxxxxxxxx

   See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
   additional TAC contact information, including special localized telephone
   numbers and instructions and e-mail addresses for use in various
   languages.

   Please have your product serial number available and give the URL of this
   notice as evidence of your entitlement to a free upgrade. Free upgrades
   for non-contract customers must be requested through the TAC.

   Please do not contact either "psirt@xxxxxxxxx" or
   "security-alert@xxxxxxxxx" for software upgrades.

Workarounds

   The Cisco PSIRT recommends that affected users upgrade to a fixed software
   version of code as soon as it is available.

     * Restrict access to SSH server on the network device: Allow access to
       the network device only from trusted workstations by using ACL's / MAC
       filters that are available on the affected platforms.

     * As per best practices, if possible, ensure that the SSH server does
       not run on the default port of TCP 22 and is running on port higher
       than 1024 on critical network devices. This will prevent automated
       scanners from successfully exploiting this vulnerability.

Exploitation and Public Announcements

   The Cisco PSIRT is not aware of any malicious use of the vulnerabilities
   described in this advisory, at this time.

   These vulnerabilities have also been documented by CERT/CC at
   http://www.cert.org/advisories/CA-2003-24.html.

Status of This Notice: INTERIM

   This is an interim advisory. Although Cisco cannot guarantee the accuracy
   of all statements in this advisory, all of the facts have been checked to
   the best of our ability. Cisco does not anticipate issuing updated
   versions of this advisory unless there is some material change in the
   facts. Should there be a significant change in the facts, Cisco may update
   this advisory.

   A stand-alone copy or paraphrase of the text of this security advisory
   that omits the distribution URL in the following section is an
   uncontrolled copy, and may lack important information or contain factual
   errors.

Distribution

   This advisory will be posted on Cisco's worldwide website at
   http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml.

   In addition to worldwide website posting, a text version of this advisory
   is clear-signed with the Cisco PSIRT PGP key having the fingerprint 8C82
   5207 0CA9 ED40 1DD2 EE2A 7B31 A8CF 32B6 B590 and is posted to the
   following e-mail and Usenet news recipients:

     * cust-security-announce@xxxxxxxxx

     * bugtraq@xxxxxxxxxxxxxxxxx

     * first-teams@xxxxxxxxx (includes CERT/CC)

     * vulnwatch@xxxxxxxxxxxxx

     * cisco@xxxxxxxxxxxxxxxxx

     * cisco-nsp@xxxxxxxxxxxxxxx

     * full-disclosure@xxxxxxxxxxxxxxxx

     * comp.dcom.sys.cisco@xxxxxxxxxxxxxxxxxx

     * Various internal Cisco mailing lists

   Future updates of this advisory, if any, will be placed on Cisco's
   worldwide website, but may or may not be actively announced on mailing
   lists or newsgroups. Users concerned about this problem are encouraged to
   check the above URL for any updates.

Revision History

   +------------------------------------------+
   |Revision|2003-September-17|Initial public |
   |1.0     |                 |release.       |
   +------------------------------------------+

Cisco Security Procedures

   Complete information on reporting security vulnerabilities in Cisco
   products, obtaining assistance with security incidents, and registering to
   receive security information from Cisco, is available on Cisco's worldwide
   website at
   http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
   includes instructions for press inquiries regarding Cisco security
   notices. All Cisco security advisories are available at
   http://www.cisco.com/go/psirt.

     ----------------------------------------------------------------------

   This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
   redistributed freely after the release date given at the top of the text,
   provided that redistributed copies are complete and unmodified, and
   include all date and version information.

     ----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Comment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT

iD8DBQE/aB+lezGozzK2tZARAq5XAKD6yUwMQk/Oivq4Ysl1vbukn9/EBwCgwabS
rKgdDxatOsxe1GLHbg8oxoU=
=Y8b1
-----END PGP SIGNATURE-----