First of August 2011 was the date when I decided to publish advisory about vulnerability in OpenSSH daemon. If someone read carefully advisory he will discover this bug was found in 2008. It took me quite a long time to publish details about vulnerability. I did it from a few reasons; at first I didn’t have a time to analyse details and bug was promising (pre-authentication). In this case advisory will never be public. Problem exists in GSSAPI module (native in OpenSSH source code). I checked many packages in many systems and it seems this method of authentication (gssapi-with-mic) is enabled by default in most of them. Everything was looking very promising 😉 After some months I returned to that problem and discovered that vulnerability is _EXACTLY_ after authentication (one call) so (un)fortunately this is post-authentication bug. Next I tried to find some other way to exploit it. Again I was starting to be busy and drop this project. Because of that finally I published the advisory maybe someone else is interesting to play with that. More information can be found here and here 🙂
I’m writing this post because I’m happy to inform that my research officially got Common Vulnerabilities and Exposures (CVE) number (CVE-2011-5000).
The latest version of OpenSSH has fix for this problem and can be found here. Fix exists only in the original source code but usually NOT in the official packages of popular systems (f.ex. like RedHat – more info here). Problem was solved by Markus Friedl and I would like to thank him for cooperation 🙂
Best regards,
Adam
Comments
Leave a Reply
Leo on 08.16.2012
Hi Adam,
Can I upgrade from openssh 5.8 to 5.9 or 6.0 to fix this bug?
thanks//leo
admin on 08.16.2012
5.9 is safe but I always recommend to upgrade to latest version 😉