CERT Advisory CA-2002-18 OpenSSH Vulnerabilities...

[z0s0]

Enough to strike fear into the hearts of sysadmin's worldwide...

Full text available from
http://www.cert.org/advisories/CA-2002-18.html
___________________________________________________
Systems Affected

* OpenSSH versions 2.3.1p1 through 3.3

Overview

There are two related vulnerabilities in the challenge response
handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow
a remote intruder to execute arbitrary code as the user running sshd
(often root). The first vulnerability affects OpenSSH versions 2.9.9
through 3.3 that have the challenge response option enabled and that
use SKEY or BSD_AUTH authentication. The second vulnerability affects
PAM modules using interactive keyboard authentication in OpenSSH
versions 2.3.1p1 through 3.3, regardless of the challenge response
option setting. Additionally, a number of other possible security
problems have been corrected in OpenSSH version 3.4.


See http://www.cert.org/advisories/CA-2002-18.html

[qslack]

I upgraded to the latest OpenSSH version as soon as I heard of this. It looks like a pretty scary vulnerability. Remote root.

What's more interesting is Theo de Raadt's handling of the situation. He just said "upgrade", and didn't say why. No details of the vulnerability were released, we were just blindly told to upgrade. Theo can be a bit weird but he makes great software. I've been a happy OpenBSD user for 2 years.

[Karl]

There's a good reason for just saying upgrade, it's much better than the farce that happend with ISS and the Apache vuln. where everyone knew about it before a patch was released.