[security-announce] Globus Security Advisory 2007-02: GSI-OpenSSH vulnerability



Globus Security Advisory 2007-02: GSI-OpenSSH vulnerability

Original issue date: April 9 2007
Last revised: None

Software affected: Globus Toolkit releases 4.0.0-4.0.3 and 4.1.0-4.1.1
                   GSI-OpenSSH releases 3.8 and earlier

Specific packages: gsi_openssh

Note: Globus Toolkit 4.0.4 includes GSI-OpenSSH 3.9 which is not
      affected.  Globus Toolkit 3.2 and earlier did not include
      GSI-OpenSSH, but GSI-OpenSSH may have been installed as an add-on
      package.

Overview:

A signal handler race condition in OpenSSH versions prior to 4.4 allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code:

  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5051

Additionally, sshd in OpenSSH versions prior to 4.4, when using the
version 1 SSH protocol, allows remote attackers to cause a denial of
service (CPU consumption) via an SSH packet that contains duplicate
blocks, which is not properly handled by the CRC compensation attack
detector:

  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4924

I. Description

According to the OpenSSH 4.4 release notes
(http://openssh.org/txt/release-4.4), a signal handler in prior OpenSSH
releases is "vulnerable to a race condition that could be exploited to
perform a pre-authentication denial of service," and "this vulnerability
could theoretically lead to pre-authentication remote code execution,"
"but the likelihood of successful exploitation appears remote."

II. Impact

A remote attacker may cause a denial of service or execute arbitrary code.

III. Solution

GSI-OpenSSH 3.9, based on OpenSSH 4.5p1, is available for download
from:

  http://grid.ncsa.uiuc.edu/ssh/download.html

This GSI-OpenSSH release includes the signal handler race condition fix
and disables the SSH version 1 protocol by default.  GSI authentication
is performed over the SSH version 2 protocol.

We recommend that sites running GSI-OpenSSH servers version 3.8 and
earlier upgrade to GSI-OpenSSH 3.9.

Upgrade instructions are available at:

  http://grid.ncsa.uiuc.edu/ssh/install.html

Use 'gsissh -V' or 'gpt-query gsi_openssh' to determine your installed GSI-OpenSSH version:

  $ gsissh -V
  OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, OpenSSL 0.9.7d 17 Mar 2004
  $ gpt-query gsi_openssh
  1 package was found in /usr/local/gt-4.0.3 that matched your query:

  packages found that matched your query
        gsi_openssh-gcc64dbg-pgm pkg version: 3.7.0 software version:
        GSI-OpenSSH 3.7 / OpenSSH 4.2p1

To determine the version of a GSI-OpenSSH server, run:
  for Bourne shells:
    gsissh -v hostname exit 2>&1 | grep "remote software version"
  for C shells:
    gsissh -v hostname exit |& grep "remote software version"
  (replacing hostname with the hostname of the remote server.)
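
The following script is an added example, not part of the original advisory or of GSI-OpenSSH. It classifies the output of the version checks above against the affected ranges stated in this advisory. It assumes the GSI-OpenSSH release appears as NCSA_GSSAPI_GPT_<major>.<minor>, as in the sample output above; the function names and the second and third sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a version banner as affected or not.
# Assumption: the GSI-OpenSSH release is tagged NCSA_GSSAPI_GPT_<major>.<minor>,
# as in the advisory's sample output; the 3.9 banner below is constructed.

# extract_ver PREFIX TEXT -> prints "major minor" following PREFIX, or nothing
extract_ver() {
    printf '%s\n' "$2" |
        sed -n "s/.*$1\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p" | head -n 1
}

# older_than MAJ MIN REFMAJ REFMIN -> true when MAJ.MIN < REFMAJ.REFMIN
older_than() {
    [ "$1" -lt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -lt "$4" ]; }
}

# classify_banner TEXT -> prints affected, not-affected or unknown
classify_banner() {
    v=$(extract_ver 'NCSA_GSSAPI_GPT_' "$1")
    if [ -n "$v" ]; then
        # GSI-OpenSSH 3.8 and earlier are affected; 3.9 includes the fix.
        if older_than "${v% *}" "${v#* }" 3 9; then echo affected; else echo not-affected; fi
        return 0
    fi
    v=$(extract_ver 'OpenSSH_' "$1")
    if [ -n "$v" ]; then
        # No GSI tag: judge by the OpenSSH base (affected prior to 4.4).
        # A vendor build may carry a backported fix, so treat this as a hint.
        if older_than "${v% *}" "${v#* }" 4 4; then echo affected; else echo not-affected; fi
        return 0
    fi
    echo unknown
}

# First banner is the advisory's sample; the other two are constructed.
for b in \
    'OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, OpenSSL 0.9.7d 17 Mar 2004' \
    'OpenSSH_4.5p1 NCSA_GSSAPI_GPT_3.9 GSI' \
    'debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3'
do
    printf '%-13s %s\n' "$(classify_banner "$b")" "$b"
done
```

To check a live installation, pass it the command output, for example: classify_banner "$(gsissh -V 2>&1)"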

SHA1 checksums:
a79e716c0c5eaf8445efc5f091040fbbc0e5ea4f  gsi_openssh-3.9-src.tar.gz
aa12e6118e92c9501088060d8fec862e1dbe114f  gsi_openssh_bundle-3.9-src.tar.gz
e6c43cbcf1aa3a0b335c60aac892a778587bc5e5  gsi_openssh_compat-3.9-src.tar.gz
5fb3bcfcb0829554c961e148cb64a4cece76bc96  gsi_openssh_setup-3.9-src.tar.gz

MD5 checksums:
62662a6fb1c60f01e70a0ef810b327e5  gsi_openssh-3.9-src.tar.gz
0478bd00b9679234223f9ef117256c5f  gsi_openssh_bundle-3.9-src.tar.gz
893557d99ef57d5eefa399e85fd3df5c  gsi_openssh_compat-3.9-src.tar.gz
58337fe5c4fddb12e015b449f848639e  gsi_openssh_setup-3.9-src.tar.gz