-----BEGIN PGP SIGNED MESSAGE----- Internet Security Systems Security Brief September 16, 2003
OpenSSH Memory Corruption Vulnerability Synopsis: ISS X-Force has discovered a flaw in the OpenSSH server developed by the OpenBSD Project. OpenSSH is a freely available open source Secure Shell daemon which allows encrypted communications over networks. A flaw exists in the way OpenSSH handles buffer manipulation when dealing with very large packets resulting in a buffer overflow condition. Impact: When an unusually large packet is encountered, the OpenSSH daemon incorrectly cleans up its globally allocated buffers. This leads to heap corruption, however the possibility for remote code execution is yet unproven. There are unconfirmed rumors that there is an exploit in the wild for this vulnerability. OpenSSH is the default remote login solution distributed with most Unix- like operating systems. OpenSSH is also relied upon to provide secure communications between network administrators and network appliances, routers, and switches. Given the wide distribution of OpenSSH across multiple operating systems and architectures, it is possible that this vulnerability is exploitable in at least some cases. Affected Versions: OpenSSH versions up to and including 3.6.1, as well as the portable version of OpenSSH For the complete ISS X-Force Security Advisory, please visit: http://xforce.iss.net/xforce/alerts/id/144 ______ About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email [EMAIL PROTECTED] for permission. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php Please send suggestions, updates, and comments to: X-Force [EMAIL PROTECTED] of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBP2dxFDRfJiV99eG9AQEC2wP/ZCiunSBbVwhL7JdEzuvQl7ZhDLkoY0Pz td+r7ANhNq8E8Sb5X07eWZEzOAHOk2bm7Oc3zRa8LV10Q7NX2wjKiqd/ImwNPm8k R/lTVL8POHbj6qg8jrq4iD9ryYhLyUaA8K83MAxcFL8Gg+dY1m3JpvFsdNLoHcAX vWBGMXeyQl8= =/S4n -----END PGP SIGNATURE----- _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
