OpenSSH fails to properly handle multiple identical blocks in an SSH packet. This vulnerability may cause a denial-of-service condition.
OpenSSH is an open source client and server implementation of the Secure Shell (SSH) protocol. OpenSSH includes a cyclic redundancy check (CRC) compensation attack detection function that produces a checksum on a block of data in an SSH packet. This function was introduced to defend against exploitation of CRC weaknesses in version 1 of the SSH protocol (see VU#13877). Multiple identical blocks contained within an SSH packet may trigger a computationally expensive operation within the CRC attack detector that can lead to a denial of service. According to the OpenSSH 4.4 release notes:
[This vulnerability]...would cause sshd(8) to spin until the login grace time expired.
A remote, unauthenticated attacker could cause a denial-of-service condition by sending specially crafted packets to the OpenSSH server that would cause it to use excessive CPU time until a connection timeout occurs.
Disable SSH version 1
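To confirm the workaround is in effect, the following added example (not part of the original note or of OpenSSH) checks an sshd_config for the Protocol directive and checks whether a server identification string still advertises protocol 1. It assumes the OpenSSH releases of this era fall back to "2,1" when no Protocol line is present; the function names and sample inputs are constructed for illustration.

```python
import re

# Assumption: with no Protocol line, sshd of this era enables both versions.
ERA_DEFAULT = "2,1"

def enabled_protocols(config_text, default=ERA_DEFAULT):
    """Return the set of SSH protocol versions an sshd_config text enables."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        # Keyword is case-insensitive; value follows whitespace or a single '='.
        m = re.match(r"(?i)protocol(?:\s*=\s*|\s+)(\S.*)$", line)
        if m:
            # sshd keeps the first value it obtains for a keyword.
            return {v.strip() for v in m.group(1).split(",") if v.strip()}
    return set(default.split(","))

def config_exposes_v1(config_text):
    """True if the configuration leaves SSH protocol 1 enabled."""
    return "1" in enabled_protocols(config_text)

def banner_offers_v1(banner):
    """True if an SSH identification string advertises protocol 1 support."""
    m = re.match(r"SSH-(\d+)\.(\d+)-", banner.strip())
    if not m:
        raise ValueError("not an SSH identification string")
    # 1.x means protocol 1 only; 1.99 means the server speaks both 1 and 2.
    return int(m.group(1)) == 1

# Constructed sample inputs, not taken from any real host.
SAMPLE_CONFIGS = {
    "hardened": "Port 22\nProtocol 2\n",
    "commented-out": "#Protocol 2\nPort 22\n",
    "both": "protocol = 2,1\n",
}
SAMPLE_BANNERS = ["SSH-2.0-OpenSSH_4.4", "SSH-1.99-OpenSSH_4.3"]

if __name__ == "__main__":
    for name, text in SAMPLE_CONFIGS.items():
        state = "protocol 1 ENABLED" if config_exposes_v1(text) else "protocol 2 only"
        print(f"config {name}: {state}")
    for b in SAMPLE_BANNERS:
        state = "offers protocol 1" if banner_offers_v1(b) else "protocol 2 only"
        print(f"banner {b}: {state}")
```

A commented-out "Protocol 2" line does not disable version 1 under the assumed default, which is why the second sample is still flagged.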
This issue was reported in the OpenSSH 4.4 release notes. OpenSSH credits Tavis Ormandy of the Google Security Team for reporting this issue.
This document was written by Chris Taschner.
Date First Published: 2006-10-04
Date Last Updated: 2007-03-13 22:01 UTC