CVE-2002-0640
Published 2002-07-03
Priority P3 · 55 · critical · 10 · CVSS 2.0 · AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available · EPSS 27.32% (97.8th percentile)
Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).
Affected
31 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | < openssh 1:3.4 (bookworm) | openssh 1:3.4 (bookworm) |
| openbsd | openssh | — | — |
Detection & IOCs (extracted from sources)
- bytes: 0x6E69622F (little-endian '/bin')
- bytes: 0x0068732f (little-endian '/sh\0')
- Exploitation requires either PAMAuthenticationViaKbdInt or ChallengeResponseAuthentication to be enabled in sshd_config; audit configs for these directives as a detection/triage signal.
- Successful exploitation results in a bind shell listening on TCP port 128; detect unexpected listening services on port 128 after an SSH connection attempt.
- The exploit targets OpenSSH 2.3.1 through 3.3 (and is reportedly still present in 3.4p1 and 3.5p1); flag SSH banner strings matching these version ranges.
- The vulnerability only exists when sshd is compiled with BSD_AUTH or SKEY support, or when PAMAuthenticationViaKbdInt / ChallengeResponseAuthentication is enabled; systems without these compile-time or runtime options are not affected.
- Enabling privilege separation (UsePrivilegeSeparation yes) in sshd_config is a documented workaround that limits exploitability even on vulnerable versions.
- Red Hat Enterprise Linux 2.1 shipped OpenSSH not compiled with S/Key or BSD_AUTH support, so those systems are not vulnerable.
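As an added triage helper (constructed for this page, not code from the page or from any advisory it cites), the following Python audits the two sshd_config directives and the privilege-separation workaround named above and checks an SSH banner against the affected version range. The sample config and the default values applied to absent directives are assumptions; only ChallengeResponseAuthentication defaulting to "yes" follows sshd_config(5).

```python
import re

# Constructed sshd_config excerpt (not from the page): one named directive is set,
# one is commented out, and the privilege-separation workaround is off.
SAMPLE_SSHD_CONFIG = """\
Port 22
PAMAuthenticationViaKbdInt yes
#ChallengeResponseAuthentication no
UsePrivilegeSeparation no
"""

# Assumed defaults for absent directives: sshd_config(5) documents
# ChallengeResponseAuthentication as "yes"; the other two are assumed "no".
DEFAULTS = {
    "pamauthenticationviakbdint": "no",
    "challengeresponseauthentication": "yes",
    "useprivilegeseparation": "no",
}

def parse_sshd_config(text):
    """Map lowercased directive -> value for the global section (first occurrence wins, as in sshd)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.+)$", line)  # sshd accepts "Key value" and "Key=value"
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # a Match block (later OpenSSH) opens a conditional scope; stop at the global one
        conf.setdefault(key, val)
    return conf

def audit_sshd_config(text):
    """Report whether the challenge-response path is enabled and whether privsep mitigates it."""
    conf = parse_sshd_config(text)
    effective = {k: conf.get(k, default).lower() for k, default in DEFAULTS.items()}
    challenge_on = "yes" in (effective["pamauthenticationviakbdint"],
                             effective["challengeresponseauthentication"])
    privsep = effective["useprivilegeseparation"] == "yes"
    return {"effective": effective, "challenge_response_enabled": challenge_on,
            "privsep_workaround": privsep, "exposed": challenge_on and not privsep}

def banner_in_affected_range(banner):
    """True when an SSH identification string advertises OpenSSH 2.3.1 through 3.3."""
    m = re.search(r"OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return False
    major, minor, patch = (int(x) if x else 0 for x in m.groups())
    return (2, 3, 1) <= (major, minor, patch) and (major, minor) <= (3, 3)
```

A host whose audit reports "exposed" and whose banner falls in range is the one to prioritise for patching; a commented-out ChallengeResponseAuthentication line still leaves the documented default of "yes" in force.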
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | HIGH | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
GHSA
GHSA-q9hw-p2pq-q4p7: Buffer overflow in sshd in OpenSSH 2 · ghsa_unreviewed · 2022-05-03 · HIGH
(same description as above)
OSV
CVE-2002-0640: Buffer overflow in sshd in OpenSSH 2 · osv · 2002-07-03 · CVSS 10.0 · CRITICAL
(same description as above)
Red Hat
security flaw · vendor_redhat · 2002-06-26 · CVSS 10.0 · CRITICAL
(same description as above)
Debian
CVE-2002-0640: openssh - Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers ... · vendor_debian · 2002 · CVSS 10.0 · CRITICAL
(same description as above)
Scope: local
bookworm: resolved (fixed in 1:3.4)
bullseye: resolved (fixed in 1:3.4)
forky: resolved (fixed in 1:3.4)
sid: resolved (fixed in 1:3.4)
trixie: resolved (fixed in 1:3.4)
Red Hat
CVE-2002-0639: Integer overflow in sshd in OpenSSH 2 · vendor_redhat · CVSS 9.8 · CRITICAL
Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.
Statement: Not vulnerable. This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 3 or later.
This issue did not affect the OpenSSL packages as shipped with Red Hat Enterprise Linux 2.1 as they were not compiled with S/Key or BSD_AUTH support. The upstream patch for this issue and CVE-2002-0640 was included in an errata so that users recompiling OpenSSL with support for those authentication methods would also be protected:
https://rhn.redhat.com/errata/RHSA-2002-131.html
No detection rules found.
Exploit-DB
OpenSSH 3.x - Challenge-Response Buffer Overflow (1) · exploitdb · 2002-06-24 · CVE-2002-0640
---
source: https://www.securityfocus.com/bid/5093/info
The OpenSSH team has reported two vulnerabilities in OpenSSH that are remotely exploitable and may allow for unauthenticated attackers to obtain root privileges.
The conditions are related to the OpenSSH SSH2 challenge-response mechanism. They occur when the OpenSSH server is configured at compile time to support BSD_AUTH or SKEY. OpenBSD 3.0 and later ship with OpenSSH built to support BSD_AUTH. Systems are vulnerable when either of the following configuration options are enabled:
PAMAuthenticationViaKbdInt
ChallengeResponseAuthentication
Attackers can exploit the vulnerabilities by crafting a malicious response. Since this occurs before the authentication process completes,
Exploit-DB
OpenSSH 3.x - Challenge-Response Buffer Overflow (2) · exploitdb · 2002-06-24 · CVE-2002-0640
---
source: https://www.securityfocus.com/bid/5093/info
(same description as entry (1) above)
References
- ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
- http://marc.info/?l=bugtraq&m=102514371522793&w=2
- http://marc.info/?l=bugtraq&m=102514631524575&w=2
- http://marc.info/?l=bugtraq&m=102521542826833&w=2
- http://marc.info/?l=bugtraq&m=102532054613894&w=2
- http://www.cert.org/advisories/CA-2002-18.html
- http://www.debian.org/security/2002/dsa-134
- http://www.kb.cert.org/vuls/id/369347
- http://www.linuxsecurity.com/advisories/other_advisory-2177.html
- http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:040
- http://www.novell.com/linux/security/advisories/2002_024_openssh_txt.html
- http://www.openwall.com/lists/oss-security/2024/07/01/3
- http://www.osvdb.org/839
- http://www.redhat.com/support/errata/RHSA-2002-127.html
- http://www.redhat.com/support/errata/RHSA-2002-131.html
- http://www.securityfocus.com/bid/5093
- http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0206-195