The security hole, which affects all versions of OpenSSH prior to 3.7, could cause a denial-of-service condition and may also allow an attacker to execute arbitrary code, CERT/CC warned. Systems that use or derive code from vulnerable versions of OpenSSH are also vulnerable.

According to the advisory, the vulnerability exists in the buffer management code of OpenSSH. "The error occurs when a buffer is allocated for a large packet. When the buffer is cleared, an improperly sized chunk of memory is filled with zeros," CERT/CC explained.

OpenSSH, which is included in Linux and Unix OS distributions, is a free version of the SSH (define) tool. It is a popular replacement for Telnet, rlogin, rsh, and ftp protocols.

While the full impact of the OpenSSH vulnerability remains unclear, CERT/CC cautioned that the most likely result would be "heap corruption," which could lead to a denial-of-service (define).

"If it is possible for an attacker to execute arbitrary code, then they may be able to so with the privileges of the user running the sshd process, typically root. This impact may be limited on systems using the privilege separation (privsep) feature available in OpenSSH," it added.

Sysadmins are urged to upgrade to OpenSSH 3.7 or apply available vendor patches. OpenSSH has also issued a fix (available here).

As a temporary workaround, IT admins running vulnerable OpenSSH versions may be able to reduce the impact of the security hole by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. However, CERT/CC warned that the workaround does not prevent exploitation of the vulnerability.

"System administrators are encouraged to carefully review the implications of using the workaround in their environment and use a more comprehensive solution if one is available. The use of privilege separation to limit the impact of future vulnerabilities is encouraged," the Center added.