CVE-2002-0640
Description
Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
27cpe:2.3:a:openbsd:openssh:1.2.2:*:*:*:*:*:*:*+ 25 more
- cpe:2.3:a:openbsd:openssh:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:2.9:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:2.9.9:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:2.9p1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:2.9p2:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.0.1p1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.0.2p1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.0p1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.1p1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.2.2p1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.2.3p1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:3.3p1:*:*:*:*:*:*:*
- Range: 2.3.1 - 3.3
Patches
Vulnerability mechanics
Root cause
"Buffer overflow in sshd's handling of a large number of responses during challenge-response authentication when PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt) are used."
Attack vector
An attacker can trigger a buffer overflow by sending a large number of responses during challenge-response authentication. This occurs when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt). The overflow may allow remote code execution. The advisory does not specify the exact payload shape or network path beyond that the attack is remote and targets the pre-authentication phase of sshd.
Affected code
The vulnerability exists in sshd's challenge-response authentication path when PAMAuthenticationViaKbdInt is enabled. The patch modifies sshd.c and srclink.c to add per-source penalty tracking, but does not alter the vulnerable code path itself. The advisory does not specify the exact function or file containing the overflow.
What the fix does
The patch does not directly fix the buffer overflow described in CVE-2002-0640. Instead, it introduces a per-source penalty system (PerSourcePenalties) that monitors child process exit statuses and penalizes client addresses that cause sshd to crash (e.g., via signal termination or abnormal exit) [patch_id=2191240]. When a penalty threshold is exceeded, connections from that address are refused, making it harder for attackers to exploit bugs in sshd. The patch also improves tracking of pre-auth child processes, logging crashes and authentication failures, and adds a SIGINFO handler for diagnostic visibility. No direct fix for the overflow itself is present in this patch.
Preconditions
- configOpenBSD system using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt)
- networkAttacker must be able to establish a TCP connection to sshd
- inputAttacker must send a large number of responses during challenge-response authentication
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
18- www.cert.org/advisories/CA-2002-18.htmlnvdUS Government Resource
- www.kb.cert.org/vuls/id/369347nvdUS Government Resource
- ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txtnvd
- distro.conectiva.com.br/atualizacoes/nvd
- marc.infonvd
- marc.infonvd
- marc.infonvd
- marc.infonvd
- www.debian.org/security/2002/dsa-134nvd
- www.linuxsecurity.com/advisories/other_advisory-2177.htmlnvd
- www.mandrakesoft.com/security/advisoriesnvd
- www.novell.com/linux/security/advisories/2002_024_openssh_txt.htmlnvd
- www.openwall.com/lists/oss-security/2024/07/01/3nvd
- www.osvdb.org/839nvd
- www.redhat.com/support/errata/RHSA-2002-127.htmlnvd
- www.redhat.com/support/errata/RHSA-2002-131.htmlnvd
- www.securityfocus.com/bid/5093nvd
- www1.itrc.hp.com/service/cki/docDisplay.donvd
News mentions
0No linked articles in our index yet.