SecurityTracker.com
Category:   Application (Security)  >   OpenSSH
Vendors:   OpenSSH.org
(SGI Issues Fix) OpenSSH scp Directory Traversal Flaw Lets Remote SSH Servers Overwrite Files in Certain Cases
SecurityTracker Alert ID:  1012058
SecurityTracker URL:  http://securitytracker.com/id/1012058
CVE Reference:   CAN-2004-0175
Date:  Nov 3 2004
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 3.4p1
Description:   An input validation vulnerability was reported in 'scp' in OpenSSH. A remote SSH server can overwrite arbitrary files on the target system in certain situations.

In CLSA-2004:831 (March 2004), Conectiva reported that scp is affected by a directory traversal vulnerability. The same flaw (or a similar flaw) was originally reported by Michal Zalewski in September 2000 as affecting sshd version 1.2.x [CVE: CVE-2000-0992] and was fixed.

The newly reported vulnerability affects OpenSSH versions prior to 3.4p1.

A malicious SSH server can cause files to be written to arbitrary locations on the target user's system when the target user invokes scp against the malicious SSH server.
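
The check a receiving scp client needs against this class of flaw, as an added example (not OpenSSH's or SGI's code). In the scp/rcp transfer protocol the sending side names each file in a control record such as "C0644 1234 notes.txt", so the client must treat that name as untrusted and accept only a single path component. The record layout is stated from the protocol rather than from this page, and the struct and function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One control record: 'C' (file) or 'D' (directory), mode, size, name. */
struct scp_record { char type; unsigned mode; long size; char name[256]; };

/* Safe = non-empty single path component: no '/', not "." or "..".
 * (Rejecting "." and empty names is a stricter choice made for this example.) */
int scp_name_is_safe(const char *name)
{
    if (name[0] == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strchr(name, '/') == NULL;
}

/* Parse one control line (no trailing newline). Returns 0 on success,
 * -1 if the line is malformed or the sender-supplied name is unsafe. */
int scp_parse_record(const char *line, struct scp_record *out)
{
    char *end;
    long size;
    int i;
    if (line[0] != 'C' && line[0] != 'D')
        return -1;
    for (i = 1; i <= 4; i++)               /* exactly four octal mode digits */
        if (line[i] < '0' || line[i] > '7')
            return -1;
    if (line[5] != ' ' || line[6] < '0' || line[6] > '9')
        return -1;
    errno = 0;
    size = strtol(line + 6, &end, 10);
    if (errno != 0 || *end != ' ')
        return -1;
    if (strlen(end + 1) >= sizeof(out->name) || !scp_name_is_safe(end + 1))
        return -1;                         /* name too long or escapes target dir */
    out->type = line[0];
    out->mode = (unsigned)strtoul(line + 1, NULL, 8);
    out->size = size;
    strcpy(out->name, end + 1);
    return 0;
}

int main(void)
{   /* Constructed sample records, not captured traffic. */
    const char *lines[] = { "C0644 1234 notes.txt", "C0644 20 ../outside.txt", "D0755 0 .." };
    struct scp_record r;
    for (size_t i = 0; i < 3; i++)
        printf("%-26s -> %s\n", lines[i], scp_parse_record(lines[i], &r) ? "rejected" : "accepted");
    return 0;
}
```
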

Impact:   A remote server can cause files to be written to arbitrary locations on the target user's system when the target user invokes scp against the remote server.
Solution:   SGI has issued a fix as part of IRIX 6.5.25.

SGI has also issued the following patches:

IRIX 6.5.20m 5535
IRIX 6.5.20f 5535
IRIX 6.5.21m 5536
IRIX 6.5.21f 5536
IRIX 6.5.22m 5533
IRIX 6.5.23m 5533
IRIX 6.5.24m 5533

The patches are available at:

http://www.sgi.com/support/security/
ftp://patches.sgi.com/support/free/security/patches/

Vendor URL:  openssh.org/
Cause:   Access control error, Input validation error
Underlying OS:   UNIX (SGI/IRIX)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 8 2004 OpenSSH scp Directory Traversal Flaw Lets Remote SSH Servers Overwrite Files in Certain Cases



 Source Message Contents

Date:  Wed, 3 Nov 2004 00:43:10 -0500
Subject:  [none]


-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                          SGI Security Advisory

Title:      OpenSSH and OpenSSL vulnerabilities
Number:     20041101-01-P
Date:       November 2, 2004
Reference:  SGI BUG 910579, CVE CAN-2004-0079, CVE CAN-2004-0112
Reference:  SGI BUG 910757, CVE CAN-2004-0175
Fixed in:   Patches 5533, 5535 & 5536
Fixed in:   IRIX 6.5.25
______________________________________________________________________________

SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use.   SGI recommends
that this information be acted upon as soon as possible.

SGI provides the information in this Security Advisory on an "AS-IS"
basis only, and disclaims all warranties with respect thereto, express,
implied or otherwise, including, without limitation, any warranty of
merchantability or fitness for a particular purpose.  In no event shall
SGI be liable for any loss of profits, loss of business, loss of data or
for any indirect, special, exemplary, incidental or consequential damages
of any kind arising from your use of, failure to use or improper use of
any of the instructions or information in this Security Advisory.
_____________________________________________________________________________

- -----------------------
- --- Issue Specifics ---
- -----------------------

It has been reported that OpenSSH and OpenSSL that ship with
IRIX have several security vulnerabilities.

SGI BUG 910579 - Two OpenSSL Denial of Service Vulnerabilities
1. Null-pointer assignment during SSL handshake
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
2. Out-of-bounds read affects Kerberos ciphersuites
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
OpenSSL was upgraded from 0.9.6j to 0.9.7d
http://www.openssl.org/news/secadv_20040317.txt

SGI BUG 910757 - scp directory traversal attack
 Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows
 remote malicious servers to overwrite arbitrary files.
 http://www.securityfocus.com/bid/9986
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175


- ----------------
- --- Solution ---
- ----------------

SGI has provided a series of patches for these vulnerabilities and
recommends that all affected operating systems install the
appropriate patch.

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------

   IRIX 6.5.20m        yes         5535         Notes 1 & 2
   IRIX 6.5.20f        yes         5535         Notes 1 & 2
   IRIX 6.5.21m        yes         5536         Notes 1 & 2
   IRIX 6.5.21f        yes         5536         Notes 1 & 2
   IRIX 6.5.22m        yes         5533         Notes 1 & 2
   IRIX 6.5.23m        yes         5533         Notes 1 & 2
   IRIX 6.5.24m        yes         5533         Notes 1 & 2
   IRIX 6.5.25m         no


   NOTES

     1) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact
        your SGI Support Provider or URL: http://support.sgi.com

     2) Install the required patch(es) based on your operating release.

                ##### Patch File Checksums ####


- ------------------------
- --- Acknowledgments ----
- ------------------------

SGI wishes to thank OpenSSH.org & OpenSSL.org for their
assistance in this matter.


- -------------
- --- Links ---
- -------------
Patches are available via the web, anonymous FTP and from your SGI
service/support provider.

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/ and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/

IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/

The primary SGI anonymous FTP site for security advisories and patches
is patches.sgi.com (216.32.174.211).  Security advisories and patches
are located under the URL ftp://patches.sgi.com/support/free/security/

For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not
do a real-time update.


- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to
security-info@sgi.com.

                      ------oOo------

SGI provides security information and patches for use by the entire SGI
community.  This information is freely available to any person needing
the information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches
is patches.sgi.com (216.32.174.211).  Security advisories and patches
are located under the URL ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email)
all SGI Security Advisories when they are released. Subscribing to the
mailing list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html)
or by sending email to SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d

In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to.  The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.


                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .

                      ------oOo------

If there are general security questions on SGI systems, email can be
sent to security-info@sgi.com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.
A support contract is not required for submitting a security report.

______________________________________________________________________________

      This information is provided freely to all interested parties
      and may be redistributed provided that it is not altered in any
      way, SGI is appropriately credited and the document retains and
      includes its valid PGP signature.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBQYf7r7Q4cFApAP75AQHzQAP/d4+MgPsI0D+sr7mi51/0ZCAul+ovGRzI
zs8lSDECQHtu1oiNa8tDLF47XUs6C7q9PicJ9Wxy+6McBSnNyrKi31NSK/yuX7Rh
ifNCv+9o8hPPUoDa2QnC4xAq04uWG7dx57T4alWSIxxLzXhDeDSkbtUG5Xf28V+H
kkh3NZt1m3c=
=m2/3
-----END PGP SIGNATURE-----
Copyright 2013, SecurityGlobal.net LLC