OpenSSH fails to properly handle multiple identical blocks in a SSH packet. This vulnerability may cause a denial-of-service condition.
OpenSSH is an open source client and server implementation of the Secure Shell (SSH) protocol. OpenSSH includes a cyclic redundancy check (CRC) compensation attack detection function that produces a checksum on a block of data in a SSH packet. This function was introduced to defend against exploitation of CRC weaknesses in version 1 of the SSH protocol (see VU#13877). Multiple identical blocks contained within a SSH packet may trigger a computationally expensive operation within the CRC attack detector that can lead to a denial of service. According to the OpenSSH 4.4 release notes:
[This vulnerability]...would cause sshd(8) to spin until the login grace time expired.
A remote, unauthenticated attacker could cause a denial-of service condition by sending specially crafted packets to the OpenSSH server that would cause it to use excessive CPU time until a connection timeout occurs.
Disable SSH version 1
Apple Computer, Inc. Affected
Avaya, Inc. Affected
Debian GNU/Linux Affected
FreeBSD, Inc. Affected
Gentoo Linux Affected
Hewlett-Packard Company Affected
Mandriva, Inc. Affected
Red Hat, Inc. Affected
SUSE Linux Affected
Slackware Linux Inc. Affected
Trustix Secure Linux Affected
This issue was reported in the OpenSSH 4.4 release notes. OpenSSH credits Tavis Ormandy of the Google Security Team for reporting this issue.
This document was written by Chris Taschner.
|Date First Published:||2006-10-04|
|Date Last Updated:||2007-03-13 22:01 UTC|