Security alert: Unix at risk from secure login system flaw


Cliff Saran
Unix users have been urged to disable the OpenSSH secure login system to prevent a potential attack that could take over the entire operating system.

Internet Security Systems (ISS) has uncovered a vulnerability in the "challenge-response" authentication mechanism of the OpenSSH secure login feature, which is used in a number of Unix operating systems including OpenBSD, FreeBSD and NetBSD.

Some Linux and commercial Unix operating systems also include the feature, which was designed to reduce hacking attacks.

The SSH2 protocol verifies a user's identity by generating a challenge and forcing the user to supply a number of responses. However, a flaw in OpenSSH versions 2.9.9 to 3.3 means it is possible for a remote attacker to send a specially crafted reply that would trigger a buffer overflow, ISS warned.

ISS believes such an attack could result in a remote denial of service attack on the OpenSSH system or a complete compromise of the system.

Since the OpenSSH server runs with super user privilege, ISS said a remote attacker could gain super user access by exploiting this vulnerability. ISS has provided a tool for detecting potentially vulnerable installations of OpenSSH, which is available from the ISS Download Center at www.iss.net/download.

OpenSSH, the organisation that oversees development of the software, is urging users to upgrade to the latest 3.4 release immediately. In the short term it has advised users to disable "ChallengeResponseAuthentication" in the sshd_config configuration file.
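
An added check, not from the article or from the OpenSSH project, that reports the effective ChallengeResponseAuthentication setting of an sshd_config file. It assumes two sshd rules of that era: the first occurrence of a keyword wins, and the setting defaults to "yes" when the keyword is absent, so a file that never mentions it is still exposed; the sample configs are constructed for the demonstration.

```shell
# Print the effective ChallengeResponseAuthentication value ("yes" or "no")
# for the sshd_config given as $1. sshd uses the FIRST value it reads for a
# keyword, and the built-in default is "yes" when the keyword is absent.
challenge_response_state() {
    state=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # skip comments and blank lines
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); exit                        # first value wins
        }' "$1")
    if [ -n "$state" ]; then
        printf '%s\n' "$state"
    else
        printf 'yes\n'                                     # keyword absent: sshd default
    fi
}

# Constructed sample configs (assumed content, not taken from any real host).
sample_dir=$(mktemp -d)
cat > "$sample_dir/default.conf" <<'EOF'
# keyword absent: sshd falls back to its built-in default of yes
PermitRootLogin no
EOF
cat > "$sample_dir/shadowed.conf" <<'EOF'
ChallengeResponseAuthentication yes
# the later "no" never takes effect because the first value is used
ChallengeResponseAuthentication no
EOF
cat > "$sample_dir/mitigated.conf" <<'EOF'
  # leading whitespace and mixed case are accepted by sshd
  challengeresponseauthentication NO
EOF

for f in default shadowed mitigated; do
    printf '%s: ChallengeResponseAuthentication=%s\n' \
        "$f" "$(challenge_response_state "$sample_dir/$f.conf")"
done
```

Only the third file actually carries the workaround; the other two still leave the challenge-response path enabled.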

Operating systems that include OpenSSH include:
OpenBSD
Debian Linux
FreeBSD
SuSE Linux
Red Hat Linux
Mandrake Linux
BSDi BSD/OS
NetBSD
Caldera OpenLinux
MacOS X Version 10.1
HP Procurve Switch 4108GL and 2524/2512
IBM AIX
Sun Solaris 9 (named SunSSH)
