Vulnerability Note VU#787448

OpenSSH fails to properly handle multiple identical blocks in a SSH packet

Overview

OpenSSH fails to properly handle multiple identical blocks in a SSH packet. This vulnerability may cause a denial-of-service condition.

I. Description

OpenSSH is an open source client and server implementation of the Secure Shell (SSH) protocol. OpenSSH includes a cyclic redundancy check (CRC) compensation attack detection function that produces a checksum on a block of data in a SSH packet. This function was introduced to defend against exploitation of CRC weaknesses in version 1 of the SSH protocol (see VU#13877). Multiple identical blocks contained within a SSH packet may trigger a computationally expensive operation within the CRC attack detector that can lead to a denial of service. According to the OpenSSH 4.4 release notes:

    [This vulnerability]...would cause sshd(8) to spin until the login grace time expired.

The OpenSSH sshd daemon is only vulnerable when SSH protocol version 1 is enabled.

II. Impact

A remote, unauthenticated attacker could cause a denial-of-service condition by sending specially crafted packets to the OpenSSH server that would cause it to use excessive CPU time until a connection timeout occurs.

III. Solution

Upgrade

See the Systems Affected section of this document for information about specific vendors. Users who compile OpenSSH from source are encouraged to update to the most recent version.

Disable SSH version 1

SSH protocol version 1 should be disabled in order to prevent this vulnerability from occurring on affected systems.
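
An added example (not part of the original note and not OpenSSH's own code): a Python check that reports whether an sshd_config leaves protocol version 1 enabled, and which versions a server identification string advertises. The function names and sample inputs are constructed for illustration; treating a missing Protocol line as "2,1" is an assumption about the sshd default in affected releases.

```python
import re

# Assumption: sshd releases affected by this note accept both versions when no
# Protocol line is present (sshd_config default "2,1").
LEGACY_DEFAULT = frozenset({"1", "2"})

def configured_protocols(config_text, default=LEGACY_DEFAULT):
    """Return the protocol versions an sshd_config enables."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(\S+)", line)
        # Keywords are case-insensitive and the first occurrence wins.
        if m and m.group(1).lower() == "protocol":
            return {v for v in m.group(2).split(",") if v}
    return set(default)

def banner_protocols(banner):
    """Map a server identification string to the versions it offers."""
    m = re.match(r"SSH-(\d+)\.(\d+)-", banner)
    if not m:
        return set()
    major, minor = m.groups()
    if (major, minor) == ("1", "99"):  # 1.99 = protocol 2 with version 1 fallback
        return {"1", "2"}
    return {"2"} if major == "2" else {"1"}

def protocol1_enabled(config_text):
    """True when the configuration still accepts SSH protocol version 1."""
    return "1" in configured_protocols(config_text)

# Constructed sample inputs, not taken from the advisory.
SAMPLES = {
    "explicit both": "Port 22\nProtocol 2,1\n",
    "no directive": "# Protocol 2\nPort 22\n",
    "v2 only": "port 22\nprotocol = 2\nProtocol 2,1\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        state = "ENABLED" if protocol1_enabled(text) else "disabled"
        print(f"{name:14} protocol 1 {state}")
    for b in ("SSH-1.99-OpenSSH_4.3", "SSH-2.0-OpenSSH_4.3"):
        print(b, "->", sorted(banner_protocols(b)))
```

The "no directive" sample shows why a commented-out Protocol line is not enough: the setting has to be stated explicitly as "Protocol 2" for the check to report version 1 as disabled.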

Systems Affected

Vendor                     Status       Date Notified   Date Updated
Apple Computer, Inc.       Vulnerable                   13-Mar-2007
Avaya, Inc.                Vulnerable                   23-Oct-2006
Debian GNU/Linux           Vulnerable                   6-Oct-2006
FreeBSD, Inc.              Vulnerable                   4-Oct-2006
Gentoo Linux               Vulnerable                   2-Oct-2006
Hewlett-Packard Company    Vulnerable                   19-Jan-2007
Mandriva, Inc.             Vulnerable                   6-Oct-2006
OpenBSD                    Vulnerable                   10-Nov-2006
OpenPKG                    Vulnerable                   4-Oct-2006
OpenSSH                    Vulnerable                   2-Oct-2006
Red Hat, Inc.              Vulnerable                   2-Oct-2006
rPath                      Vulnerable                   2-Oct-2006
Slackware Linux Inc.       Vulnerable                   2-Oct-2006
SUSE Linux                 Vulnerable                   23-Oct-2006
Trustix Secure Linux       Vulnerable                   6-Oct-2006
Ubuntu                     Vulnerable                   4-Oct-2006
VMware                     Vulnerable                   19-Jan-2007

References


http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=115939141729160&w=2
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207955
http://secunia.com/advisories/22091
http://www.securityfocus.com/bid/20216
http://www.openssh.com/txt/release-4.4
https://issues.rpath.com/browse/RPL-661
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566
http://secunia.com/advisories/22208/
http://secunia.com/advisories/22236/
http://secunia.com/advisories/22183/
http://support.avaya.com/elmodocs2/security/ASA-2006-216.htm
http://secunia.com/advisories/22362/
http://secunia.com/advisories/22495/
http://secunia.com/advisories/23241/
http://docs.info.apple.com/article.html?artnum=305214

Credit

This issue was reported in the OpenSSH 4.4 release notes. OpenSSH credits Tavis Ormandy of the Google Security Team for reporting this issue.

This document was written by Chris Taschner.

Other Information

Date Public: 2006-09-27
Date First Published: 2006-10-04
Date Last Updated: 2007-03-13
CERT Advisory: 
CVE-ID(s): CVE-2006-4924
NVD-ID(s): CVE-2006-4924
US-CERT Technical Alerts: 
Metric: 8.82
Document Revision: 41

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2006 by US-CERT, a government organization