TechTarget

Security alert: Unix at risk from secure login system flaw

Unix users have been urged to disable the OpenSSH secure login system to prevent a potential attack that could take over the entire operating system.

Internet Security Systems (ISS) has uncovered a vulnerability within the "challenge-response" authentication mechanism in the OpenSSH secure login feature, which is used in a number of Unix operating systems including OpenBSD, FreeBSD and NetBSD.

Some Linux and commercial Unix operating systems also include the feature, which was designed to reduce hacking attacks.

The SSH2 protocol verifies a user's identity by generating a challenge and forcing the user to supply a number of responses. However, a flaw in OpenSSH versions 2.9.9 to 3.3 means it is possible for a remote attacker to send a specially crafted reply that would trigger a buffer overflow, ISS warned.

ISS believes such an attack could result in a remote denial of service attack on the OpenSSH system or a complete compromise of the system.

Since the OpenSSH server runs with super user privilege, ISS said remote attackers could gain super user access by exploiting this vulnerability. ISS has provided a tool for detecting potentially vulnerable installations of OpenSSH, which is available from the ISS Download Center at www.iss.net/download.

OpenSSH, the organisation that oversees development of the software, is urging users to upgrade to the latest 3.4 release immediately. In the short term it has advised users to disable "ChallengeResponseAuthentication" in the sshd_config configuration file.
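A defender's check for the upgrade and workaround described above, added here as an example (not code from ISS, OpenSSH or this article): it pulls the version out of an `ssh -V` banner, tests it against the 2.9.9 to 3.3 range, and reads the effective ChallengeResponseAuthentication value from an sshd_config file, treating an unset option as the compiled-in default of yes. The banner format and the /etc/ssh/sshd_config path are assumptions.

```shell
#!/bin/sh
# Added check, not from the ISS advisory or the OpenSSH project: flags an
# OpenSSH build in the affected 2.9.9 .. 3.3 range and reports whether the
# sshd_config workaround (ChallengeResponseAuthentication no) is in place.

# Pull the version token out of a line of `ssh -V` output, e.g.
# "OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" -> "3.3p1".
openssh_version_from_banner() {
    v=${1#*OpenSSH_}
    printf '%s\n' "${v%%[ ,]*}"
}

# True (exit 0) when the version lies in 2.9.9 .. 3.3 inclusive. Portable
# build suffixes such as "p1" are ignored; versions are compared as
# major*10000 + minor*100 + patch.
openssh_version_affected() {
    v=${1%%p*}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    n=$((major * 10000 + minor * 100 + patch))
    if [ "$n" -ge 20909 ] && [ "$n" -le 30300 ]; then
        return 0
    fi
    return 1
}

# Print the effective ChallengeResponseAuthentication value from an sshd_config.
# sshd uses the first occurrence of a keyword, keywords are case-insensitive,
# and commented-out lines do not count. The compiled-in default is "yes", so a
# file that never sets the option leaves the vulnerable code path reachable.
# Only global directives are read (no Match-block handling).
challenge_response_setting() {
    val=$(awk '$1 !~ /^#/ &&
               tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'yes\n'
    fi
}

# Usage against a live host (assumed config path; ssh -V writes to stderr):
#   ver=$(openssh_version_from_banner "$(ssh -V 2>&1)")
#   if openssh_version_affected "$ver" &&
#      [ "$(challenge_response_setting /etc/ssh/sshd_config)" != no ]; then
#       echo "OpenSSH $ver: affected and workaround not applied; upgrade to 3.4"
#   fi
```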

Operating systems that include OpenSSH include:
OpenBSD
Debian Linux
FreeBSD
SuSE Linux
Red Hat Linux
Mandrake Linux
BSDi BSD/OS
NetBSD
Caldera OpenLinux
MacOS X Version 10.1
HP Procurve Switch 4108GL and 2524/2512
IBM AIX
Sun Solaris 9 (named SunSSH)
