https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762182#M72697 This is the latest update received from HP:<BR /><BR />""OpenSSH Vulnerabilities in Challenge Response Handling If the SKEY and BSD_AUTH authentication compile-time options are explicitly enabled, it may cause a remote denial of service attack on the OpenSSH daemon. Does this security problem exist with HP-UX Secure Shell? See CERT on OpenSSH ulnerabilities in Challenge Response Handling HP-UX Secure Shell does NOT enable either of these options. There is no denial of service risk with HP-UX Secure Shell. <BR /><BR />I wanted to provide you with an update to this case. I have information<BR />regarding CERT CA-2002-18, HP is not vulnerable to the first issue described<BR />in the CERT noted below, we are vulnerable to the second issue and will have<BR />a sw update available via a patch soon ( I believe by next week but I cant<BR />supply any dates ). <BR /><BR />The HP Security Doc is HPSBUX0206-195 and will be updated when the fix is<BR />available, I'll also send you a email when it comes out.""<BR /><BR />Hope this helps Mon, 15 Jul 2002 14:19:44 GMT Daimian Woznick 2002-07-15T14:19:44Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762177#M72692 The HP-UX Secure Shell is based on and older version of Openssh. This older version has several security vulnerabilities. When will HP have a newer version out that is based on Openssh 3.4p1 ? Thu, 11 Jul 2002 17:25:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762177#M72692 Craig Cooper 2002-07-11T17:25:20Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762178#M72693 Craig,<BR /><BR />You can try downloading the source and compiling it yourself, or you can try emailing hpux@hpux.cs.utah.edu. Usually, it's just a hurry up and wait for it to show up.<BR /><BR />live free or die<BR />harry Thu, 11 Jul 2002 18:09:57 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762178#M72693 harry d brown jr 2002-07-11T18:09:57Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762179#M72694 I currently have a call in to support to answer this question and will post the answer when I receive it. The following is from the CERT advisory:<BR /><BR />HP has issued a security bulletin (HPSBUX0206-195) for HP 9000 Servers running HP-UX release 11.00 and 11.11 only with the T1471AA SSH product installed.<BR /><BR />It says in part: <BR /><BR />As a short-term solution, disable PAMAuthenticationViaKbdInt in the sshd_config file; i.e.,<BR /><BR />PAMAuthenticationViaKbdInt no<BR /><BR />NOTE: ChallengeResponseAuthentication is not used in the HP product.<BR />HP is working to produce a patch for its version which is based on OpenSSH release 3.1p1.<BR /><BR />HPSBUX0206-195 will be updated when the patch is available.<BR /><BR /> Thu, 11 Jul 2002 18:42:27 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762179#M72694 Daimian Woznick 2002-07-11T18:42:27Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762180#M72695 Openssh 3.4 is available in depot format from this link.<BR /><BR /><A href="http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-3.4p1/" target="_blank">http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-3.4p1/</A><BR /><BR />I have not heard when HP will release their supported bundle.<BR /><BR />Openssh requires zlib, and openssl also available from that site. I have not installed this version yet so I am unable to provide feedback on their compile options or any particulars.<BR /><BR />Best Regards!<BR />Bryan Payne<BR />Senior Unix Admin Fri, 12 Jul 2002 01:31:08 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762180#M72695 Bryan Payne 2002-07-12T01:31:08Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762181#M72696 Bryan,<BR /><BR />Thank you. I did try it and everything worked fine, except one of the files 3.4p1-run was corrupt and would not install. I removed all of the pieces and went back to the T1471AA depot from HP Fri, 12 Jul 2002 20:16:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762181#M72696 Craig Cooper 2002-07-12T20:16:52Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762182#M72697 This is the latest update received from HP:<BR /><BR />""OpenSSH Vulnerabilities in Challenge Response Handling If the SKEY and BSD_AUTH authentication compile-time options are explicitly enabled, it may cause a remote denial of service attack on the OpenSSH daemon. Does this security problem exist with HP-UX Secure Shell? See CERT on OpenSSH ulnerabilities in Challenge Response Handling HP-UX Secure Shell does NOT enable either of these options. There is no denial of service risk with HP-UX Secure Shell. <BR /><BR />I wanted to provide you with an update to this case. I have information<BR />regarding CERT CA-2002-18, HP is not vulnerable to the first issue described<BR />in the CERT noted below, we are vulnerable to the second issue and will have<BR />a sw update available via a patch soon ( I believe by next week but I cant<BR />supply any dates ). <BR /><BR />The HP Security Doc is HPSBUX0206-195 and will be updated when the fix is<BR />available, I'll also send you a email when it comes out.""<BR /><BR />Hope this helps Mon, 15 Jul 2002 14:19:44 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762182#M72697 Daimian Woznick 2002-07-15T14:19:44Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762183#M72698 Here is the newest update I received from HP:<BR /><BR />Regarding version 3.4 it appears there were<BR />some issues during testing of this release, its possible HP will not releas<BR />a version based on 3.4 at all and will skip to the next available version.<BR />As a general rule there will be updates to the product once a quarter via<BR />software.hp.com.<BR /> Tue, 16 Jul 2002 12:35:14 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762183#M72698 Daimian Woznick 2002-07-16T12:35:14Z https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762184#M72699 I previously opened an issue with HP on a problem I encountered with Secure Shell and mentioned the CERT Advisory issue. HP has the depot files available to address the issue at:<BR /><BR /><A href="http://www.software.hp.com/ISS_products_list.html" target="_blank">http://www.software.hp.com/ISS_products_list.html</A><BR /><BR />The following I received from HP in regards to advisory:<BR /><BR /><BR />The ssh release 3.10.02 is available on <A href="http://software.hp.com" target="_blank">http://software.hp.com</A> this fixes the second part of CA-2002-18, HP was not ulnerable to the first part of the CERT:<BR /><BR />PART I: <BR /><BR />If the SKEY and BSD_AUTH authentication compile-time options are explicitly enabled, it may cause a remote denial of service attack on the OpenSSH daemon. Does this security problem exist with HP-UX Secure Shell? See CERT on OpenSSH Vulnerabilities in Challenge Response Handling<BR />&lt;&gt; HP-UX Secure Shell does NOT enable either of these options. There is no denial of service risk with HP-UX Secure Shell. <BR /><BR />Part II, we were vulnerable to, 3.10.002 fixed it and is now out on the software.hp.com portal.<BR /><BR />Will there be a patch or a release to incorporate the fix for the Cert problem mentioned above? <BR />HP-UX Secure Shell will be updated with a license file for OpenSSL to the product and the fix for the security cert on PAMAuthenticationViaKbdInt. The next version A.03.10.002 will be available for the software depot on 7/29<BR />and the September HP-UX quarterly application release. <BR /><BR />Hope this helps anyone looking at Secure Shell. Wed, 31 Jul 2002 12:03:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/hp-ux-secure-shell/m-p/2762184#M72699 Daimian Woznick 2002-07-31T12:03:05Z