CERTA-2003-AVI-152
Vulnerability from certfr_avis - Published: - Updated:
Bugs have been discovered in the code of the OpenSSH sshd server. They introduce a risk of remote arbitrary code execution.
Description
Improper handling of buffer memory allocation can produce an inconsistent state that could be exploited to cause a memory overflow under very specific conditions. The code review that followed led to further fixes to buffer allocation and deallocation.
Temporary workaround
Restrict the IP addresses allowed to connect to the server to a list of machines considered trusted.
Solution
Update OpenSSH.
- Source code (version 3.7.1p2 at minimum):
  http://www.openssh.com
- Red Hat Linux:
  https://rhn.redhat.com/errata/RHSA-2003-279.html
  https://rhn.redhat.com/errata/RHSA-2003-280.html
- Mandrake Linux:
  http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:090-1
- Debian GNU/Linux:
  http://www.debian.org/security/2003/dsa-382
  http://www.debian.org/security/2003/dsa-383
- SuSE Linux:
  http://www.suse.com/de/security/2003_039_openssh.html
- Slackware Linux:
  http://slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.373294
- Sun Solaris:
  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861
- HP-UX:
  http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0309-282
- SGI Irix:
  ftp://patches.sgi.com/support/free/security/advisories/20030904-01-P.asc
- Sun:
  - Solaris:
    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861
  - Linux and Cobalt:
    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56862
- FreeBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc
- NetBSD:
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.txt.asc
- OpenBSD:
  http://openbsd.org/errata.html#sshbuffer
- Cisco:
  http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml
- Netscreen:
  http://www.netscreen.com/services/security/alerts/openssh_1.jsp
Any system using OpenSSH in a version up to and including 3.7.
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cP\u003eTout syst\u00e8me utilisant \u003cSPAN class=\"textit\"\u003eOpenSSH\u003c/SPAN\u003e dans une version ant\u00e9rieure et incluant la 3.7.\u003c/P\u003e",
"content": "## Description\n\nUne mauvaise gestion dans l\u0027allocation m\u00e9moire des tampons peut g\u00e9n\u00e9rer\nun \u00e9tat incoh\u00e9rent qui pourrait \u00eatre exploit\u00e9 pour r\u00e9aliser un\nd\u00e9bordement de m\u00e9moire dans des conditions bien particuli\u00e8res. La revue\ndu code cons\u00e9cutive a donn\u00e9 lieu \u00e0 d\u0027autres corrections sur la\nlib\u00e9ration ou l\u0027allocation des tampons.\n\n## Contournement provisoire\n\nRestreindre \u00e0 une liste de machines consid\u00e9r\u00e9es comme s\u00fbres, les\nadresses IP autoris\u00e9es \u00e0 se connecter au serveur.\n\n## Solution\n\nMettre \u00e0 jour OpenSSH.\n\n- Code source (version 3.7.1p2 au moins) :\n\n http://www.openssh.com\n\n- Linux Red Hat :\n\n https://rhn.redhat.com/errata/RHSA-2003-279.html\n\n https://rhn.redhat.com/errata/RHSA-2003-280.html\n\n- Mandrake Linux :\n\n http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:090-1\n\n- Debian GNU/Linux :\n\n http://www.debian.org/security/2003/dsa-382\n\n http://www.debian.org/security/2003/dsa-383\n\n- SuSE Linux :\n\n http://www.suse.com/de/security/2003_039_openssh.html\n\n- Slackware Linux :\n\n http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2003\u0026m=slackware-security.373294\n\n- Sun Solaris :\n\n http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861\n\n- HP-UX :\n\n http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0309-282\n\n- SGI Irix :\n\n ftp://patches.sgi.com/support/free/security/advisories/20030904-01-P.asc\n\n- Sun :\n - Solaris :\n\n http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861\n\n - Linux et Cobalt :\n\n http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56862\n\n- FreeBSD :\n\n ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc\n\n- NetBSD :\n\n ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.txt.asc\n\n- OpenBSD :\n\n 
http://openbsd.org/errata.html#sshbuffer\n\n- Cisco :\n\n http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml\n\n- Netscreen :\n\n http://www.netscreen.com/services/security/alerts/openssh_1.jsp\n",
"cves": [],
"links": [
{
"title": "Avis du CERT/CC :",
"url": "http://www.kb.cert.org/vuls/id/333628"
},
{
"title": "Avis du CERT/CC :",
"url": "http://www.cert.org/advisories/CA-2003-24.html"
}
],
"reference": "CERTA-2003-AVI-152",
"revisions": [
{
"description": "version initiale ;",
"revision_date": "2003-09-17T00:00:00.000000"
},
{
"description": "mise \u00e0 jour des documents des vendeurs, ajouts de Sun, Cisco et Netscreen ;",
"revision_date": "2003-09-24T00:00:00.000000"
},
{
"description": "ajouts de HP, SGI, Sun.",
"revision_date": "2003-10-01T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution distante de code arbitraire avec les privil\u00e8ges du service sshd (g\u00e9n\u00e9ralement root )"
},
{
"description": "D\u00e9ni de service"
}
],
"summary": "Des bogues ont \u00e9t\u00e9 d\u00e9couverts dans le code du serveur \u003cspan\nclass=\"textit\"\u003esshd\u003c/span\u003e d\u0027\u003cspan class=\"textit\"\u003eOpenSSH\u003c/span\u003e. Il\ninduit un risque d\u0027ex\u00e9cution de code arbitraire \u00e0 distance.\n",
"title": "Vuln\u00e9rabilit\u00e9 du serveur OpenSSH",
"vendor_advisories": [
{
"published_at": null,
"title": "Avis de s\u00e9curit\u00e9 OpenSSH",
"url": "http://www.openssh.com/txt/buffer.adv"
}
]
}