Vulnerability Note VU#389665

Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization

Overview

Secure shell (SSH) transport layer protocol implementations from different vendors contain multiple vulnerabilities in code that handles key exchange and initialization. Both SSH servers and clients are affected. A remote attacker could execute arbitrary code with the privileges of the SSH process or cause a denial of service.

I. Description

From the IETF draft SSH Transport Layer Protocol:

    SSH is a protocol for secure remote login and other secure network services over an insecure network.

    This document describes the SSH transport layer protocol which typically runs on top of TCP/IP.  The protocol can be used as a basis for a number of secure network services.  It provides strong encryption, server authentication, and integrity protection.  It may also provide compression.

    Key exchange method, public key algorithm, symmetric encryption algorithm, message authentication algorithm, and hash algorithm are all negotiated.

Rapid7 has developed a suite of test cases (SSHredder) that examine the connection initialization, key exchange, and negotiation phase (KEX, KEXINIT) of the SSH transport layer protocol. The suite tests the way an SSH transport layer implementation handles invalid or incorrect packet and string lengths, padding and padding length, malformed strings, and invalid algorithms.

The test suite has demonstrated a number of vulnerabilities in different vendors' SSH products. These vulnerabilities include buffer overflows, and they occur before user authentication takes place. Common Vulnerabilities and Exposures (CVE) has assigned the following candidate numbers for several classes of tests performed by SSHredder:

    CAN-2002-1357: incorrect length fields, i.e. specified length field does not match the actual length of the input
    CAN-2002-1359: "classic" buffer overflows (length field, if present, is consistent with the actual length of buffer)
    CAN-2002-1360: null characters in strings (which trigger conflicts between delimiter-based and length-based strings)

Rapid7 has posted an advisory (R7-0009) and the SSHredder test suite.
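
The receiver-side checks that these test classes exercise can be shown in a short C example. This code is added here for illustration and is not taken from CERT/CC, Rapid7 or any vendor; it follows the cleartext KEXINIT layout in the SSH transport draft, and check_kexinit, build_sample, the error codes and the 35000-byte cap are names and values assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSH_MSG_KEXINIT 20
#define MAX_PACKET 35000u  /* assumed local cap on packet_length */
enum { KEX_OK, KEX_BAD_LENGTH, KEX_BAD_PADDING, KEX_BAD_STRING, KEX_EMBEDDED_NUL, KEX_BAD_TYPE };
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }

/* Validate one cleartext KEXINIT packet in buf[0..len). Names here are hypothetical. */
int check_kexinit(const uint8_t *buf, size_t len) {
    if (len < 5) return KEX_BAD_LENGTH;
    uint32_t plen = get32(buf);              /* bytes that follow the length field */
    if (plen > MAX_PACKET || plen != len - 4) return KEX_BAD_LENGTH;
    uint32_t pad = buf[4];
    if (pad < 4 || pad + 1 > plen || (plen + 4) % 8) return KEX_BAD_PADDING;
    size_t paylen = plen - 1 - pad, off = 17; /* off skips type byte and 16-byte cookie */
    const uint8_t *p = buf + 5;
    if (paylen < off || p[0] != SSH_MSG_KEXINIT) return KEX_BAD_TYPE;
    for (int i = 0; i < 10; i++) {           /* ten algorithm name-lists */
        if (paylen - off < 4) return KEX_BAD_STRING;
        uint32_t slen = get32(p + off);
        off += 4;
        if (slen > paylen - off) return KEX_BAD_STRING;   /* compare with bytes left */
        if (memchr(p + off, 0, slen)) return KEX_EMBEDDED_NUL;
        off += slen;
    }
    return paylen - off == 5 ? KEX_OK : KEX_BAD_LENGTH;   /* boolean + reserved uint32 */
}

/* Constructed sample: KEXINIT with ten name-lists that all hold name[0..n). */
size_t build_sample(uint8_t *out, const char *name, uint32_t n) {
    size_t off = 5;
    out[off++] = SSH_MSG_KEXINIT;
    memset(out + off, 0xAA, 16); off += 16;  /* cookie */
    for (int i = 0; i < 10; i++, off += 4 + n) {
        put32(out + off, n);
        memcpy(out + off + 4, name, n);
    }
    size_t pad = 8 - (off + 5) % 8; if (pad < 4) pad += 8;
    memset(out + off, 0, 5 + pad); off += 5 + pad;  /* boolean, reserved, zero padding */
    put32(out, (uint32_t)(off - 4)); out[4] = (uint8_t)pad;
    return off;
}

int main(void) { uint8_t pkt[512]; return check_kexinit(pkt, build_sample(pkt, "aes128-ctr", 10)); }
```

Each length is compared with the bytes still unread rather than added to an offset, so an oversized 32-bit length cannot wrap the arithmetic before the comparison.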

II. Impact

The impact will vary for different vulnerabilities, but in some cases remote attackers could execute arbitrary code with the privileges of the SSH process. Both SSH servers and clients are affected. On Windows systems, SSH servers commonly run with SYSTEM privileges. SSH daemons on UNIX systems typically run with root privileges. In the case of SSH clients, any attacker-supplied code would run with the privileges of the user who started the client program. Additional privileges may be afforded to an attacker when the SSH client is configured to run with an effective user ID (setuid/setgid) of root. Attackers could also crash a vulnerable SSH process, causing a denial of service.

While OpenSSH does not appear to be affected, it is worth noting that privilege separation would greatly reduce the impact of arbitrary code execution during the KEXINIT phase.

III. Solution

Upgrade or Apply Patch

Upgrade or apply a patch as specified by your vendor.

Restrict Access

Until patches or upgrades are available, it may be possible to limit access to vulnerable SSH clients and servers using the built-in facilities of some SSH implementations, firewalls, packet filters, TCP Wrappers, or other similar technology. Note that this workaround will not prevent exploitation of these vulnerabilities; it will only limit the number of potential sources of attacks.

Do Not Trust DNS

SSH clients can reduce the risk of attacks by only connecting to trusted servers by IP address. Again, this will not prevent attacks, but it will remove the ability of an attacker to redirect a client using DNS cache poisoning or by compromising a DNS server.

Systems Affected

Vendor                                       Status          Date Updated
3Com                                         Unknown         20-Dec-2002
Alcatel                                      Vulnerable      5-May-2003
AppGate Network Security AB                  Not Vulnerable  5-May-2003
Apple Computer Inc.                          Not Vulnerable  20-Dec-2002
Avaya                                        Unknown         20-Dec-2002
Bitvise                                      Unknown         13-Dec-2002
Cisco Systems Inc.                           Vulnerable      20-Dec-2002
Computer Associates                          Unknown         20-Mar-2003
Cray Inc.                                    Not Vulnerable  27-Nov-2002
cryptlib                                     Not Vulnerable  11-Mar-2003
D-Link Systems                               Unknown         20-Dec-2002
Data General                                 Unknown         27-Nov-2002
F-Secure                                     Vulnerable      2-Dec-2002
Foundry Networks Inc.                        Unknown         20-Dec-2002
FreeBSD                                      Unknown         20-Mar-2003
Fujitsu                                      Not Vulnerable  2-Dec-2002
Hewlett-Packard Company                      Vulnerable      23-Dec-2002
IBM                                          Not Vulnerable  16-Dec-2002
Intel                                        Unknown         20-Dec-2002
Interpeak                                    Unknown         11-Mar-2003
Intersoft International Inc.                 Vulnerable      7-Jan-2003
Juniper Networks                             Vulnerable      9-Jan-2003
lsh                                          Not Vulnerable  13-Dec-2002
Lucent Technologies                          Unknown         20-Dec-2002
MacSSH                                       Not Vulnerable  17-Dec-2002
Massachusetts Institute of Technology (MIT)  Unknown         17-Dec-2002
NEC Corporation                              Unknown         26-Nov-2002
NetBSD                                       Unknown         20-Mar-2003
Netcomposite                                 Unknown         11-Mar-2003
NetScreen                                    Not Vulnerable  16-Dec-2002
Network Appliance                            Unknown         20-Dec-2002
Nokia                                        Unknown         3-Dec-2002
Nortel Networks                              Vulnerable      20-Jan-2003
OpenSSH                                      Not Vulnerable  13-Dec-2002
Pragma Systems                               Vulnerable      2-Dec-2002
PuTTY                                        Vulnerable      20-Jan-2003
Red Hat Inc.                                 Unknown         20-Dec-2002
Redback Networks Inc.                        Unknown         20-Dec-2002
Riverstone Networks                          Vulnerable      2-Jan-2003
SGI                                          Unknown         27-Nov-2002
Sony Corporation                             Unknown         27-Nov-2002
SSH Communications Security                  Vulnerable      17-Dec-2002
Sun Microsystems Inc.                        Unknown         17-Feb-2003
The SCO Group                                Unknown         20-Dec-2002
The SCO Group                                Unknown         27-Nov-2002
TTSSH/TeraTerm                               Unknown         17-Dec-2002
Unisys                                       Unknown         27-Nov-2002
VanDyke Software Inc.                        Not Vulnerable  18-Dec-2002
WinSCP                                       Vulnerable      20-Jan-2003
Xerox Corporation                            Not Vulnerable  25-Feb-2003

References


http://www.rapid7.com/advisories/R7-0009.txt
http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666
http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-15.txt
http://www.ietf.org/internet-drafts/draft-ietf-secsh-architecture-13.txt
http://www.citi.umich.edu/u/provos/ssh/privsep.html

Credit

The CERT/CC thanks Rapid7 for researching and reporting these vulnerabilities.

This document was written by Art Manion and Shawn V. Hernan.

Other Information

Date Public: 12/16/2002
Date First Published: 12/16/2002 12:59:41 PM
Date Last Updated: 06/18/2003
CERT Advisory: CA-2002-36
CVE Name: CAN-2002-1357
US-CERT Technical Alerts:
Metric: 11.04
Document Revision: 38

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2002 Carnegie Mellon University