=====================================================================
                                     CERT-Renater

                          Information Note No. 2007/VULN181
_____________________________________________________________________

DATE                      : 05/04/2007

HARDWARE PLATFORM(S)      : IBM.

OPERATING SYSTEM(S)       : AIX 5.2, 5.3 running OpenSSH 4.3p2.

======================================================================

IBM SECURITY ADVISORY
First Issued: Wed Apr  4 09:05:40 CDT 2007

==========================================================================
                            VULNERABILITY SUMMARY

VULNERABILITY:      Remotely exploitable denial of service vulnerabilities
                     in OpenSSH.

PLATFORMS:          OpenSSH 4.3p2 for AIX 5.2, 5.3

SOLUTION:           Apply the APAR, interim fix or workaround as
                     described below.

THREAT:             A remote attacker may cause a denial of service.

CERT VU Number:     n/a
CVE Number:         CVE-2006-4924 and CVE-2006-5051
==========================================================================
                            DETAILED INFORMATION


I.  Description
===============

IBM provides OpenSSH for AIX. OpenSSH 4.3p2 for AIX is affected by two
remotely exploitable denial of service vulnerabilities. First, CVE-2006-4924
allows a remote attacker to cause CPU consumption when sshd is configured
to allow the SSH version 1 protocol. Second, CVE-2006-5051 allows a remote
attacker to cause sshd to crash. If sshd is configured to allow GSSAPI
based authentication, the attacker may execute arbitrary code.


II. Impact
==========

A remote attacker may cause a denial of service or execute arbitrary code.


III.  Solutions
===============

A. Fix

OpenSSH 4.3p2-r2 for AIX 5.2 and 5.3 is available for download from:

      http://sourceforge.net/projects/openssh-aix/

B. Workaround

A. CVE-2006-4924
sshd uses the Protocol keyword in sshd_config to determine which version of
the SSH protocol to use. To configure sshd to use only version 2 of the SSH
protocol, Protocol should be set to "2".

B. CVE-2006-5051
sshd uses the GSSAPIAuthentication keyword in sshd_config to determine whether
to allow GSSAPI authentication; it is off by default. Ensuring that GSSAPI
authentication is not allowed will prevent a remote attacker from executing
arbitrary code, but the denial of service attack will still be possible.
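The following script, added here as an example and not part of the IBM advisory or of OpenSSH, audits an sshd_config for the two workaround settings above and runs against constructed weak and hardened sample files. It assumes whitespace-separated "keyword value" lines, that the first occurrence of a keyword wins (as sshd does), and that an absent keyword falls back to the OpenSSH 4.3 defaults of Protocol "2,1" and GSSAPIAuthentication "no".

```shell
#!/bin/sh
# Added example, not IBM's or OpenSSH's code. Audits sshd_config for the
# two workarounds in this advisory. Assumed defaults when a keyword is
# absent (OpenSSH 4.3): Protocol "2,1", GSSAPIAuthentication "no".

# Print the effective value of KEY in FILE, or DEFAULT if it is not set.
# Keywords match case-insensitively; comments and blank lines are skipped.
sshd_option() {
    file=$1 key=$2 default=$3
    val=$(awk -v k="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(k) { print $2; exit }' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Report on both workarounds. Returns 0 when FILE mitigates CVE-2006-4924
# and the code-execution path of CVE-2006-5051, 1 otherwise.
audit_sshd_config() {
    file=$1 rc=0
    proto=$(sshd_option "$file" Protocol "2,1")
    case ",$proto," in
        *,1,*) echo "FAIL Protocol=$proto allows SSH-1 (CVE-2006-4924); set 'Protocol 2'"; rc=1 ;;
        *)     echo "OK   Protocol=$proto" ;;
    esac
    gss=$(sshd_option "$file" GSSAPIAuthentication no | tr '[:upper:]' '[:lower:]')
    case $gss in
        yes) echo "FAIL GSSAPIAuthentication=yes (CVE-2006-5051 code execution); set it to 'no'"; rc=1 ;;
        *)   echo "OK   GSSAPIAuthentication=$gss" ;;
    esac
    return $rc
}

# Constructed sample configurations (not real AIX files) for the demo.
sample_config() {
    case $1 in
        weak)     printf '# before the workaround\nProtocol 2,1\nGSSAPIAuthentication yes\n' ;;
        hardened) printf '# after the workaround\nProtocol 2\nGSSAPIAuthentication no\n' ;;
    esac
}

for variant in weak hardened; do
    tmp=$(mktemp)
    sample_config "$variant" > "$tmp"
    echo "== $variant sshd_config =="
    audit_sshd_config "$tmp"
    rm -f "$tmp"
done
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` and check the exit status; a lowercase or mixed-case keyword in the file is matched the same way sshd matches it.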


IV.  Contact Information
========================

If you would like to receive AIX Security Advisories via email, please
visit:

      http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

Comments regarding the content of this announcement can be directed to:

      security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x1B14F299.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.

======================================================================

            =========================================================
            CERT-Renater reference servers
            http://www.urec.fr/securite
            http://www.cru.fr/securite
            http://www.renater.fr
            =========================================================
            + CERT-RENATER          | tel : 01-53-94-20-44          +
            + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
            + 75013 Paris           | email: certsvp@renater.fr     +
            =========================================================

