search menu icon-carat-right cmu-wordmark

CERT Coordination Center

OpenSSH fails to properly handle multiple identical blocks in a SSH packet

Vulnerability Note VU#787448

Original Release Date: 2006-10-04 | Last Revised: 2007-03-13

Overview

OpenSSH fails to properly handle multiple identical blocks in a SSH packet. This vulnerability may cause a denial-of-service condition.

Description

OpenSSH is an open source client and server implementation of the Secure Shell (SSH) protocol. OpenSSH includes a cyclic redundancy check (CRC) compensation attack detection function that produces a checksum on a block of data in a SSH packet. This function was introduced to defend against exploitation of CRC weaknesses in version 1 of the SSH protocol (see VU#13877). Multiple identical blocks contained within a SSH packet may trigger a computationally expensive operation within the CRC attack detector that can lead to a denial of service. According to the OpenSSH 4.4 release notes:

[This vulnerability]...would cause sshd(8) to spin until the login grace time expired.
The OpenSSH sshd daemon is only vulnerable when SSH protocol version 1 is enabled.

Impact

A remote, unauthenticated attacker could cause a denial-of service condition by sending specially crafted packets to the OpenSSH server that would cause it to use excessive CPU time until a connection timeout occurs.

Solution

Upgrade
See the systems affected section of this document for information about specific vendors. Users who compile OpenSSH from source are encouraged to update to the most recent version.

Disable SSH version 1


SSH protocol version 1 should be disabled in order to prevent this vulnerability from occurring on affected systems.

Vendor Information

787448
 
Affected   Unknown   Unaffected

Apple Computer, Inc.

Updated:  March 13, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://docs.info.apple.com/article.html?artnum=305214 for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Avaya, Inc.

Updated:  October 23, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Avaya Security Alert ASA-2006-216.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian GNU/Linux

Updated:  October 06, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.debian.org/security/2006/dsa-1189

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD, Inc.

Updated:  October 04, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://security.FreeBSD.org/advisories/FreeBSD-SA-06:22.openssh.asc

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux

Updated:  October 02, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.gentoo.org/security/en/glsa/glsa-200609-17.xml

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Updated:  January 19, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to HPSBUX02178 SSRT061267.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc.

Updated:  October 06, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.mandriva.com/security/advisories?name=MDKSA-2006:179

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Updated:  November 10, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to OpenBSD 4.0 release errata & patch list.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenPKG

Updated:  October 04, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.022-openssh.html

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSH

Updated:  October 02, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.openssh.com/txt/release-4.4

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc.

Updated:  October 02, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207955

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux

Updated:  October 23, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to SUSE Security Annoucement SUSE-SA:2006:062.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware Linux Inc.

Updated:  October 02, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux

Updated:  October 06, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.trustix.org/errata/2006/0054/

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ubuntu

Updated:  October 04, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.ubuntu.com/usn/usn-355-1

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VMware

Updated:  January 19, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to document 9986131.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

rPath

Updated:  October 02, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to https://issues.rpath.com/browse/RPL-661

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This issue was reported in the OpenSSH 4.4 release notes . OpenSSH credits Tavis Ormandy of the Google Security Team for reporting this issue.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2006-4924
Severity Metric: 8.82
Date Public: 2006-09-27
Date First Published: 2006-10-04
Date Last Updated: 2007-03-13 22:01 UTC
Document Revision: 41

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.