Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

GSI OpenSSH Vulnerability

Summary

Older versions of GSI OpenSSH contain a problem that may allow attackers to both deny service and execute arbitrary code.

Relevant Versions

This advisory affects the following VDT versions:

Date Announced

2007-04-10

Description

GSI OpenSSH versions before 3.9 contain a problem that may allow attackers to both deny service and execute arbitrary code. The details below are copied from Globus Security Advisory 2007-02. The fix appropriate for the VDT is given in the Solution section that follows the advisory text.

Title: Globus Security Advisory 2007-02: GSI-OpenSSH vulnerability

Original issue date: April 9 2007
Last revised: None

Software affected: Globus Toolkit releases 4.0.0-4.0.3 and 4.1.0-4.1.1
                   GSI-OpenSSH releases 3.8 and earlier

Specific packages: gsi_openssh

Note: Globus Toolkit 4.0.4 includes GSI-OpenSSH 3.9 which is not
      affected.  Globus Toolkit 3.2 and earlier did not include
      GSI-OpenSSH, but GSI-OpenSSH may have been installed as an
      add-on package.

Overview:

A signal handler race condition in OpenSSH versions prior to 4.4
allows remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code:

  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5051

Additionally, sshd in OpenSSH versions prior to 4.4, when using the
version 1 SSH protocol, allows remote attackers to cause a denial of
service (CPU consumption) via an SSH packet that contains duplicate
blocks, which is not properly handled by the CRC compensation attack
detector:

  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4924

I. Description

According to the OpenSSH 4.4 release notes
(http://openssh.org/txt/release-4.4), a signal handler in prior
OpenSSH releases is "vulnerable to a race condition that could be
exploited to perform a pre-authentication denial of service," and
"this vulnerability could theoretically lead to pre-authentication
remote code execution," "but the likelihood of successful
exploitation appears remote."

II. Impact

A remote attacker may cause a denial of service or execute
arbitrary code.

III. Solution

GSI-OpenSSH 3.9, based on OpenSSH 4.5p1, is available for download from:

  http://grid.ncsa.uiuc.edu/ssh/download.html

This GSI-OpenSSH release includes the signal handler race condition
fix and disables the SSH version 1 protocol by default.  GSI
authentication is performed over the SSH version 2 protocol.

We recommend that sites running GSI-OpenSSH servers version 3.8 and
earlier upgrade to GSI-OpenSSH 3.9.

Upgrade instructions are available at:

  http://grid.ncsa.uiuc.edu/ssh/install.html

Use 'gsissh -V' or 'gpt-query gsi_openssh' to determine your installed
GSI-OpenSSH version:

  $ gsissh -V
  OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, OpenSSL 0.9.7d 17 Mar 2004
  $ gpt-query gsi_openssh
  1 package was found in /usr/local/gt-4.0.3 that matched your query:

  packages found that matched your query
        gsi_openssh-gcc64dbg-pgm pkg version: 3.7.0 software version: GSI-OpenSSH 3.7 / OpenSSH 4.2p1

To determine the version of a GSI-OpenSSH server, run:
  for Bourne shells:
    gsissh -v hostname exit 2>&1 | grep "remote software version"
  for C shells:
    gsissh -v hostname exit |& grep "remote software version"
  (replacing hostname with the hostname of the remote server.)

SHA1 checksums:
a79e716c0c5eaf8445efc5f091040fbbc0e5ea4f  gsi_openssh-3.9-src.tar.gz
aa12e6118e92c9501088060d8fec862e1dbe114f  gsi_openssh_bundle-3.9-src.tar.gz
e6c43cbcf1aa3a0b335c60aac892a778587bc5e5  gsi_openssh_compat-3.9-src.tar.gz
5fb3bcfcb0829554c961e148cb64a4cece76bc96  gsi_openssh_setup-3.9-src.tar.gz

MD5 checksums:
62662a6fb1c60f01e70a0ef810b327e5  gsi_openssh-3.9-src.tar.gz
0478bd00b9679234223f9ef117256c5f  gsi_openssh_bundle-3.9-src.tar.gz
893557d99ef57d5eefa399e85fd3df5c  gsi_openssh_compat-3.9-src.tar.gz
58337fe5c4fddb12e015b449f848639e  gsi_openssh_setup-3.9-src.tar.gz 

Solution

VDT 1.6.1's version of GSI OpenSSH was upgraded to 3.9. You can get this new version by running a single command:

  pacman -update GSIOpenSSH
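
After updating, the version check described in the Globus advisory can be scripted across hosts. The following is an added example, not part of the VDT or Globus text: it extracts the GSI-OpenSSH version from a 'gsissh -V' or "remote software version" line and flags anything before 3.9. It assumes the version appears as an NCSA_GSSAPI_GPT_<major>.<minor> token, as in the sample output quoted above; the function names and the second and third sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a GSI-OpenSSH version banner against this advisory.
# Assumption: the banner carries the GSI-OpenSSH version as a token of the
# form NCSA_GSSAPI_GPT_<major>.<minor>, as in the advisory's sample output.

# Print "<major>.<minor>" of GSI-OpenSSH found in a banner line; empty if absent.
gsi_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*NCSA_GSSAPI_GPT_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Return 0 when version $1 is lower than $2. Fields are compared as numbers,
# so 3.10 is correctly treated as newer than 3.9.
version_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ] && return 0
    return 1
}

# Print AFFECTED, NOT_AFFECTED or UNKNOWN for one banner line.
# UNKNOWN means no GSI-OpenSSH token was found (for example a stock OpenSSH
# build), so the line needs a manual look rather than a silent pass.
classify_banner() {
    v=$(gsi_version "$1")
    if [ -z "$v" ]; then
        echo UNKNOWN
    elif version_lt "$v" 3.9; then
        echo AFFECTED
    else
        echo NOT_AFFECTED
    fi
}

# Sample input. The first line is the 'gsissh -V' output quoted in the
# advisory; the other two are constructed for this example.
for banner in \
    "OpenSSH_4.2p1-hpn NCSA_GSSAPI_GPT_3.7 GSI, OpenSSL 0.9.7d 17 Mar 2004" \
    "debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5p1 NCSA_GSSAPI_GPT_3.9 GSI" \
    "OpenSSH_4.3p2 Debian"
do
    printf '%-12s %s\n' "$(classify_banner "$banner")" "$banner"
done
```

To check a live server, pass the line produced by the advisory's 'gsissh -v hostname exit 2>&1 | grep "remote software version"' command to classify_banner.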

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.