Stonesoft Corp. Security Advisory

Date: Sep 19, 2003
Title: OpenSSH buffer management vulnerability
Refs: Debian: DSA-382, DSA-383
Cert: CA-2003-24, VU#333628
CVE: CAN-2003-0693

The information contained in this advisory is provided on an as-is basis. Stonesoft does not make any warranties of any kind with respect to the information contained in this advisory. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL STONESOFT, CORP. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.


1. Overview

OpenSSH prior to version 3.7.1 has a vulnerability in its buffer management function that may permit a denial-of-service attack. The vulnerability may also enable a remote attacker to execute arbitrary code.

2. StoneGate

The vulnerable version of OpenSSH is included in the StoneGate engine. The vulnerable SSH daemon is not running by default. The default firewall rule base does not allow anyone to connect to the SSH service.

All StoneGate engines up to and including version 2.2.1 include the vulnerable OpenSSH. A new version of StoneGate that fixes this vulnerability will be available in the first week of October 2003. The new version will be available for download from Stonesoft's web site at www.stonesoft.com. All customers with valid support and maintenance contracts will be notified.

Recommended Actions:

Stonesoft recommends that all StoneGate users limit access to the firewall SSH service. The service should be turned off on all firewall engines where it is not needed. On firewall engines where the service is needed, the firewall rule base should be configured to allow SSH connections only from trusted IP addresses. In cases where the IP addresses can be easily spoofed, the firewall can be configured to require a separate user authentication before a connection to the firewall's SSH service is allowed.

All StoneGate users are encouraged to upgrade their StoneGate engines to the new version as soon as it is available. For the Intel and S390 platforms, version 2.2.2 will fix the vulnerability. For the SPARC platform, the fixed version will be 2.0.11.
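The following is an added example, not part of Stonesoft's advisory: a Python triage helper that parses SSH identification strings collected from your own hosts and flags OpenSSH releases earlier than 3.7.1, the threshold given in the Overview. The host names and banners are constructed, and because a banner reports only the upstream version, vendor-patched packages (such as the Debian updates referenced above) can still show an older number, so a flagged host is marked "review" rather than "vulnerable".

```python
import re

FIXED = (3, 7, 1)  # first OpenSSH release the advisory lists as not affected

# SSH identification string: SSH-protoversion-softwareversion [comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")
OPENSSH_RE = re.compile(r"^OpenSSH[_-](?P<ver>\d+(?:\.\d+){1,2})(?:p\d+)?")


def parse_openssh_version(banner):
    """Return the OpenSSH version as a 3-tuple, or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    s = OPENSSH_RE.match(m.group("software"))
    if not s:
        return None
    parts = [int(p) for p in s.group("ver").split(".")]
    parts += [0] * (3 - len(parts))  # "3.7" compares as (3, 7, 0)
    return tuple(parts)


def classify(banner):
    """Return 'review', 'ok' or 'unknown' for one identification string."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"  # not OpenSSH, or not an SSH banner at all
    return "review" if version < FIXED else "ok"


# Constructed sample inventory (host -> banner), not real scan data.
SAMPLE = {
    "fw-a": "SSH-1.99-OpenSSH_3.4p1",
    "fw-b": "SSH-2.0-OpenSSH_3.7.1p2",
    "fw-c": "SSH-2.0-OpenSSH_3.7",
    "fw-d": "SSH-2.0-ExampleSSHD_1.0",
}


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(b) for host, b in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as "review" are the ones where the SSH service should be restricted or disabled until the package or engine version is confirmed fixed.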

3. Appendices

Stonesoft Security Analysis Group's PGP key is available at: ftp://download.stonesoft.com/web/Support/Stonesoft%20Security%20Alert.asc

To report or inquire about a security problem with Stonesoft software, contact one or more of the following:

  • Stonesoft Support
  • Stonesoft Security Analysis Group. Send email to: security-alert@stonesoft.com

Copyright 2003 Stonesoft, Corp. All rights reserved.

Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft, Corp. in Finland and other countries. All other company and product names contained herein are property of their respective holders. This advisory may be reproduced and distributed only in its unaltered form and only for non-commercial purposes.

