Security alert: Unix at risk from secure login system flaw


Unix users have been urged to disable the OpenSSH secure login system to prevent a potential attack that could take over the entire operating system.

Internet Security Systems (ISS) has uncovered a vulnerability in the "challenge-response" authentication mechanism of the OpenSSH secure login feature, which is used in a number of Unix operating systems including OpenBSD, FreeBSD and NetBSD.

Some Linux and commercial Unix operating systems also include the feature, which was designed to reduce hacking attacks.

The SSH2 protocol verifies a user's identity by generating a challenge and forcing the user to supply a number of responses. However, a flaw in OpenSSH versions 2.9.9 to 3.3 means it is possible for a remote attacker to send a specially crafted reply that would trigger a buffer overflow, ISS warned.

ISS believes such an attack could result in a remote denial of service attack on the OpenSSH system or a complete compromise of the system.

Since the OpenSSH server runs with super user privilege, ISS said a remote attacker could gain super user access by exploiting this vulnerability. ISS has provided a tool for detecting potentially vulnerable installations of OpenSSH, which is available from the ISS Download Center at

OpenSSH, the organisation that oversees development of the software, is urging users to upgrade to the latest 3.4 release immediately. In the short term it has advised users to disable "ChallengeResponseAuthentication" in the sshd_config configuration file.
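As an added example (not from the article or the OpenSSH project), a small POSIX shell audit that checks the two things an administrator needs after reading this advisory: whether the installed version falls in the 2.9.9 to 3.3 range, and whether the ChallengeResponseAuthentication workaround is actually in effect. It relies on a fact the article does not mention: sshd uses the first occurrence of a keyword in sshd_config, so appending "no" below an existing "yes" does not disable the mechanism. The version banner and config files are constructed samples.

```shell
#!/bin/sh
# Added example: audit sshd_config for the ChallengeResponseAuthentication
# workaround and check an OpenSSH version string against the 2.9.9 .. 3.3 range.

# sshd honours the FIRST occurrence of a keyword in sshd_config, so a
# "ChallengeResponseAuthentication no" appended below an earlier "yes" has no
# effect. Print the effective value; the default when the keyword is absent is "yes".
effective_cra() {
  awk '/^[[:space:]]*#/ { next }
       tolower($1) == "challengeresponseauthentication" { print tolower($2); found = 1; exit }
       END { if (!found) print "yes" }' "$1"
}

# Reduce "OpenSSH_3.1p1, SSH protocols 1.5/2.0, ..." (what `ssh -V` prints on
# stderr) to a sortable integer: 2.9.9 -> 20909, 3.3 -> 30300, 3.4 -> 30400.
version_key() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*\).*/\1/p')
  [ -n "$v" ] || { printf '%s\n' -1; return; }
  maj=${v%%.*}; rest=${v#"$maj"}; rest=${rest#.}
  min=${rest%%.*}; rest=${rest#"$min"}; rest=${rest#.}
  pat=${rest%%.*}
  echo $(( ${maj:-0} * 10000 + ${min:-0} * 100 + ${pat:-0} ))
}

# True when the version falls in the range the advisory names (2.9.9 to 3.3).
affected_version() {
  k=$(version_key "$1")
  [ "$k" -ge 20909 ] && [ "$k" -lt 30400 ]
}

# $1 = sshd_config path, $2 = ssh -V banner. Prints one of three verdicts.
audit_sshd() {
  if ! affected_version "$2"; then echo "not-affected"; return; fi
  [ "$(effective_cra "$1")" = "no" ] && echo "mitigated" || echo "VULNERABLE"
}

# Constructed sample configs and banner for a stand-alone run.
tmp=$(mktemp -d)
cat > "$tmp/appended.conf" <<'EOF'
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
EOF
cat > "$tmp/fixed.conf" <<'EOF'
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
EOF
banner='OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f'   # constructed
echo "appended.conf: $(audit_sshd "$tmp/appended.conf" "$banner")"   # VULNERABLE
echo "fixed.conf:    $(audit_sshd "$tmp/fixed.conf" "$banner")"      # mitigated
```

On a real host, run it against /etc/ssh/sshd_config with the banner from `ssh -V 2>&1`; a "mitigated" verdict still leaves the upgrade to 3.4 as the proper fix.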

Operating systems that include OpenSSH include:
Debian Linux
SuSE Linux
Red Hat Linux
Mandrake Linux
Caldera OpenLinux
MacOS X Version 10.1
HP Procurve Switch 4108GL and 2524/2512
Sun Solaris 9 (named SunSSH)
