OpenSSH is a free version of the SSH protocol suite of network connectivity tools. OpenSSH encrypts all traffic including passwords to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. `ssh' is the client application, while `sshd' is the server. All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable; however, it is preferable to fix the bugs proactively.
Impact
This vulnerability may result in heap corruption, leading to a denial of service. If an attacker can execute arbitrary code using this vulnerability, they may be able to do so with the privileges of the user running the sshd process, typically root. This impact may be limited on systems using the privilege separation (privsep) feature available in OpenSSH.
A vendor-provided patch, if available, is preferred over applying the patch from OpenSSH directly.
System administrators running OpenSSH versions 3.2 or higher may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. Typically, this is accomplished by creating a privsep user, setting up a restricted (chroot) environment, and adding the following line to /etc/ssh/sshd_config:
UsePrivilegeSeparation yes
This workaround does not prevent this vulnerability from being exploited; however, due to the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges. This workaround will not prevent this vulnerability from creating a denial-of-service condition. Not all operating system vendors have implemented the privilege separation code, and on some operating systems it may limit the functionality of OpenSSH. System administrators are encouraged to carefully review the implications of using the workaround in their environment and to use a more comprehensive solution if one is available. The use of privilege separation to limit the impact of future vulnerabilities is encouraged.
The information provided herein is on "as is" basis, without warranty of any kind.