
Stonesoft Corp. Security Advisory

Date:   17 Nov, 2006

Title:  OpenSSH vulnerability in Stonesoft Products

Refs:   Debian: DSA-1212, CVE-2006-5051

Severity: Low

The information contained in this advisory is provided on an as-is basis. Stonesoft does not make any warranties of any kind with respect to the information contained in this advisory. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL STONESOFT, CORP. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.

1. Overview

Many versions of OpenSSH are vulnerable to a signal handler race condition. By exploiting this vulnerability, an attacker may cause a denial of service in the SSH daemon or possibly execute arbitrary code on the vulnerable target host.
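
Added example, not part of the Stonesoft advisory and not OpenSSH source: a generic C program showing the signal handler race class named above, where cleanup performed inside a handler is re-entered by a second signal and releases the same buffer twice, next to the flag-only handler that avoids it. All names are hypothetical, and release() counts instead of calling free() so the double release can be observed rather than crashing the process.

```c
#include <signal.h>
#include <stdio.h>

/* Constructed stand-in for a daemon's per-connection state (not OpenSSH code). */
static char buffer[64];
static char *session_buf;              /* shared pointer that cleanup releases */
static int releases;                   /* how many times the buffer was released */
static volatile sig_atomic_t pending;  /* the only object the safe handler writes */
static volatile sig_atomic_t inject;   /* deliver a second signal mid-cleanup */

/* Counts instead of calling free(), so a double release is visible, not fatal. */
static void release(char *p) { if (p) releases++; }

/* Non-reentrant: the gap between reading and clearing session_buf is the race. */
static void cleanup(void)
{
    char *p = session_buf;
    if (inject) { inject = 0; raise(SIGTERM); }  /* second signal lands in the gap */
    release(p);
    session_buf = NULL;
}

/* Unsafe: real work in signal context. Safe: record the event and return. */
static void unsafe_handler(int sig) { (void)sig; cleanup(); }
static void safe_handler(int sig)   { (void)sig; pending = 1; }

/* Runs one session teardown; returns the number of releases of the buffer. */
int run(int safe)
{
    signal(SIGALRM, safe ? safe_handler : unsafe_handler);
    signal(SIGTERM, safe ? safe_handler : unsafe_handler);
    session_buf = buffer; releases = 0; pending = 0; inject = 1;
    raise(SIGALRM);                    /* first signal, e.g. a timer expiring */
    while (pending) {                  /* safe design: cleanup in normal context */
        pending = 0;
        cleanup();
    }
    return releases;
}

int main(void)
{
    printf("unsafe handler: %d releases\n", run(0));
    printf("safe handler:   %d releases\n", run(1));
    return 0;
}
```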


Stonesoft products are affected as stated below.

2. StoneGate Firewall and VPN

A vulnerable version of OpenSSH is included in the StoneGate High Availability Firewall and VPN engine. The SSH daemon does not have GSSAPI authentication enabled and therefore it is vulnerable only to the denial-of-service threat. By default the SSH daemon is not enabled at all in StoneGate engines.


Stonesoft is releasing a new Firewall and VPN engine version 3.0.3 that fixes the vulnerability. This version is estimated to be available November 28th, 2006.


StoneGate Firewall and VPN engine versions 3.0.2 and earlier use a vulnerable version of OpenSSH. Crafted SSH connections to the vulnerable OpenSSH daemon may cause the daemon to stop working, thus preventing administrators from using SSH connections to the StoneGate engine. Since GSSAPI authentication is not enabled in the StoneGate SSH daemon, the attacker should not be able to execute arbitrary code through this vulnerability.

Recommended Actions:

All StoneGate Firewall and VPN users should upgrade their StoneGate Firewall and VPN engines to version 3.0.3 as soon as it is available.


StoneGate Firewall and VPN customers not using StoneGate appliances or Intel-compatible StoneGate platforms can contact Stonesoft Technical Support for further information.


Stonesoft recommends using firewall rules to limit the addresses that are authorized to open SSH connections to the StoneGate engines.

3. StoneGate IPS Sensor and Analyzer

A vulnerable version of OpenSSH is included in the StoneGate IPS Sensor and Analyzer engine. The SSH daemon does not have GSSAPI authentication enabled and therefore it is vulnerable only to the denial-of-service threat. By default the SSH daemon is not enabled at all in StoneGate engines.


Stonesoft is releasing a new IPS engine version 2.0.3 that fixes the vulnerability. This version is estimated to be available November 28th, 2006.


StoneGate IPS engine versions 2.0.2 and earlier use a vulnerable version of OpenSSH. Crafted SSH connections to the vulnerable OpenSSH daemon may cause the daemon to stop working, thus preventing administrators from using SSH connections to the StoneGate engine. Since GSSAPI authentication is not enabled in the StoneGate SSH daemon, the attacker should not be able to execute arbitrary code through this vulnerability.

Recommended Actions:

All StoneGate IPS users should upgrade their StoneGate IPS engines to version 2.0.3 as soon as it is available.

Stonesoft recommends using firewall rules or router access lists to limit the addresses that are authorized to open SSH connections to the StoneGate engines.

4. StoneGate Management Center

The StoneGate Management Center does not contain the SSH daemon and is thus not vulnerable.

5. StoneGate VPN Client

The StoneGate VPN Client does not contain the SSH daemon and is thus not vulnerable.

6. StoneBeat HA

StoneBeat HA does not contain the SSH daemon and is thus not vulnerable.

7. StoneBeat Clustering Products

StoneBeat Clustering products do not contain the SSH daemon and are thus not vulnerable.

8. Appendices

Stonesoft Security Analysis Group's PGP key is available at:

http://www.stonesoft.com/export/download/other_files/Stonesoft-Security-Alert.asc


To report or inquire about a security problem with Stonesoft software, contact one or more of the following:

Stonesoft Support

Stonesoft Security Analysis Group: security-alert@stonesoft.com


Copyright 2006 Stonesoft, Corp. All rights reserved.


Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft, Corp. in Finland and other countries. All other company and product names contained herein are property of their respective holders. This advisory may be reproduced and distributed only in its unaltered form and only for non-commercial purposes.