cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8154
Views
0
Helpful
3
Replies

Can SFTP packets trigger SSH_EVENT_RESPOVERFLOW events in IPS?

rweir0001
Level 1
Level 1

I have a Cisco ASA w/FirePOWER and an IPS license. My SoureFire module version is 5.4.1-211. I get lots of SSH_EVENT_RESPOVERFLOW intrusion events. The documentation for the event states that this is the result of a buffer overflow with OpenSSH. We do not use OpenSSH in our environment. I went through all the Source and Destination IP addresses involved and it appears to be happening with devices that transmit files using SFTP. When I configured the firewall rules in the ASA to allow this traffic the protocol I used was SSH. That's because both SSH and SFTP use port 22, and the ASA by default recognizes port 22 as SSH. My theory on this is that the IPS mistakenly believes that SFTP packets are buffer overflow exploits of OpenSSH which triggers the SSH_EVENT_RESPOVERFLOW intrusion events. If anyone has any experience with this can you please confirm or deny?

3 Replies 3

chris.proudlock
Level 1
Level 1

Hi,

Its likely you will use OpenSSH in your environment - most Linux based appliances use it, if you ever SSH to a switch or something theres a good chance :)

If the only traffic on port 22 is SFTP it certainly seems the likely cause.

Signature states:

"Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt)."

The flaw itself is due to an error in handling a large number of responses during challenge response authentication and detection of which despite the signature is also set at a pre-processor level - it could simply be triggering on numerous responses from the server and with it being SSH and encrypted, you'll never know whats in the response but a legit attack would have crafted responses.

I'd say this was a false positive based on that, you can use alert suppression or a pass rule to ignore your SFTP server.

OpenSSH 3.4 addresses the problem. Upgrading to this version will eliminate the vulnerabilities. Administrators who cannot install OpenSSH 3.4 should upgrade to version 3.3 and enable the privilege-separation feature.

Thanks, Chris. I wanted to alter the rule so that the IPS wouldn't drop this SFTP traffic that it misidentifies as  SSH_EVENT_RESPOVERFLOW for certain servers. Like if the IPS sees SFTP traffic going to Server A it want think it is an OpenSSH exploit and drop the traffic. I tried to change the rule in the rule editor but got this message:

This preprocessor rule cannot be modified from the rule editor. If you want to modify this rule, you can change the settings in a Network Analysis policy for this preprocessor.

I'm not sure how to change this preprocessor rule so that it ignores these intrusion events going to specific servers. Any idea how to do this?

i've this issue on several newer versions of openssh with pubkeyauthenticaton: https://superuser.com/questions/1568642/sftp-fails-client-loop-send-disconnect-broken-pipe-log-shows-forced-clos

Review Cisco Networking for a $25 gift card