Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7919
Views
0
Helpful
3
Replies

Can SFTP packets trigger SSH_EVENT_RESPOVERFLOW events in IPS?

rweir0001
Level 1
Level 1

‎09-08-2016 08:59 AM - edited ‎03-10-2019 06:40 AM

I have a Cisco ASA w/FirePOWER and an IPS license. My SoureFire module version is 5.4.1-211. I get lots of SSH_EVENT_RESPOVERFLOW intrusion events. The documentation for the event states that this is the result of a buffer overflow with OpenSSH. We do not use OpenSSH in our environment. I went through all the Source and Destination IP addresses involved and it appears to be happening with devices that transmit files using SFTP. When I configured the firewall rules in the ASA to allow this traffic the protocol I used was SSH. That's because both SSH and SFTP use port 22, and the ASA by default recognizes port 22 as SSH. My theory on this is that the IPS mistakenly believes that SFTP packets are buffer overflow exploits of OpenSSH which triggers the SSH_EVENT_RESPOVERFLOW intrusion events. If anyone has any experience with this can you please confirm or deny?

2 people had this problem
Labels:
0 Helpful
3 Replies 3

chris.proudlock
Level 1
Level 1

‎09-13-2016 04:51 AM

Hi,

Its likely you will use OpenSSH in your environment - most Linux based appliances use it, if you ever SSH to a switch or something theres a good chance :)

If the only traffic on port 22 is SFTP it certainly seems the likely cause.

Signature states:

"Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt)."

The flaw itself is due to an error in handling a large number of responses during challenge response authentication and detection of which despite the signature is also set at a pre-processor level - it could simply be triggering on numerous responses from the server and with it being SSH and encrypted, you'll never know whats in the response but a legit attack would have crafted responses.

I'd say this was a false positive based on that, you can use alert suppression or a pass rule to ignore your SFTP server.

OpenSSH 3.4 addresses the problem. Upgrading to this version will eliminate the vulnerabilities. Administrators who cannot install OpenSSH 3.4 should upgrade to version 3.3 and enable the privilege-separation feature.

0 Helpful

rweir0001
Level 1
Level 1
In response to chris.proudlock

‎09-15-2016 12:53 PM

Thanks, Chris. I wanted to alter the rule so that the IPS wouldn't drop this SFTP traffic that it misidentifies as  SSH_EVENT_RESPOVERFLOW for certain servers. Like if the IPS sees SFTP traffic going to Server A it want think it is an OpenSSH exploit and drop the traffic. I tried to change the rule in the rule editor but got this message:

This preprocessor rule cannot be modified from the rule editor. If you want to modify this rule, you can change the settings in a Network Analysis policy for this preprocessor.

I'm not sure how to change this preprocessor rule so that it ignores these intrusion events going to specific servers. Any idea how to do this?

0 Helpful

itmeisterei
Level 1
Level 1
In response to chris.proudlock

‎07-25-2020 03:38 PM

i've this issue on several newer versions of openssh with pubkeyauthenticaton: https://superuser.com/questions/1568642/sftp-fails-client-loop-send-disconnect-broken-pipe-log-shows-forced-clos

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card