
OpenSSH Challenge-Response Buffer Overflow Vulnerability

by Nikola Strahija on June 26th, 2002 The OpenSSH team has reported that a vulnerability exists in OpenSSH. The vulnerability is remotely exploitable and may allow for unauthenticated attackers to obtain root privileges.

A buffer overflow exists in the OpenSSH server's handling of SSH2 challenge-response authentication. The vulnerable code is only compiled in when sshd is built with BSD_AUTH or SKEY support; OpenBSD 3.0 and later ship OpenSSH built with BSD_AUTH, so they are affected by default.

An attacker can trigger the overflow by sending a crafted response during the challenge-response exchange. Because this happens before authentication completes, no valid credentials are required. Since sshd runs as root, successful exploitation may allow execution of attacker-supplied code with root privileges, or cause a denial of service by crashing the daemon.

OpenSSH 3.4 has been released and fixes the vulnerability. Administrators who cannot upgrade to 3.4 should upgrade to at least OpenSSH 3.3 and enable privilege separation.

Note: exploit code is reported to be in development, or already functional, in the attacker community. Users are advised to upgrade immediately.

Remote: Yes

Exploit: No (no publicly available exploit code at the time of writing)

Solution: OpenSSH 3.4 has been released and contains the fix. Administrators are nonetheless advised to enable privilege separation as a defense-in-depth measure, since it contains the impact of any future bug in the pre-authentication code.

The vulnerability is only reachable when the 'ChallengeResponseAuthentication' option is enabled in sshd_config. As a workaround, administrators may set this option to 'no'; this removes the vulnerable code path at the cost of losing challenge-response (e.g. S/Key) logins.

The OpenSSH development team has stated that OpenSSH 3.3 servers running with the new privilege separation feature are not exploitable: the pre-authentication code runs in an unprivileged, chrooted child, so an overflow there does not yield root. Privilege separation was introduced in OpenSSH 3.3. Administrators of systems running earlier versions are *strongly* urged to upgrade to OpenSSH 3.3 and enable privilege separation.

To enable privilege separation, the following configuration option must be in the sshd_config file (often located at /etc/ssh/sshd_config):

UsePrivilegeSeparation yes

After changing this option, the OpenSSH server must be stopped and started again for the new configuration to take effect; check the log on restart to confirm sshd accepted the option.

Note that this configuration change may break some setups, as privilege separation is not supported on every platform. Given the risk, it is advised that privilege separation be enabled regardless. If this is impossible, sshd should be disabled, or port 22 blocked at the firewall, until a patch can be applied.
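As an added check (not part of the original advisory), the following POSIX shell script audits an sshd_config against the two mitigations described above: it reports a host as covered if ChallengeResponseAuthentication is set to no, or if UsePrivilegeSeparation is explicitly yes. It assumes the classic sshd_config syntax (one "Keyword value" per line, case-insensitive keywords, '#' comments, first occurrence of a keyword wins, as sshd itself behaves), and it treats a missing UsePrivilegeSeparation as "no", which is a deliberately conservative assumption. The two sample configs it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original advisory: audit an sshd_config for the
# two mitigations the text recommends. Assumes classic sshd_config syntax:
# one "Keyword value" per line, keywords case-insensitive, '#' starts a comment,
# and the FIRST occurrence of a keyword wins (as in sshd).

# Print the effective (lower-cased) value of a keyword, or nothing if unset.
sshd_opt() {
    config="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }                   # comment line
        NF < 2           { next }                   # blank or malformed line
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$config"
}

# Decide whether the config is covered by one of the advisory's mitigations.
# Returns 0 (covered) when challenge-response auth is off OR privilege
# separation is explicitly on; returns 1 (exposed) otherwise.
# ChallengeResponseAuthentication defaults to "yes" when absent. An absent
# UsePrivilegeSeparation is treated as "no" (assumption: trust only what is
# written down, since the default varied between builds).
audit_sshd_config() {
    cra=$(sshd_opt "$1" ChallengeResponseAuthentication)
    psep=$(sshd_opt "$1" UsePrivilegeSeparation)
    [ -z "$cra" ] && cra=yes
    [ -z "$psep" ] && psep=no
    if [ "$cra" = no ] || [ "$psep" = yes ]; then
        return 0
    fi
    return 1
}

# Constructed sample configs for the demonstration (not real host files).
tmpdir=$(mktemp -d)
VULN_CFG="$tmpdir/sshd_config.exposed"
SAFE_CFG="$tmpdir/sshd_config.hardened"
printf '%s\n' \
    '# stock-looking config: challenge-response left on, privsep only commented' \
    'Port 22' \
    'Protocol 2,1' \
    '#UsePrivilegeSeparation yes' \
    'ChallengeResponseAuthentication yes' > "$VULN_CFG"
printf '%s\n' \
    'Port 22' \
    'Protocol 2' \
    'UsePrivilegeSeparation yes' \
    'ChallengeResponseAuthentication no' > "$SAFE_CFG"

for cfg in "$VULN_CFG" "$SAFE_CFG"; do
    if audit_sshd_config "$cfg"; then
        echo "OK       $cfg"
    else
        echo "EXPOSED  $cfg: set ChallengeResponseAuthentication no or UsePrivilegeSeparation yes"
    fi
done
```

Point `audit_sshd_config` at /etc/ssh/sshd_config on a real host to check it; note that a commented-out `#UsePrivilegeSeparation yes` line, as in the first sample, is correctly ignored and does not count as enabled.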

A source code patch is also available at
