Nokia Information for VU#333628

OpenSSH contains buffer management errors

Status

Affected

Vendor Statement

Nokia confirms that IPSO and IPSO-SX are affected by the vulnerability described in CERT Coordination Center Vulnerability Note VU#333628. We are currently backporting the patches provided by the OpenSSH team into the OpenSSH versions deployed within IPSO and IPSO-SX.

According to CERT/CC, the most likely impact of the vulnerability is the potential for a DoS attack if an exploit script is repeatedly executed against the same device. This potential can be eliminated by restricting access to SSH, allowing access only from trusted workstations by using either Access Control Lists (ACLs) or firewall rules to restrict access to TCP port 22.

To prevent automated scanners from successfully exploiting this vulnerability, ensure that the SSH server does not run on the default port of TCP 22 and is running on an alternate port, preferably above port 1024. In IPSO, this can be done by going to the "Security and Access Configuration" section in Voyager, selecting "SSH (Secure Shell)," and then clicking on the "Go to the advanced server options page" link. From here, under the "Configure Server Protocol Details" heading, the TCP port number for the SSH service can be changed to a different value.

We expect to provide updated releases of IPSO and IPSO-SX the week of September 22, 2003.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.
