A security vulnerability which affects the sshd(1M) daemon when configured to use protocol version 1 may allow a remote user to cause the daemon to consume an excessive amount of CPU power. This will affect the performance and responsiveness of the system as a whole, resulting in a denial of service (DoS) to the system.

This issue is also referenced in the following document:

CVE-2006-4924 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924

This issue can occur in the following releases:

SPARC Platform

• Solaris 9 without patch 113273-15
• Solaris 10 without patch 123324-03

x86 Platform

• Solaris 9 without patch 114858-12
• Solaris 10 without patch 123325-03

Notes:

1. Solaris 8 does not include the sshd(1M) daemon and is therefore not impacted by this issue.
2. This issue only affects systems which are configured to run the SSH service with version 1 of the SSH protocol.

A command such as the following can be used to determine if the sshd daemon is running on a host:

    $ pgrep sshd || echo "sshd not running"

To determine if sshd is configured to use version 1 of the protocol, a command such as the following can be used to list the configured protocols from the default configuration file (see sshd_config(4)):

    $ grep Protocol /etc/ssh/sshd_config
    Protocol 2,1

If '1' is included in the list of configured protocols (or if no 'Protocol' line is found as the default setting is '2,1'), then the host is potentially affected by this issue; note that in order for protocol version 1 to be truly supported on the host it must be provided with a compatible host key via the HostKey directive, see sshd_config(4) for more details.

If this issue is exploited to cause a denial of service on the host, one or more sshd processes will be running and will be consuming an unusually large percentage of CPU time. In addition, the host itself may be generally unresponsive.

To determine the CPU usage of the processes running on the system, a command such as the following can be used, which will sort the running process by CPU consumption (in descending order):

    $ prstat -s cpu
    [...]

To work around the described issue, sites may choose to disable version 1 of the protocol by removing '1' from the list of supported protocols in the /etc/ssh/sshd_config file (see sshd_config(4)). E.g.:

    $ grep Protocol /etc/ssh/sshd_config
    Protocol 2

and then restart the sshd daemon:

For Solaris 9:

    # /etc/init.d/sshd stop ; /etc/init.d/sshd start

For Solaris 10:

    # svcadm restart ssh

This issue is addressed in the following releases:

SPARC Platform

• Solaris 9 with patch 113273-15 or later
• Solaris 10 with patch 123324-03 or later

x86 Platform

• Solaris 9 with patch 114858-12 or later
• Solaris 10 with patch 123325-03 or later

• Updated Contributing Factors and Resolution sections

• Updated Contributing Factors and Resolution sections

• Updated Contributing Factors and Resolution sections
• State: Resolved

This solution has no attachment