[Dshield] SSH Vulnerability

Ben Robson ben at robson.ph
Tue Sep 16 15:35:31 GMT 2003


I generate security alerts for my employer, and have done one for the 
SSH vulnerability.  Given nobody has, as yet, posted a summary doco, I 
thought I might slap mine up.

Please excuse any formatting or content that may offend people's 
sensibilities.  DShield is not intended as its native target audience.

If anyone has some alternate "factual" information I would be interested.


*** SO ALERT *** OpenSSH Vulnerability

Purpose:                Security Officer Alert
Subject:                Possible Vulnerability in OpenSSH v3.6p1
Threat Level:           High-Critical
Date:                   17th September 2003
Systems Affected:       All systems running OpenSSH (except OpenBSD 3.3)


    A vulnerability has been confirmed within version 3.6p1 of the 
OpenSSH application.  OpenSSH is critical to the secure, remote 
management of the vast majority of Unix servers on networks throughout 
the world.  With almost all Unix varieties now installing and starting 
OpenSSH by default, and with it among the tools administrators usually 
leave running, a very large number of servers will be vulnerable to 
remote attack until vendors make new binaries available and 
administrators apply them, or until administrators download the source 
code patch, recompile and install OpenSSH.

    Due to the pervasiveness of OpenSSH across Unix-variant servers, 
desktops and network appliances, a very large number of devices could 
be, and are likely to be, vulnerable to this issue.

    Whilst evidence of exploit code in the wild is yet to be 
substantiated, rumours exist of individuals' servers being attacked and 
compromised via their OpenSSH installation.

Who is affected:

    The OpenSSH vulnerability appears to affect all users of the OpenSSH 
daemon, version 3.6p1, excluding users of OpenBSD 3.3 or above.  All 
Unix variants are potential targets for this issue.  It is unknown 
whether prior versions are vulnerable, but administrators should upgrade 
beyond 3.6p1 as soon as possible, as vulnerabilities exist for all 
subsequent versions as well.



    As a mitigating action, system and network administrators should either:
        1.    Disable the OpenSSH daemon (sshd) from running on devices, or
        2.    Restrict access to the OpenSSH daemon (sshd) to 
known/trusted hosts via a network or host based firewall.


    To properly address this issue, by removing the vulnerability from 
the OpenSSH application, administrators should either:
        1.    Apply patches to the OpenSSH source code and recompile the 
OpenSSH application, or
        2.    Obtain new releases of the OpenSSH application from their 
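The two remediation options above both come down to knowing which hosts still run an affected build. As an added example, not part of this post or of the OpenSSH project, the POSIX shell script below triages an inventory of SSH server banners (the "SSH-2.0-OpenSSH_x.y" string a server sends on connect) against a minimum fixed release. The host names, banner strings and the `openssh_*` / `report_*` function names are constructed for the example, and the minimum release is a parameter because the post does not state which release carries the fix; take it from your vendor's advisory.

```shell
#!/bin/sh
# Added example: triage collected SSH server banners against a minimum fixed
# OpenSSH release. Not code from the original post or from the OpenSSH project.
# Assumptions: inventory lines look like "<host> SSH-<proto>-OpenSSH_<version>"
# and the minimum release is supplied by the caller from a vendor advisory.

# Turn an OpenSSH version string such as "3.6.1p2" into one integer
# (major*1000000 + minor*10000 + point*100 + portable patch level) so that
# releases can be compared with -lt. "3.7" and "3.6p1" are handled as well.
openssh_version_key() {
  ver=${1%%-*}                 # drop vendor suffixes such as "-hpn"
  base=${ver%%p*}              # numeric part before the portable "pN" suffix
  patch=${ver#"$base"}
  patch=${patch#p}
  set -- $(printf '%s' "$base" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + ${patch:-0} ))
}

# Exit 0 when the banner is an OpenSSH older than $2, 1 when it is at or
# above $2, and 2 when the banner is not OpenSSH at all (cannot judge).
openssh_banner_needs_upgrade() {
  banner=$1
  minimum=$2
  case $banner in
    *OpenSSH_*) ;;
    *) return 2 ;;
  esac
  ver=${banner##*OpenSSH_}     # text after "OpenSSH_"
  ver=${ver%% *}               # up to the first space (comment field)
  [ "$(openssh_version_key "$ver")" -lt "$(openssh_version_key "$minimum")" ]
}

# Constructed sample inventory (not real hosts), one "<host> <banner>" per line.
SAMPLE_INVENTORY='gw1.example.test SSH-2.0-OpenSSH_3.6.1p2
build.example.test SSH-1.99-OpenSSH_3.4p1
jump.example.test SSH-2.0-OpenSSH_3.7.1p1
fw.example.test SSH-2.0-dropbear_0.39'

# Print one "<host> <verdict>" line per inventory entry, where the verdict is
# UPGRADE (older than the minimum), OK, or UNKNOWN (not an OpenSSH banner).
report_openssh_inventory() {
  minimum=$1
  printf '%s\n' "$2" | while read -r host banner; do
    [ -n "$host" ] || continue
    # "&& rc=0 || rc=$?" keeps a non-zero status from tripping "set -e".
    openssh_banner_needs_upgrade "$banner" "$minimum" && rc=0 || rc=$?
    case $rc in
      0) verdict=UPGRADE ;;
      1) verdict=OK ;;
      *) verdict=UNKNOWN ;;
    esac
    printf '%s %s\n' "$host" "$verdict"
  done
}

# Number of inventory entries still below the minimum release.
count_upgrades_needed() {
  report_openssh_inventory "$1" "$2" | grep -c ' UPGRADE$'
}

report_openssh_inventory 3.7 "$SAMPLE_INVENTORY"
```

Run with the minimum release your vendor names; with the constructed sample and a minimum of 3.7 it reports gw1 and build as UPGRADE, jump as OK and the non-OpenSSH fw entry as UNKNOWN, which is the list you would then either patch or fence off behind the firewall rules suggested above. Vendors sometimes back-port fixes without bumping the upstream version number, so treat a banner-only verdict as a starting point, not proof.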


    Whilst patches and new binaries are filtering in from vendors for 
the OpenSSH application numerous questions are still outstanding:

    1.    How long has Theo de Raadt (OpenSSH principal developer) known 
about the vulnerability?
    2.    How long has the underground hacker community known about the 
    3.    Are the claims of a live exploit substantiated or fiction?
    4.    If 3. is 'substantiated', how long has Theo known this, and 
why didn't he tell administrators that, at the least, a vulnerability 
did exist so that they could take mitigating steps whilst they wait for 
a patch?

    A recent trend, supported, disturbingly, by Microsoft, other 
leading vendors, and many in the security community, has been to 
withhold information on newly identified vulnerabilities.  The 
intent is to prevent malicious users from obtaining details of 
the issue and developing exploits before the software vendors have the 
opportunity to release patches.

    Unfortunately for this method of issue management, more often than 
not the hacker community still finds out about an issue before the 
patch is released.  This leaves system and network administrators 
with rumours and innuendo as to whether an issue exists, no 
official guidance from those who know, and thus no ability to decide 
whether a threat is real, whether they need to take action to prevent 
being attacked, or what sort of action might help them.

    I call on the above parties to stop this foolishness and, at the 
very least, when an issue is identified, provide enough detail to allow 
administrators of networks and systems to make decisions to protect 
themselves whilst the software vendor works on fixing the problem.


    Early on Monday 16th September 2004 (AEST) news came to the 
Full-Disclosure mailing list of a rumoured vulnerability existing in the 
OpenSSH application.  Very quickly several other participants supported 
this rumour, but little hard evidence was presented.

    An initial posting by Christopher Neitzert reads, "Does anyone know 
of or have source related to a new, and unpublished ssh
exploit?  An ISP I work with has filtered all SSH connections due to 
several root level incidents involving ssh. Any information is

    Initial response by the security community was cautious, suggesting 
mitigation strategies be put in place in case the rumours turned out to 
be true.

    Follow-up posts to Neitzert's query suggested that an issue existed 
with the contents of buffer.c for version 3.6p1 of the OpenSSH application.

    A later post provided the offending portion of the buffer.c file 
which it was later disclosed contained an "off by one" vulnerability.

    Carl Livitt established a dialogue with Theo de Raadt, the principal 
of OpenSSH, and posted the following to the Full-Disclosure mailing list:

Straight from the horse's mouth, this is a snippet of an email 
conversation I just had with Theo de Raadt:


Is there a patch available to patch the off-by-one that has been 
reported in OpenSSH ?  As it is being actively exploited in the wild, I 
would like to patch my servers ASAP (as you can probably imagine).

Thank you for taking the time to read - and hopefully respond to - this 
Kind regards,


A flamefest ensued, but his answer was:

Bugger off, wait like the rest of the planet.


After more flaming abuse, I received this from him:

I have been spending the last 10 days making openbsd releases for
about 14-15 hours a day for people to use
We've been spending hours and hours making openssh release
We are dealing with an, as far as we know, unexploitable hole
(affects some systems, but not openbsd it is pretty clear) issue
for all of you who run other system
we've been dealing with this frantically
to make something that the internet relies on as good
as good as it possibly can be
no sleep for 30 hours
and you expect me to treat you special?



and you think that you pasting it to some icb channel makes me feel
worth less, when every single hp and cisco switch containing this code
is likely vulnerable, and i don't like that, and want to make the
world a better place even if it kills me due to stress and lack of
sleep because i think that a better world is a better place to live
my life?

The main point is that " every single hp and cisco switch containing 
this code is likely vulnerable". Oh dear, this could get nasty.. batten 
down the hatches...
Poor Theo, he needs his rest.


By late evening on the 16th of September 2003 (AEST) patches began to 
appear for the OpenSSH application.  Reports soon followed of vendors 
releasing new versions of the OpenSSH application to the community.
