Vulnerability Note VU#389665
Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization
Overview
Secure shell (SSH) transport layer protocol implementations from different vendors contain multiple vulnerabilities in code that handles key exchange and initialization. Both SSH servers and clients are affected. A remote attacker could execute arbitrary code with the privileges of the SSH process or cause a denial of service.
Description
From the IETF draft SSH Transport Layer Protocol: "SSH is a protocol for secure remote login and other secure network services over an insecure network." Rapid7's SSHredder test suite, which exercises the key exchange and initialization phase of the transport layer protocol, has demonstrated a number of vulnerabilities in different vendors' SSH servers and clients. These vulnerabilities include buffer overflows, and they are triggered before user authentication takes place, so an attacker needs no account on the target system. Common Vulnerabilities and Exposures (CVE) has assigned candidate numbers for several classes of tests performed by SSHredder; the CVE ID listed under Other Information below belongs to this set.
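As an added example (not code from this vulnerability note, from Rapid7, or from any affected vendor), the following C parser shows the bounds checks a transport layer implementation needs when it reads attacker-supplied length fields in the binary packet and in KEXINIT name-lists, the phase of the protocol that the test suite exercised. The message layouts follow the referenced secsh-transport draft and the 35000-byte total packet size from that specification is used as the ceiling; the error codes, function names and the constructed sample packet built by build_kexinit are this example's own assumptions. Every length read from the wire is compared with the bytes actually buffered before it is used, and name-lists are rejected if they contain empty elements or non-printable bytes such as NUL.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Result codes of this example (hypothetical names, not from any SSH implementation). */
enum { SSH_OK = 0, SSH_ERR_TRUNCATED = -1, SSH_ERR_LENGTH = -2,
       SSH_ERR_NAMELIST = -3, SSH_ERR_TYPE = -4 };
#define SSH_MAX_PACKET 35000u      /* total packet size every peer must accept */
#define SSH_MSG_KEXINIT 20

/* Cursor over received bytes; every read below checks remaining() first. */
typedef struct { const uint8_t *p; size_t len; size_t off; } sshbuf;
static size_t remaining(const sshbuf *b) { return b->len - b->off; }

static int get_u8(sshbuf *b, uint8_t *v) {
    if (remaining(b) < 1) return SSH_ERR_TRUNCATED;
    *v = b->p[b->off++]; return SSH_OK;
}
static int get_u32(sshbuf *b, uint32_t *v) {
    if (remaining(b) < 4) return SSH_ERR_TRUNCATED;
    const uint8_t *q = b->p + b->off;
    *v = ((uint32_t)q[0] << 24) | ((uint32_t)q[1] << 16) | ((uint32_t)q[2] << 8) | q[3];
    b->off += 4; return SSH_OK;
}
/* SSH "string": uint32 length then that many bytes. The length is attacker
 * controlled, so it is compared with the bytes actually buffered before use. */
static int get_string(sshbuf *b, const uint8_t **s, uint32_t *n) {
    int r = get_u32(b, n);
    if (r) return r;
    if (*n > remaining(b)) return SSH_ERR_LENGTH;   /* claims more than we hold */
    *s = b->p + b->off; b->off += *n; return SSH_OK;
}
/* name-list: comma separated, non-empty, printable US-ASCII names (no NUL bytes).
 * On success *count holds the number of names; an empty list is legal. */
static int get_namelist(sshbuf *b, int *count) {
    const uint8_t *s; uint32_t n, start = 0;
    int r = get_string(b, &s, &n);
    if (r) return r;
    *count = 0;
    if (n == 0) return SSH_OK;
    for (uint32_t i = 0; i <= n; i++) {
        if (i == n || s[i] == ',') {
            if (i == start) return SSH_ERR_NAMELIST;  /* "a,,b", ",a" or "a," */
            (*count)++; start = i + 1;
        } else if (s[i] < 0x21 || s[i] > 0x7e) {
            return SSH_ERR_NAMELIST;                  /* NUL, control or 8-bit byte */
        }
    }
    return SSH_OK;
}
/* Unwraps one unencrypted binary packet (uint32 packet_length, byte padding_length,
 * payload, padding) and returns the payload bounds without copying anything. */
static int unwrap_packet(const uint8_t *pkt, size_t pktlen, sshbuf *payload) {
    sshbuf b = { pkt, pktlen, 0 };
    uint32_t packet_length; uint8_t padding_length; int r;
    if ((r = get_u32(&b, &packet_length))) return r;
    if (packet_length < 5 || packet_length > SSH_MAX_PACKET - 4) return SSH_ERR_LENGTH;
    if (packet_length > remaining(&b)) return SSH_ERR_TRUNCATED;
    if ((r = get_u8(&b, &padding_length))) return r;
    if (padding_length < 4 || (uint32_t)padding_length + 1 > packet_length) return SSH_ERR_LENGTH;
    payload->p = b.p + b.off; payload->len = packet_length - padding_length - 1; payload->off = 0;
    return SSH_OK;
}
/* KEXINIT payload: type byte, 16-byte cookie, ten name-lists, first_kex_packet_follows, reserved. */
static int parse_kexinit(sshbuf *pl, int lists[10]) {
    uint8_t type, follows; uint32_t reserved; int r;
    if ((r = get_u8(pl, &type))) return r;
    if (type != SSH_MSG_KEXINIT) return SSH_ERR_TYPE;
    if (remaining(pl) < 16) return SSH_ERR_TRUNCATED;
    pl->off += 16;                                       /* cookie */
    for (int i = 0; i < 10; i++)
        if ((r = get_namelist(pl, &lists[i]))) return r;
    if ((r = get_u8(pl, &follows))) return r;
    return get_u32(pl, &reserved);
}
/* Entry point: validate one received packet as a KEXINIT. */
int check_kexinit_packet(const uint8_t *pkt, size_t len, int lists[10]) {
    sshbuf payload;
    int r = unwrap_packet(pkt, len, &payload);
    return r ? r : parse_kexinit(&payload, lists);
}
/* Constructed sample input: a well-formed KEXINIT packet that repeats one name-list
 * for all ten fields. Returns the packet length, or 0 if it does not fit. */
size_t build_kexinit(const char *list, uint8_t *out, size_t cap) {
    uint8_t body[512]; size_t n = 0, L = strlen(list);
    if (62 + 10 * L > sizeof body) return 0;
    body[n++] = SSH_MSG_KEXINIT;
    memset(body + n, 0xAA, 16); n += 16;                 /* cookie */
    for (int i = 0; i < 10; i++) {
        body[n++] = (uint8_t)(L >> 24); body[n++] = (uint8_t)(L >> 16);
        body[n++] = (uint8_t)(L >> 8);  body[n++] = (uint8_t)L;
        memcpy(body + n, list, L); n += L;
    }
    body[n++] = 0;                                       /* first_kex_packet_follows */
    memset(body + n, 0, 4); n += 4;                      /* reserved */
    uint8_t pad = (uint8_t)(8 - (n + 5) % 8); if (pad < 4) pad += 8;
    uint32_t plen = (uint32_t)(n + 1 + pad);
    if (cap < 4 + plen) return 0;
    out[0] = (uint8_t)(plen >> 24); out[1] = (uint8_t)(plen >> 16);
    out[2] = (uint8_t)(plen >> 8);  out[3] = (uint8_t)plen; out[4] = pad;
    memcpy(out + 5, body, n); memset(out + 5 + n, 0, pad);
    return 4 + plen;
}
int main(void) {
    uint8_t pkt[512]; int lists[10];
    size_t n = build_kexinit("aes128-cbc,3des-cbc", pkt, sizeof pkt);
    printf("well-formed: %d\n", check_kexinit_packet(pkt, n, lists));            /* 0 */
    pkt[22] = pkt[23] = pkt[24] = pkt[25] = 0xFF;       /* first name-list length field */
    printf("oversized length field: %d\n", check_kexinit_packet(pkt, n, lists)); /* -2 */
    return 0;
}
```

The point of the length checks is that the packet_length, padding_length and string length fields all come from the peer before any authentication, so a parser that sizes a copy or a stack buffer from them without comparing against what was actually received is exactly the pre-authentication overflow class described above; the name-list checks cover malformed lists (empty elements, embedded NULs) that string-oriented code may mishandle.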
Impact
The impact will vary for different vulnerabilities, but in some cases remote attackers could execute arbitrary code with the privileges of the SSH process. Both SSH servers and clients are affected. On Windows systems, SSH servers commonly run with SYSTEM privileges; SSH daemons on UNIX systems typically run with root privileges. In the case of SSH clients, any attacker-supplied code would run with the privileges of the user who started the client program; additional privileges may be afforded to an attacker when the SSH client is installed setuid or setgid root. Because the vulnerable code runs before authentication, no credentials are needed to reach it. Attackers could also crash a vulnerable SSH process, causing a denial of service.
Solution
Apply the patch or upgrade provided by your vendor; the Systems Affected table below records each vendor's status.
Until patches are applied, restrict network access to SSH servers to trusted hosts and networks (for example with firewall rules) and connect SSH clients only to trusted servers. This reduces exposure but does not remove it, since the vulnerable code runs before authentication.
Where the SSH daemon supports privilege separation (see the privsep reference below), running it that way confines the pre-authentication code to an unprivileged process, which limits what attacker-supplied code could do but does not fix the underlying bugs.
Systems Affected
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Alcatel | Affected | 06 Dec 2002 | 05 May 2003 |
Cisco Systems Inc. | Affected | 18 Oct 2002 | 20 Dec 2002 |
F-Secure | Affected | 18 Oct 2002 | 02 Dec 2002 |
Hewlett-Packard Company | Affected | 26 Nov 2002 | 23 Dec 2002 |
Intersoft International Inc. | Affected | 08 Nov 2002 | 07 Jan 2003 |
Juniper Networks | Affected | 18 Oct 2002 | 09 Jan 2003 |
Nortel Networks | Affected | 26 Nov 2002 | 20 Jan 2003 |
Pragma Systems | Affected | 13 Nov 2002 | 02 Dec 2002 |
PuTTY | Affected | 06 Nov 2002 | 20 Jan 2003 |
Riverstone Networks | Affected | 23 Dec 2002 | 02 Jan 2003 |
SSH Communications Security | Affected | 18 Oct 2002 | 17 Dec 2002 |
WinSCP | Affected | 17 Dec 2002 | 20 Jan 2003 |
AppGate Network Security AB | Not Affected | - | 05 May 2003 |
Apple Computer Inc. | Not Affected | 06 Dec 2002 | 20 Dec 2002 |
Cray Inc. | Not Affected | 26 Nov 2002 | 27 Nov 2002 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | N/A | N/A |
Temporal | N/A | N/A |
Environmental | N/A | N/A |
References
- http://www.rapid7.com/advisories/R7-0009.txt
- http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666
- http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-15.txt
- http://www.ietf.org/internet-drafts/draft-ietf-secsh-architecture-13.txt
- http://www.citi.umich.edu/u/provos/ssh/privsep.html
Credit
The CERT/CC thanks Rapid7 for researching and reporting these vulnerabilities.
This document was written by Art Manion and Shawn V. Hernan.
Other Information
- CVE IDs: CAN-2002-1357
- CERT Advisory: CA-2002-36
- Date Public: 16 Dec 2002
- Date First Published: 16 Dec 2002
- Date Last Updated: 18 Jun 2003
- Severity Metric: 11.04
- Document Revision: 38