Vulnerability Note VU#389665

Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization

Original Release date: 16 Dec 2002 | Last revised: 18 Jun 2003


Secure shell (SSH) transport layer protocol implementations from different vendors contain multiple vulnerabilities in code that handles key exchange and initialization. Both SSH servers and clients are affected. A remote attacker could execute arbitrary code with the privileges of the SSH process or cause a denial of service.


From the IETF draft SSH Transport Layer Protocol:

    SSH is a protocol for secure remote login and other secure network services over an insecure network.

    This document describes the SSH transport layer protocol which typically runs on top of TCP/IP.  The protocol can be used as a basis for a number of secure network services.  It provides strong encryption, server authentication, and integrity protection.  It may also provide compression.

    Key exchange method, public key algorithm, symmetric encryption algorithm, message authentication algorithm, and hash algorithm are all negotiated.

Rapid7 has developed a suite of test cases (SSHredder) that examine the connection initialization, key exchange, and negotiation phase (KEX, KEXINIT) of the SSH transport layer protocol. The suite tests the way an SSH transport layer implementation handles invalid or incorrect packet and string lengths, padding and padding length, malformed strings, and invalid algorithms.

The test suite has demonstrated a number of vulnerabilities in different vendors' SSH products. These vulnerabilities include buffer overflows, and they occur before user authentication takes place. Common Vulnerabilities and Exposures (CVE) has assigned the following candidate numbers for several classes of tests performed by SSHredder:
    CAN-2002-1357: incorrect length fields, i.e. specified length field does not match the actual length of the input
    CAN-2002-1359: "classic" buffer overflows (length field, if present, is consistent with the actual length of buffer)
    CAN-2002-1360: null characters in strings (which trigger conflicts between delimiter-based and length-based strings)
Rapid7 has posted an advisory (R7-0009) and the SSHredder test suite.


The impact will vary for different vulnerabilities, but in some cases remote attackers could execute arbitrary code with the privileges of the SSH process. Both SSH servers and clients are affected. On Windows systems, SSH servers commonly run with SYSTEM privileges. SSH daemons on UNIX systems typically run with root privileges. In the case of SSH clients, any attacker-supplied code would run with the privileges of the user who started the client program. Additional privileges may be afforded to an attacker when the SSH client is configured to run with an effective user ID (setuid/setgid) of root. Attackers could also crash a vulnerable SSH process, causing a denial of service.
While OpenSSH does not appear to be affected, it is worth noting that privilege separation would greatly reduce the impact of arbitrary code execution during the KEXINIT phase.


Upgrade or Apply Patch

Upgrade or apply a patch as specified by your vendor.

Restrict Access

Until patches or upgrades are available, it may be possible to limit access to vulnerable SSH clients and servers using the built-in facilities of some SSH implementations, firewalls, packet-filters, TCP Wrappers, or other similar technology. Note that this workaround will not prevent exploitation of these vulnerabilities, it will only limit the number of potential sources of attacks.

Do Not Trust DNS

SSH clients can reduce the risk of attacks by only connecting to trusted servers by IP address. Again, this will not prevent attacks, but it will remove the ability of an attacker to redirect a client using DNS cache poisoning or by compromising a DNS server.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
AlcatelAffected06 Dec 200205 May 2003
Cisco Systems Inc.Affected18 Oct 200220 Dec 2002
F-SecureAffected18 Oct 200202 Dec 2002
Hewlett-Packard CompanyAffected26 Nov 200223 Dec 2002
Intersoft International Inc.Affected08 Nov 200207 Jan 2003
Juniper NetworksAffected18 Oct 200209 Jan 2003
Nortel NetworksAffected26 Nov 200220 Jan 2003
Pragma SystemsAffected13 Nov 200202 Dec 2002
PuTTYAffected06 Nov 200220 Jan 2003
Riverstone NetworksAffected23 Dec 200202 Jan 2003
SSH Communications SecurityAffected18 Oct 200217 Dec 2002
WinSCPAffected17 Dec 200220 Jan 2003
AppGate Network Security ABNot Affected-05 May 2003
Apple Computer Inc.Not Affected06 Dec 200220 Dec 2002
Cray Inc.Not Affected26 Nov 200227 Nov 2002
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



The CERT/CC thanks Rapid7 for researching and reporting these vulnerabilities.

This document was written by Art Manion and Shawn V. Hernan.

Other Information

  • CVE IDs: CAN-2002-1357
  • CERT Advisory: CA-2002-36
  • Date Public: 16 Dec 2002
  • Date First Published: 16 Dec 2002
  • Date Last Updated: 18 Jun 2003
  • Severity Metric: 11.04
  • Document Revision: 38


If you have feedback, comments, or additional information about this vulnerability, please send us email.