New vulnerabilities in the OpenSSH implementation for SSH servers have been announced. An affected network device, running an SSH server based on the OpenSSH implementation, may be vulnerable to a Denial of Service (DoS) attack when an exploit script is repeatedly executed against the same device. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory will be posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030917-openssh.
New vulnerabilities in the OpenSSH implementation for SSH servers have been announced.
An affected network device, running an SSH server based on the OpenSSH implementation, may be vulnerable to a Denial of Service (DoS) attack when an exploit script is repeatedly executed against the same device. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory will be posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030917-openssh.
This section provides details on affected products.
The following products, have their SSH server implementation based on the OpenSSH code, and are affected by the OpenSSH vulnerabilities.
Cisco has not released code with SSH for the SN5420 storage router.
The following products, which incorporate a SSH server, have been confirmed to be not vulnerable to the OpenSSH vulnerabilities.
No other Cisco products are currently known to be affected by these vulnerabilities.
The buffer size or the number of channels in the fixed code is now correctly incremented only after a successful allocation where as initially they were being set before an allocation. Upon an allocation failure, which could be externally triggered, memory contents would be incorrectly erased by the cleanup process. This would result in a corruption of the memory which would eventually lead to a crash for the process using that memory.
Portable OpenSSH version (not OpenBSD version) 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM authentication code. These vulnerabilities are not known to affect any Cisco products.
Please note, the SSH server code under Cisco IOS has other vulnerabilities as documented by http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml which may be triggered by the code written to exploit the OpenSHH vulnerabilities.
The Cisco PSIRT recommends that affected users upgrade to a fixed software version of code as soon as it is available.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
The Cisco PSIRT is not aware of any malicious use of the vulnerabilities described in this advisory, at this time.
These vulnerabilities have also been documented by CERT/CC at http://www.cert.org/advisories/CA-2003-24.html .
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.6 |
2003-November-07 |
Added Cisco PGW 2200 Softswitch as a vulnerable product. Added 8.1(3) as a fixed release for CatOS. |
Revision 1.5 |
2003-September-27 |
Added not vulnerable to Portable OpenSSH version in the details section. Added ACNS and BTS10200 as vulnerable. Added 5.x as affected release for CSS11000. Updated fix information for NAM. |
Revision 1.4 |
2003-September-23 |
Added CatOS release schedule in Software Versions and Fixes. |
Revision 1.3 |
2003-September-19 |
Added Cisco Content Service CSS11000 Switch series and Cisco Network Analysis Modules (NAM) as being affected. |
Revision 1.2 |
2003-September-18 |
Added an additional workaround for the CatOS in the Workaround section. |
Revision 1.1 |
2003-September-18 |
Added CatOS versions, Cisco Secure Intrusion Detection System (NetRanger) appliance, and Cisco GSS 4480 Global Site Selector to the Affected Products section; and Cisco Secure Intrusion Detection System Catalyst Module (IDSM) to the not vulnerable list. Added Cisco Secure Intrusion Detection System (NetRanger) appliance, and Cisco GSS 4480 Global Site Selector to the Details section, and added Bug IDs for the products. Added Cisco Secure Intrusion Detection System (NetRanger) appliance to the Software Versions and Fixes section, and added upcoming fixes for the products. |
Revision 1.0 |
2003-September-17 |
Initial public release. |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.