Security

For more information, see the OpenBSD Security page.

• OpenSSH versions 6.2 and 6.3 are vulnerable to the memory corruption problem described in the gcmrekey.adv advisory and the OpenSSH 6.4 release notes.

• Portable OpenSSH prior to version 5.8p2 is vulnerable to the local host key theft attack described in portable-keysign-rand-helper.adv advisory and the OpenSSH 5.8p2 release notes.

• OpenSSH versions 5.6 and 5.7 are vulnerable to a potential leak of private key data described in the legacy-cert.adv advisory and the OpenSSH 5.8 release notes.

• OpenSSH prior to version 5.2 is vulnerable to the protocol weakness described in CPNI-957037 "Plaintext Recovery Attack Against SSH". However, based on the limited information available it appears that this described attack is infeasible in most circumstances. For more information please refer to the cbc.adv advisory and the OpenSSH 5.2 release notes.

• Portable OpenSSH 5.1 and newer are not vulnerable to the X11UseLocalhost=no hijacking attack on HP/UX (and possibly other systems) described in the OpenSSH 5.1 release notes.

• OpenSSH 5.0 and newer are not vulnerable to the X11 hijacking attack described in CVE-2008-1483 and the OpenSSH 5.0 release notes.

• OpenSSH 4.9 and newer do not execute ~/.ssh/rc for sessions whose command has been overridden with a sshd_config(5) ForceCommand directive. This was a documented, but unsafe behaviour (described in OpenSSH 4.9 release notes).

• OpenSSH 4.7 and newer do not fall back to creating trusted X11 authentication cookies when untrusted cookie generation fails (e.g. due to deliberate resource exhaustion), as described in the OpenSSH 4.7 release notes.

• OpenSSH 4.5 and newer fix a weakness in the privilege separation monitor that could be used to spoof successful authentication (described in the OpenSSH 4.5 release notes). Note that exploitation of this vulnerability would require an attacker to have already subverted the network-facing sshd(8) process, and no vulnerabilities permitting this are known.

• OpenSSH 4.4 and newer is not vulnerable to the unsafe signal handler vulnerability described in the OpenSSH 4.4 release notes.

• OpenSSH 4.4 and newer is not vulnerable to the SSH protocol 1 denial of service attack described in the OpenSSH 4.4 release notes.

• OpenSSH 4.3 and newer are not vulnerable to shell metacharacter expansion in scp(1) local-local and remote-remote copies (CVE-2006-0225), as described in the OpenSSH 4.3 release notes.

• OpenSSH 4.2 and newer does not allow delegation of GSSAPI credentials after authentication using a non-GSSAPI method as described in the OpenSSH 4.2 release notes.

• OpenSSH 4.2 and newer do not incorrectly activate GatewayPorts for dynamic forwardings (bug introduced in OpenSSH 4.0) as described in the OpenSSH 4.2 release notes.

• Portable OpenSSH 3.7.1p2 and newer are not vulnerable to "September 23, 2003: Portable OpenSSH Multiple PAM vulnerabilities", OpenSSH Security Advisory. (This issue does not affect OpenBSD versions)

• OpenSSH 3.7.1 and newer are not vulnerable to "September 16, 2003: OpenSSH Buffer Management bug", OpenSSH Security Advisory and CERT Advisory CA-2003-24.

• OpenSSH 3.4 and newer are not vulnerable to "June 26, 2002: OpenSSH Remote Challenge Vulnerability", OpenSSH Security Advisory.

• OpenSSH 3.2.1 and newer are not vulnerable to "April 21, 2002: Buffer overflow in AFS/Kerberos token passing code", OpenSSH Security Advisory: Versions prior to OpenSSH 3.2.1 allow privileged access if AFS/Kerberos token passing is compiled in and enabled (either in the system or in sshd_config).

• OpenSSH 3.1 and newer are not vulnerable to "March 7, 2002: Off-by-one error in the channel code", OpenSSH Security Advisory.

• OpenSSH 3.0.2 and newer do not allow users to pass environment variables to login(1) if UseLogin is enabled. The UseLogin option is disabled by default in all OpenSSH releases.

• OpenSSH 2.9.9 and newer are not vulnerable to "Sep 26, 2001: Weakness in OpenSSH's source IP based access control for SSH protocol v2 public key authentication.", OpenSSH Security Advisory.

• OpenSSH 2.9.9 and newer do not allow users to delete files named "cookies" if X11 forwarding is enabled. X11 forwarding is disabled by default.

• OpenSSH 2.3.1, a development snapshot which was never released, was vulnerable to "Feb 8, 2001: Authentication By-Pass Vulnerability in OpenSSH-2.3.1", OpenBSD Security Advisory. In protocol 2, authentication could be bypassed if public key authentication was permitted. This problem does exist only in OpenSSH 2.3.1, a three week internal development release. OpenSSH 2.3.0 and versions newer than 2.3.1 are not vulnerable to this problem.

• OpenSSH 2.3.0 and newer do not allow malicious servers to access the client's X11 display or ssh-agent. This problem has been fixed in OpenSSH 2.3.0.

• OpenSSH 2.3.0 and newer are not vulnerable to the "Feb 8, 2001: SSH-1 Daemon CRC32 Compensation Attack Detector Vulnerability", RAZOR Bindview Advisory CAN-2001-0144. A buffer overflow in the CRC32 compensation attack detector can lead to remote root access. This problem has been fixed in OpenSSH 2.3.0. However, versions prior to 2.3.0 are vulnerable.

• OpenSSH 2.2.0 and newer are not vulnerable to the "Feb 7, 2001: SSH-1 Session Key Recovery Vulnerability", CORE-SDI Advisory CORE-20010116. OpenSSH imposes limits on the connection rate, making the attack unfeasible. Additionally, the Bleichenbacher oracle has been closed completely since January 29, 2001.

• OpenSSH 2.1.1 and newer do not allow a remote attacker to execute arbitrary commands with the privileges of sshd if UseLogin is enabled by the administrator. UseLogin is disabled by default. This problem has been fixed in OpenSSH 2.1.1.

• OpenSSH was never vulnerable to the "Feb 5, 2001: SSH-1 Brute Force Password Vulnerability", Crimelabs Security Note CLABS200101.

• OpenSSH was not vulnerable to the RC4 cipher password cracking, replay, or modification attacks. At the time that OpenSSH was started, it was already known that SSH 1 used the RC4 stream cipher completely incorrectly, and thus RC4 support was removed.

• OpenSSH was not vulnerable to client forwarding attacks in unencrypted connections, since unencrypted connection support was removed at OpenSSH project start.

• OpenSSH was not vulnerable to IDEA-encryption algorithm attacks on the last packet, since the IDEA algorithm is not supported. The patent status of IDEA makes it unsuitable for inclusion in OpenSSH.

• OpenSSH does not treat localhost as exempt from host key checking, thus making it not vulnerable to the host key authentication bypass attack.

• OpenSSH was not vulnerable to uncontrollable X11 forwarding attacks because X11-forwarding is disabled by default and the user can de-permit it.

• OpenSSH has the SSH 1 protocol deficiency that might make an insertion attack difficult but possible. The CORE-SDI deattack mechanism is used to eliminate the common case. Ways of solving this problem are being investigated, since the SSH 1 protocol is not dead yet.