[NEWS] Widespread Exploitation of SSH CRC32 Compensation Attack

From: support@securiteam.com
Date: 11/03/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Widespread Exploitation of SSH CRC32 Compensation Attack
Message-Id: <20011103171633.84829138BF@mail.der-keiler.de>
Date: Sat,  3 Nov 2001 18:16:33 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Widespread Exploitation of SSH CRC32 Compensation Attack
------------------------------------------------------------------------

SUMMARY

Internet Security Systems (ISS) X-Force has learned of extensive
exploitation of a serious Secure Shell (SSH) remote vulnerability. This
vulnerability may allow remote attackers to execute arbitrary code on a
target system without any specific knowledge of that host. An advanced
exploit for this vulnerability exists and is being used in the wild. The
serious nature of this vulnerability is compounded by the confusing nature
of SSH product versions and patches.

DETAILS

Affected Versions:
Cisco Catalyst 6000 6.2(0.110)
Cisco IOS 12.0S
* Cisco IOS 12.1xx-12.2xx
Cisco PIX Firewall 5.2(5)
Cisco PIX Firewall 5.3(1)
SSH Communications Security SSH 2.x and 3.x (if SSH Version 1 fallback is
enabled)
SSH Communications Security SSH 1.2.23-1.2.31
F-Secure SSH versions prior to 1.3.11-2
OpenSSH versions prior to 2.3.0 (if SSH Version 1 fallback is enabled)
OSSH 1.5.7

* Note: Please refer to the Cisco Security Advisory in the "Additional
Information" section of this alert.

A serious vulnerability in the SSH daemon (SSHd) affecting most current
SSHd versions was reported in February 2001. Different implementations of
the SSH protocol are listed in the "Affected Versions" section.
Maintainers of vulnerable SSH versions issued patches soon after the
vulnerability was made public.

The vulnerability exists in affected SSH versions when integer
calculations are not handled correctly, resulting in a buffer overflow
condition. Exploitation of this vulnerability at the time was considered
extremely difficult, but not technically impossible.

X-Force has learned of extensive scanning for vulnerable SSH servers.
Lists of vulnerable servers would be extremely easy for attackers to
gather. The version information can be obtained simply by connecting to
port 22, where SSHd displays a banner containing its SSH version
information.

The problem is compounded by the fact that newer and non-vulnerable SSH
servers can be installed in conjunction with older, vulnerable SSHd
daemons to handle legacy SSH Version 1 connections. It is important to
note that upgrading to a new SSH Version 2 daemon may not patch this
vulnerability. Please refer to the "Affected Versions" section for more
information.

Recommendations:
ISS X-Force recommends that security and network administrators examine
their SSH configurations to determine if patching is necessary and if SSH
Version 1 connection fallback is still enabled. X-Force recommends
upgrading to new SSH Version 2 support if possible. If SSH Version 1 is
not used, disable fallback and remove old SSHd Version 1 binaries. Please
refer to your vendor to obtain patch and upgrade information.
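As an added illustration (not part of the ISS X-Force alert or SecuriTeam's text), the following script applies the two checks the advisory asks administrators to make: whether a server's port-22 banner still offers SSH Version 1 (protocol version 1.99 or 1.x) and whether its reported software falls in the "Affected Versions" list. The banners are constructed samples and the vendor banner layouts (OpenSSH_x.y.z, bare 1.2.x / 2.x.y version strings for SSH Communications Security) are assumptions; Cisco and F-Secure layouts are not modelled.

```python
"""Classify SSH banners for the SSH-1 / CRC32 exposure in this advisory (offline;
banners are constructed samples; vendor banner layouts are assumptions:
'OpenSSH_x.y.z', and bare '1.2.x' (ssh1) / '2.x.y' (ssh2) for SSH Communications)."""
import re

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")

def _ver(text: str) -> tuple:
    """'2.2.0p1' -> (2, 2, 0): keep only the first three numeric fields."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def assess_banner(banner: str) -> dict:
    """Return what the banner alone tells a defender about one server."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return {"parsed": False, "ssh1_offered": None, "affected": None,
                "action": "unrecognised banner: inspect the host manually"}
    proto, soft = m.group("proto"), m.group("soft")
    # protoversion 1.99 = an SSH-2 server that still accepts SSH-1 clients (the
    # "Version 1 fallback" of the advisory); 1.x = SSH-1 only; 2.0 = SSH-2 only.
    ssh1_offered = proto.startswith("1.")
    affected, action = False, "no action from this advisory"
    if soft.startswith("OpenSSH_"):
        if ssh1_offered and _ver(soft[8:]) < (2, 3, 0):
            affected, action = True, "OpenSSH prior to 2.3.0 with SSH-1 fallback: upgrade"
    elif re.fullmatch(r"1\.2\.\d+", soft):                        # assumed ssh1 layout
        if (1, 2, 23) <= _ver(soft) <= (1, 2, 31):
            affected, action = True, "SSH 1.2.23-1.2.31: apply vendor patch"
    elif ssh1_offered and re.fullmatch(r"[23]\.\d+\.\d+", soft):  # assumed ssh2 layout
        affected, action = True, "SSH 2.x/3.x with SSH-1 fallback: patch the sshd1 it hands off to"
    if not affected and ssh1_offered:
        # Not on the affected list, but the advisory still says: if SSH-1 is unused,
        # disable fallback and remove the old sshd1 binary.
        action = "SSH-1 still offered: disable fallback, remove legacy sshd1 if unused"
    return {"parsed": True, "proto": proto, "software": soft,
            "ssh1_offered": ssh1_offered, "affected": affected, "action": action}

def triage(inventory: dict) -> list:
    """(host, action) pairs needing follow-up, confirmed-affected hosts first."""
    rows = [(host, assess_banner(b)) for host, b in inventory.items()]
    todo = [(h, r) for h, r in rows if not r["parsed"] or r["affected"] or r["ssh1_offered"]]
    todo.sort(key=lambda hr: (not hr[1]["affected"], hr[0]))
    return [(h, r["action"]) for h, r in todo]

SAMPLE_INVENTORY = {                                # constructed banners, one per host
    "bastion": "SSH-2.0-OpenSSH_2.9p2",             # SSH-2 only, current: clean
    "legacy-www": "SSH-1.99-OpenSSH_2.2.0p1",       # old OpenSSH, fallback on: affected
    "fw-mgmt": "SSH-1.5-1.2.27",                    # ssh1 in the 1.2.23-1.2.31 range
    "build": "SSH-1.99-2.4.0 SSH Secure Shell",     # ssh2 with fallback on: affected
    "db": "SSH-1.99-OpenSSH_2.9p2",                 # patched, but still offers SSH-1
}
```

Because an SSH-2 daemon hands SSH-1 clients to a separate sshd1 binary, a 1.99 banner cannot reveal that binary's version; the script therefore reports fallback itself as a finding, as the advisory does.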

Cisco: http://www.cisco.com

OpenSSH: http://www.openssh.com

SSH Communications Security: http://www.ssh.com

F-Secure: http://www.f-secure.com/support/ssh/

ADDITIONAL INFORMATION

Remote vulnerability in SSH daemon crc32 compensation attack detector
http://www.securiteam.com/securitynews/5LP042K3FY.html

Cisco Security Advisory: Multiple SSH Vulnerabilities
http://www.securiteam.com/securitynews/5LP10004KE.html

OpenSSH Security
http://www.openssh.com/security.html

The information has been provided by X-Force (xforce@iss.net).
