Internet Security Systems (ISS) has uncovered a vulnerability within the "challenge-response" authentication mechanism in the OpenSSH secure login feature, which is used in a number of Unix operating systems including OpenBSD, FreeBSD and NetBSD.
Some Linux and commercial Unix operating systems also include the feature, which was designed to reduce hacking attacks.
The SSH2 protocol verifies a user's identity by generating a challenge and forcing the user to supply a number of responses. However, a flaw in OpenSSH versions 2.9.9 to 3.3 means it is possible for a remote attacker to send a specially crafted reply that would trigger a buffer overflow, ISS warned.
ISS believes such an attack could result in a remote denial of service attack on the OpenSSH system or a complete compromise of the system.
Since the OpenSSH server runs with super user privilege, ISS said a remote attacker could gain super user access by exploiting this vulnerability. ISS has provided a tool for detecting potentially vulnerable installations of OpenSSH, which is available from the ISS Download Center at www.iss.net/download.
OpenSSH, the organisation that oversees development of the software, is urging users to upgrade to the latest 3.4 release immediately. In the short term it has advised users to disable "ChallengeResponseAuthentication" in the sshd_config configuration file.
Operating systems that ship with OpenSSH include:
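As an added illustration (not the ISS detection tool and not OpenSSH project code), the following sketch checks a server banner against the 2.9.9 to 3.3 range given above and reads the effective "ChallengeResponseAuthentication" setting from sshd_config text. The function names, the sample banner and the sample config are constructed for this example; it assumes that the first occurrence of a keyword wins and that the option is enabled when absent.

```python
import re

# Range stated in the article: OpenSSH 2.9.9 to 3.3 affected, 3.4 fixed.
FIRST_AFFECTED = (2, 9, 9)
FIXED_IN = (3, 4, 0)
KEYWORD = "challengeresponseauthentication"

def parse_openssh_version(banner):
    """Return (major, minor, patch) from text like 'OpenSSH_3.2.3p1', else None."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?", banner)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def challenge_response_enabled(config_text):
    """Effective setting of ChallengeResponseAuthentication in sshd_config text.

    Assumptions: keyword is case-insensitive, the first occurrence wins,
    and an absent keyword means the feature is enabled.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.replace("=", " ", 1).split()
        if len(tokens) > 1 and tokens[0].lower() == KEYWORD:
            # Anything other than an explicit "no" is treated as enabled.
            return tokens[1].strip('"').lower() != "no"
    return True

def assess(banner, config_text):
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"           # e.g. a vendor build with its own banner
    if not FIRST_AFFECTED <= version < FIXED_IN:
        return "outside-range"
    if challenge_response_enabled(config_text):
        return "affected-enabled"  # upgrade to 3.4 or disable the option
    return "affected-workaround"   # workaround set; upgrade still advised

# Constructed sample inputs, not taken from a real host.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_3.2.3p1"
SAMPLE_CONFIG = """\
Port 22
# ChallengeResponseAuthentication no
PermitRootLogin no
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

The sample config reports the option as enabled because the only line that mentions it is commented out, which is the case a quick text search for "no" would miss.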
Red Hat Linux
MacOS X Version 10.1
HP Procurve Switch 4108GL and 2524/2512
Sun Solaris 9 (named SunSSH)