OpenSSH hits the fan

A serious vulnerability in default installation of OpenSSH on the OpenBSD operating system has come to light.

A vulnerability exists within the "challenge-response" authentication mechanism in the OpenSSH daemon (sshd), according to an alert issued today by Internet Security Systems.

This mechanism, part of the SSH2 protocol, verifies a user's identity by generating a challenge and forcing the user to supply a number of responses.

However this mechanism is flawed in OpenSSH version 3.3 - it's possible for a remote attacker to send a specially-crafted reply that triggers an overflow.

According to ISS, this can result in a remote denial of service attack on the OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs with superuser privilege, so remote attackers can gain superuser access.

Worse still, the vulnerability is being "actively exploited".

ISS recommends upgrade to OpenSSH version 3.4 immediately. As a workaround, BOFHs might also consider disabling unused OpenSSH authentication mechanisms.

OpenSSH is a free version of the SSH (Secure Shell) communications suite and is used as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and Ftp.

You can find more information about the problem here, and details of vendors which implement OpenSSH here. ®