copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » AL-2001.16 -- SSH CRC32 Weakness
 

AL-2001.16 -- SSH CRC32 Weakness
Date: 06 November 2001
References: ESB-2001.484  ESB-2001.541  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                      AL-2001.16  --  AUSCERT ALERT
                           SSH CRC32 Weakness 
                             6 November 2001

===========================================================================

PROBLEM:  

	As quoted from the CERT/CC vulnerability note VU#945216:

	"There is a remote integer overflow vulnerability in several
	implementations of the SSH1 protocol. This vulnerability is
	located in a segment of code that was introduced to defend
	against exploitation of CRC32 weaknesses in the SSH1 protocol.
	The attack detection function (detect_attack, located in
	deattack.c) makes use of a dynamically allocated hash table to
	store connection information that is then examined to detect and
	respond to CRC32 attacks. By sending a crafted SSH1 packet to an
	affected host, an attacker can cause the SSH daemon to create a
	hash table with a size of zero. When the detection function then
	attempts to hash values into the null-sized hash table, these
	values can be used to modify the return address of the function
	call, thus causing the program to execute arbitrary code with
	the privileges of the SSH daemon, typically root."


PLATFORM: 
          
	The following vendors have been confirmed to have some
	implementations of their software vulnerable to this attack:

	- CORE SDI
	- Debian
	- FreeBSD
	- F-Secure
	- OpenSSH
	- SSH Communications Security

	Additionally, the administrators of any products which use SSH
	protocol version 1 or SSH protocol version 2 with fallback to SSH
	protocol version 1 should contact the products vendor and enquire
	about the vulnerability and the patches which may be available.


IMPACT:   

	Vulnerable systems could allow for a remote attacker to execute
	arbitrary code with the privileges of the SSH daemon, typically
	root.


RECOMMENDATIONS:

	Apply the patches available from your vendor.

	Disable support for SSH protocol version 1, including the ability
	to use SSH protocol version 1 as a fallback from version 2.

	For products using SSH as a daemon/server not previously mentioned,
	please contact the vendor for more information.

- ---------------------------------------------------------------------------
For a detailed technical explanation, please see:

	http://www.core-sdi.com/pressroom/advisories_desplegado.php?idx=81
	http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

Additional information can be found at:

	http://www.kb.cert.org/vuls/id/945216

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO+gh6yh9+71yA2DNAQE8zAQAl+fWkq59LHtZ9rV+WvZ2jdPZ43kR0JZR
6nrrpBQ0ByKTgBFBHgwE1J+b13xqw8YTuK0p5pvMOwOPeB85ig8AmaEkCWreDmtk
aFqNxQCaKyYikVUbKDMq7ONmbmNAIUCSSSofqL9cmra1r0VH+khsQn4WL9M3cXHB
zuZV/U0q/As=
=14mI
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1&it=109