(NetScreen Issues Fix for NetScreen-IDP) Re: OpenSSH buffer_append_space() and Other Buffer Management Errors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1007767
SecurityTracker URL: http://securitytracker.com/id/1007767
CVE Reference: CAN-2003-0693, CAN-2003-0695, CAN-2003-0682
Updated: Dec 10 2003
Original Entry Date: Sep 20 2003
Impact:
Execution of arbitrary code via network, Root access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): IDP 2.1
Description:
Several buffer management vulnerabilities were reported in OpenSSH. A remote user may be able to execute arbitrary code on the target system. The NetScreen-IDP appliance uses OpenSSH and, therefore, is affected.
It is reported that there are potentially exploitable buffer management errors in OpenSSH in the buffer_append_space(), buffer_init(), and buffer_free() functions in 'buffer.c'. A similar flaw resides in 'channels.c', the report said (CAN-2003-0693 and CAN-2003-0695). The flaws affect version 3.7 and prior versions. The vendor reports that it is not certain if these flaws are exploitable or not.
Solar Designer has reportedly identified four additional similar bugs as the result of a review of the OpenSSH 3.6.1p2 source code for potentially incorrect uses of *realloc(). According to Solar Designer, two of the bugs are in 'sshd'. Of those two bugs, one reportedly cannot be triggered in the current code, and the other occurs after the authentication process. Solar Designer believes that none of the four bugs should give an unauthenticated shell via sshd, not even in cases where 'privsep' is not used. CVE has assigned CAN-2003-0682 to these four bugs. These four bugs have *not* been fixed in version 3.7.1, but have been fixed in the OpenBSD CVS and will be included in the next release of OpenSSH. These four additional bugs are reportedly not considered to present a security risk.
Impact:
The report indicated that it is not known whether the flaws are exploitable. If exploitable, a remote user may be able to execute arbitrary code. The report did not indicate what privileges the code would execute with and whether or not privilege separation provides protection against possible root exploitation.
Solution:
NetScreen has issued a fix for the SSH service used by NetScreen-IDP, available at:
https://www.netscreen.com/cso
For installation instructions, see the NetScreen Advisory 57961:
http://www.netscreen.com/services/security/alerts/openssh_1.jsp
Vendor URL: www.netscreen.com/services/security/alerts/openssh_1.jsp
Cause:
Boundary error
Underlying OS:
Message History:
This archive entry is a follow-up to the message listed below.