> -----Original Message-----
> From: FreeBSD Security Advisories
> [mailto:security-advisories@xxxxxxxxxxx]
> Sent: Wednesday, March 01, 2006 7:06 PM
> To: Bugtraq
> Subject: FreeBSD Security Advisory FreeBSD-SA-06:09.openssh [REVISED]
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ==============================================================
> ===============
> FreeBSD-SA-06:09.openssh
> Security Advisory
> The
> FreeBSD Project
>
> Topic: Remote denial of service in OpenSSH
>
> Category: contrib
> Module: OpenSSH
> Announced: 2006-03-01
> Affects: FreeBSD 5.3 and 5.4
> Corrected: 2006-03-01 14:19:48 UTC (RELENG_5, 5.5-PRERELEASE)
> 2006-03-01 14:21:01 UTC (RELENG_5_4, 5.4-RELEASE-p12)
> 2006-03-01 14:24:52 UTC (RELENG_5_3, 5.3-RELEASE-p27)
> CVE Name: CVE-2006-0883
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit
> <URL:>.
>
> 0. Revision History
>
> v1.0 2006-03-01 Initial release.
> v1.1 2006-03-01 Corrected workaround instructions.
>
> I. Background
>
> OpenSSH is an implementation of the SSH protocol suite, providing an
> encrypted, authenticated transport for a variety of services,
> including remote shell access.
>
> Privilege separation is a mechanism used by OpenSSH to protect itself
> against possible future vulnerabilities. It works by splitting the
> server process in two: the child process drops its privileges and
> carries on the conversation with the client, while the parent retains
> its privileges, monitors the child, and performs privileged operations
> on behalf of the child when it is satisified that everything is in
> order. Privilege separation is enabled by default in FreeBSD.
>
> OpenPAM is an implementation of the PAM framework, which allows the
> use of loadable modules to implement user authentication and session
> management in a manner defined by the administrator. It is used by
> OpenSSH and numerous other applications in FreeBSD to provide a
> consistent and configurable authentication system.
>
> II. Problem Description
>
> Because OpenSSH and OpenPAM have conflicting designs (one is event-
> driven while the other is callback-driven), it is necessary for
> OpenSSH to fork a child process to handle calls to the PAM framework.
> However, if the unprivileged child terminates while PAM authentication
> is under way, the parent process incorrectly believes that the PAM
> child also terminated. The parent process then terminates, and the
> PAM child is left behind.
>
> Due to the way OpenSSH performs internal accounting, these orphaned
> PAM children are counted as pending connections by the master OpenSSH
> server process. Once a certain number of orphans has accumulated, the
> master decides that it is overloaded and stops accepting client
> connections.
>
> III. Impact
>
> By repeatedly connecting to a vulnerable server, waiting for a
> password prompt, and closing the connection, an attacker can cause
> OpenSSH to stop accepting client connections until the system restarts
> or an administrator manually kills the orphaned PAM processes.
>
> IV. Workaround
>
> The following command will show a list of orphaned PAM processes:
>
> # pgrep -lf 'sshd.*\[pam\]'
>
> The following command will kill orphaned PAM processes:
>
> # pkill -f 'sshd.*\[pam\]'
>
> To prevent OpenSSH from leaving orphaned PAM processes behind, perform
> one of the following:
>
> 1) Disable PAM authentication in OpenSSH. Users will still be able to
> log in using their Unix password, OPIE or SSH keys.
>
> To do this, execute the following commands as root:
>
> # echo 'UsePAM no' >>/etc/ssh/sshd_config
> # /etc/rc.d/sshd restart
>
> 2) If disabling PAM is not an option - if, for instance, you use
> RADIUS authentication, or store user passwords in an SQL database -
> you may instead disable privilege separation. However, this may
> leave OpenSSH vulnerable to hitherto unknown bugs, and should be
> considered a last resort.
>
> To do this, execute the following commands as root:
>
> # echo 'UsePrivilegeSeparation no' >>/etc/ssh/sshd_config
> # /etc/rc.d/sshd restart
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 5-STABLE or to the RELENG_5_4 or
> RELENG_5_3 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 5.3 and
> 5.4 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:09/openssh.patch
> # fetch
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:09/openss
> h.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/secure/lib/libssh
> # make obj && make depend && make && make install
> # cd /usr/src/secure/usr.sbin/sshd
> # make obj && make depend && make && make install
> # /etc/rc.d/sshd restart
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch
> Revision
> Path
> -
> --------------------------------------------------------------
> -----------
> RELENG_5
> src/crypto/openssh/auth-pam.c
> 1.14.2.1
> src/crypto/openssh/ssh_config
> 1.25.2.1
> src/crypto/openssh/ssh_config.5
> 1.15.2.1
> src/crypto/openssh/sshd_config
> 1.40.2.1
> src/crypto/openssh/sshd_config.5
> 1.21.2.1
> src/crypto/openssh/version.h
> 1.27.2.1
> RELENG_5_4
> src/UPDATING
> 1.342.2.24.2.21
> src/sys/conf/newvers.sh
> 1.62.2.18.2.17
> src/crypto/openssh/auth-pam.c
> 1.14.6.1
> src/crypto/openssh/ssh_config
> 1.25.6.1
> src/crypto/openssh/ssh_config.5
> 1.15.6.1
> src/crypto/openssh/sshd_config
> 1.40.6.1
> src/crypto/openssh/sshd_config.5
> 1.21.6.1
> src/crypto/openssh/version.h
> 1.27.6.1
> RELENG_5_3
> src/UPDATING
> 1.342.2.13.2.30
> src/sys/conf/newvers.sh
> 1.62.2.15.2.32
> src/crypto/openssh/auth-pam.c
> 1.14.4.1
> src/crypto/openssh/ssh_config
> 1.25.4.1
> src/crypto/openssh/ssh_config.5
> 1.15.4.1
> src/crypto/openssh/sshd_config
> 1.40.4.1
> src/crypto/openssh/sshd_config.5
> 1.21.4.1
> src/crypto/openssh/version.h
> 1.27.4.1
> -
> --------------------------------------------------------------
> -----------
>
> VII. References
>
>
>
>
>
> The latest revision of this advisory is available at
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-0
> 6:09.openssh.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (FreeBSD)
>
> iD8DBQFEBcVoFdaIBMps37IRAtciAJ0ZEisuqx4lAtn2vr+44e4mrWYQuQCeLLRB
> kUuFQBE4Jy3SJeI+07wnknA=
> =esdm
> -----END PGP SIGNATURE-----
>
