Does OpenSSH Vulnerability Affect IDS Sensors?

cgiulini
Level 1

I am wondering if the OpenSSH vulnerability affects IDS sensors configured to use SSH for remote connections.

I saw the notification from PSIRT and did not see any mention of the IDS sensors one way or the other.

Regards,

Chad Giulini

6 Replies

picketfence
Level 1

The 3.x sensors at least run OpenSSH, and thus should be vulnerable. I guess Cisco forgot about them. I'm not sure about 4.x.

-ben

I'm running 4.x here and it looks to me like OpenSSH is running on them too. I am just looking for confirmation and hopefully a recommended resolution (either upgrade the SSH on the sensors directly or a patch from Cisco).

Chad

brhamon
Level 1

The PSIRT announcement was recently updated to include the status of IDS sensors.

Here is our announcement:

Symptom:

========

None, although an attacker might theoretically cause the SSH server to terminate, resulting in a denial of service.

Conditions:

===========

IDS-42xx appliances, NM-CIDS and WS-SVS-IDSM2:

Software versions from 3.0(1) through 4.1(1) are affected because they include a vulnerable version of OpenSSH.

WS-X6381-IDS:

Not affected.

The vulnerability was announced 16-Sep-2003 by members of the OpenSSH development team. Their announcement is at:

http://www.openssh.com/txt/buffer.adv

Workaround:

===========

It is generally recommended to restrict access to the SSH server on an IDS sensor to a limited number of allowed hosts, using the access list mechanism in IDS.

Further problem information:

============================

From the OpenSSH advisory:

"All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors. It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively."

The OpenSSH executables in IDS software will be updated to at least version 3.7.1 in a future service pack.
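As an added example (not part of this thread or of Cisco's tooling), a small Python triage helper that checks sshd banners against the 3.7.1 threshold from the quoted advisory and records whether the sensor access-list workaround described above is in place; the hostnames, banners and allowed-source addresses are constructed.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Fix version named in the OpenSSH advisory quoted in the thread: sshd prior to 3.7.1 is affected.
FIXED_VERSION = (3, 7, 1)

# OpenSSH identification string, e.g. "SSH-2.0-OpenSSH_3.6.1p2" or "SSH-1.99-OpenSSH_3.4p1".
# The portable-release suffix ("p2") is matched but ignored for the version comparison.
_BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p\d+)?")

def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an sshd banner, or None if it is not OpenSSH."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    parts = [int(x) for x in m.group("ver").split(".")]
    parts += [0] * (3 - len(parts))          # "3.7" compares as 3.7.0, i.e. before 3.7.1
    return tuple(parts[:3])

def is_affected(banner: str) -> Optional[bool]:
    """True if the banner reports OpenSSH prior to 3.7.1; None if the version is unknown."""
    version = parse_openssh_version(banner)
    return None if version is None else version < FIXED_VERSION

class Finding(NamedTuple):
    host: str
    version: Tuple[int, int, int]
    exposure: str   # "exposed" (no sensor ACL) or "restricted" (ACL limits SSH sources)

def triage(inventory):
    """Flag hosts running an affected sshd and note whether the sensor ACL workaround is in place."""
    findings = []
    for host, banner, allowed_sources in inventory:
        if is_affected(banner):
            exposure = "restricted" if allowed_sources else "exposed"
            findings.append(Finding(host, parse_openssh_version(banner), exposure))
    return findings

# Constructed sample inventory: (hostname, banner, allowed SSH sources). Hypothetical values.
SAMPLE_INVENTORY = [
    ("sensor-a", "SSH-1.99-OpenSSH_3.4p1", ["10.0.0.5"]),
    ("sensor-b", "SSH-2.0-OpenSSH_3.7.1p1", []),
    ("sensor-c", "SSH-2.0-OpenSSH_3.7", []),
    ("router-1", "SSH-1.5-Cisco-1.25", []),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host}: OpenSSH {'.'.join(map(str, f.version))} prior to 3.7.1, SSH access {f.exposure}")
```

Banners can be collected from the sensors' own SSH identification strings during routine inventory; non-OpenSSH banners are reported as unknown rather than assumed safe.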

Here's what I read on PSIRT today:

Cisco Secure Intrusion Detection System (NetRanger) appliance—Software version 4.1(2), due out end of October will have the fix. Software version 3.1(5) will have the fix for software version 3.1, release date to be determined.

I think end-of-October is just too late to get a fix. Every other vendor whose product is vulnerable has released or is in the course of coming out with one within a couple of days. I strongly urge Cisco employees on this forum to push for an update soon.

By using sysconfig-sensor on our 3.x sensors we defined the Access Control List and limited the source addresses that can connect to the sensors.

Our understanding is that an attacker could only initiate a DoS from this trusted network.

Am I correct?

If not, we will then need to implement ACLs at the router to deny SSH traffic from all sources other than the trusted source.

So far our tests show that one can only connect to the sensor from a trusted source/network defined in the Access Control List.

Hope this helps.

Mike

That's correct, Mike. The attacker must establish a TCP connection with the OpenSSH service before it can send data to exercise this vulnerability. Access control lists on all versions of IDS sensor only allow data to pass from an allowed host.