Security experts are advising Linux and Unix software users to apply an update for the OpenSSH protocol since this "Secure Shell" protocol for remote administration of software has been found to have a programming error that would let a local authorized user gain superuser root privileges.
The Open SSH Project, which is run by the OpenBSD, has corrected this vulnerability in Version 3.1 of OpenSSH, which was released last Thursday.
"FreeBSD has updated their source code," said Daniel Frasnelli, managing consultant at Herndon, Va., security firm Network Security Technologies Inc. "Anyone who uses SSH should download the latest release of SSH."
Sun, for instance, ships OpenSSH with Solaris and Sparc servers, said Frasnelli, so it would be appropriate to check with product vendors on the security issue. Several vendors have issued alerts and released updates of their own.
With the version of OpenSSH prior to the newly-issued 3.1 version, an attacker could figure out how to take control of a machine running OpenSSH through what's equivalent to a buffer-overflow attack, said Frasnelli.