Re: Attacks against SSH?
From: Jason Baker (jbaker@filonet.ca) Date: 12/04/01
- In reply to: Dave Dittrich: "Re: Attacks against SSH?"
From: Jason Baker <jbaker@filonet.ca> To: incidents@securityfocus.com Date: Tue, 4 Dec 2001 11:27:13 -0800
On December 3, 2001 10:45 pm, you wrote:
>
> This exploit is indeed a different crc32 exploit than the one I
> analyzed a couple weeks ago, but it affects the same set of systems as
> the one I analyzed. For those who haven't seen it, the analysis
> includes examples and a script for scanning your network to identify
> *potentially* vulnerable systems (you need to check the version of
> your protocol 1 fallback server separately, if you allow fallback):
>
> http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
From this analysis, SSH-1.5-OpenSSH-1.2.3 is listed as vulnerable, but that's
what you get when you install the SSH update from Debian, listed in DSA-027.
I'd normally expect that just fixed a different problem, but the text of
their advisory for "ssh-nonfree" (DSA-086-1) states:
"We have received reports that the "SSH CRC-32 compensation attack detector
vulnerability" is being actively exploited. This is the same integer type
error previously corrected for OpenSSH in DSA-027-1. OpenSSH (the Debian
ssh package) was fixed at that time, but ssh-nonfree and ssh-socks were
not."
I took a quick look around and didn't see the exploit code. Is there anyone
who can confirm if Debian with ssh 1:1.2.3-9.2 is vulnerable? (Or point me
at the exploit and I'll test myself.)