Vulnerabilities > CVE-2003-0682 - Remote Security vulnerability in OpenSSH
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
"Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695.
Vulnerable Configurations
Nessus
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2003-266-01.NASL description Upgraded OpenSSH 3.7.1p2 packages are available for Slackware 8.1, 9.0 and -current. This fixes security problems with PAM authentication. It also includes several code cleanups from Solar Designer. Slackware is not vulnerable to the PAM problem, and it is not believed that any of the other code cleanups fix exploitable security problems, not nevertheless sites may wish to upgrade. These are some of the more interesting entries from OpenSSH last seen 2020-06-01 modified 2020-06-02 plugin id 18728 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18728 title Slackware 8.1 / 9.0 / current : New OpenSSH packages (SSA:2003-266-01) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2003-266-01. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(18728); script_version("1.16"); script_cvs_date("Date: 2019/10/25 13:36:20"); script_xref(name:"SSA", value:"2003-266-01"); script_name(english:"Slackware 8.1 / 9.0 / current : New OpenSSH packages (SSA:2003-266-01)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "Upgraded OpenSSH 3.7.1p2 packages are available for Slackware 8.1, 9.0 and -current. This fixes security problems with PAM authentication. It also includes several code cleanups from Solar Designer. Slackware is not vulnerable to the PAM problem, and it is not believed that any of the other code cleanups fix exploitable security problems, not nevertheless sites may wish to upgrade. These are some of the more interesting entries from OpenSSH's ChangeLog so you can be the judge: [buffer.c] protect against double free; #660; zardoz at users.sf.net - [email protected] 2003/09/18 08:49:45 [deattack.c misc.c session.c ssh-agent.c] more buffer allocation fixes; from Solar Designer; CAN-2003-0682; ok millert@ - (djm) Bug #676: Fix PAM stack corruption - (djm) Fix bad free() in PAM code" ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.373294 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d0bae0a9" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh package." ); script_set_attribute(attribute:"risk_factor", value:"High"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/09/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/16"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"8.1", pkgname:"openssh", pkgver:"3.7.1p2", pkgarch:"i386", pkgnum:"1")) flag++; if (slackware_check(osver:"9.0", pkgname:"openssh", pkgver:"3.7.1p2", pkgarch:"i386", pkgnum:"1")) flag++; if (slackware_check(osver:"current", pkgname:"openssh", pkgver:"3.7.1p2", pkgarch:"i486", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-280.NASL description Updated OpenSSH packages are now available that fix bugs that may be remotely exploitable. [Updated 17 Sep 2003] Updated packages are now available to fix additional buffer manipulation problems which were fixed in OpenSSH 3.7.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0695 to these additional issues. We have also included fixes from Solar Designer for some additional memory bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0682 to these issues. OpenSSH is a suite of network connectivity tools that can be used to establish encrypted connections between systems on a network and can provide interactive login sessions and port forwarding, among other functions. The OpenSSH team has announced a bug which affects the OpenSSH buffer handling code. This bug has the potential of being remotely exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0693 to this issue. All users of OpenSSH should immediately apply this update which contains a backported fix for this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 12421 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12421 title RHEL 2.1 : openssh (RHSA-2003:280) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2003:280. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12421); script_version ("1.23"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2003-0682", "CVE-2003-0693", "CVE-2003-0695"); script_xref(name:"RHSA", value:"2003:280"); script_name(english:"RHEL 2.1 : openssh (RHSA-2003:280)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated OpenSSH packages are now available that fix bugs that may be remotely exploitable. [Updated 17 Sep 2003] Updated packages are now available to fix additional buffer manipulation problems which were fixed in OpenSSH 3.7.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0695 to these additional issues. We have also included fixes from Solar Designer for some additional memory bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0682 to these issues. OpenSSH is a suite of network connectivity tools that can be used to establish encrypted connections between systems on a network and can provide interactive login sessions and port forwarding, among other functions. The OpenSSH team has announced a bug which affects the OpenSSH buffer handling code. This bug has the potential of being remotely exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0693 to this issue. All users of OpenSSH should immediately apply this update which contains a backported fix for this issue." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0682" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0693" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0695" ); script_set_attribute( attribute:"see_also", value:"http://www.openssh.com/txt/buffer.adv" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:280" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/22"); script_set_attribute(attribute:"patch_publication_date", value:"2003/09/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:280"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-3.1p1-14")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-askpass-3.1p1-14")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-askpass-gnome-3.1p1-14")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-clients-3.1p1-14")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-server-3.1p1-14")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc"); } }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-382.NASL description A bug has been found in OpenSSH last seen 2020-06-01 modified 2020-06-02 plugin id 15219 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15219 title Debian DSA-382-3 : ssh - possible remote vulnerability NASL family Misc. NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them. last seen 2020-06-01 modified 2020-06-02 plugin id 55992 published 2011-08-29 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55992 title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure NASL family Red Hat Local Security Checks NASL id REDHAT_FIXES.NASL description This plugin writes in the knowledge base the CVE ids that we know Red Hat enterprise Linux is not vulnerable to. last seen 2020-06-01 modified 2020-06-02 plugin id 12512 published 2004-07-06 reporter This script is Copyright (C) 2004-2011 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/12512 title Red Hat Enterprise Linux fixes NASL family Debian Local Security Checks NASL id DEBIAN_DSA-383.NASL description Several bugs have been found in OpenSSH last seen 2020-06-01 modified 2020-06-02 plugin id 15220 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15220 title Debian DSA-383-2 : ssh-krb5 - possible remote vulnerability NASL family Gain a shell remotely NASL id OPENSSH_36.NASL description According to its banner, the remote SSH server is running a version of OpenSSH older than 3.7.1. Such versions are vulnerable to a flaw in the buffer management functions that might allow an attacker to execute arbitrary commands on this host. An exploit for this issue is rumored to exist. Note that several distributions patched this hole without changing the version number of OpenSSH. Since Nessus solely relied on the banner of the remote SSH server to perform this check, this might be a false positive. If you are running a RedHat host, make sure that the command : rpm -q openssh-server returns : openssh-server-3.1p1-13 (RedHat 7.x) openssh-server-3.4p1-7 (RedHat 8.0) openssh-server-3.5p1-11 (RedHat 9) last seen 2020-06-01 modified 2020-06-02 plugin id 11837 published 2003-09-16 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11837 title OpenSSH < 3.7.1 Multiple Vulnerabilities
Oval
| accepted | 2010-09-20T04:00:26.670-04:00 | ||||||||||||||||
| class | vulnerability | ||||||||||||||||
| contributors |
| ||||||||||||||||
| description | "Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695. | ||||||||||||||||
| family | unix | ||||||||||||||||
| id | oval:org.mitre.oval:def:446 | ||||||||||||||||
| status | accepted | ||||||||||||||||
| submitted | 2003-09-21T12:00:00.000-04:00 | ||||||||||||||||
| title | Memory Bugs in OpenSSH | ||||||||||||||||
| version | 40 |
Redhat
| advisories |
|
Statements
| contributor | Joshua Bressers |
| lastmodified | 2007-03-27 |
| organization | Red Hat |
| statement | Not vulnerable. This flaw is fixed in Red Hat Enterprise Linux 2.1 via the errata RHSA-2003:280. This flaw is fixed in Red Hat Enterprise Linux 3 as a backported patch. The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA. This flaw does not affect any subsequent versions of Red Hat Enterprise Linux. |
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000741
- http://marc.info/?l=bugtraq&m=106373546332230&w=2
- http://marc.info/?l=bugtraq&m=106381409220492&w=2
- http://www.debian.org/security/2003/dsa-382
- http://www.debian.org/security/2003/dsa-383
- http://www.redhat.com/support/errata/RHSA-2003-280.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A446