Original release date: December 13, 2001<BR>
Last revised: December 14, 2001<br>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>
<p>Systems running implementations of the Secure Shell (SSH) 
protocol</p>

<A NAME="overview">
<H2>Overview</H2>

<P>There are multiple vulnerabilities in several implementations of the
Secure Shell (SSH) protocol. The SSH protocol enables a secure
communications channel from a client to a server. We are seeing a high
amount of scanning for SSH daemons, and we are receiving reports of
exploitation. System administrators should review their configurations to
ensure that they have applied all relevant patches prior to the holiday
break.

<A NAME="description">
<H2>I. Description</H2>

<P>There are multiple vulnerabilities in several implementations of the
Secure Shell (SSH) protocol. While these problems have been previously
disclosed, we believe many system and network administrators may have
overlooked one or more of these vulnerabilities. We are issuing this
document primarily to encourage system and network administrators to
check their systems, prior to the holiday break, for exposure to each of
these vulnerabilities.  The CERT/CC is still seeing active scanning and
exploitation of vulnerabilities related to SSH.

<p>We also believe that it is important for system administrators to
realize that several implementations of SSH version 2 will use their
implementation of SSH version 1 if it is present and requested by the
client. Therefore, upgrading to SSH version 2 is not necessarily a
sufficient means to patch vulnerabilities that are present in the SSH
version 1 implementation.

<p>The following vulnerability note and incident note describe activity
regarding the SSH CRC32 attack detection code integer overflow
vulnerability.

<br> <br> <b><a
href="http://www.kb.cert.org/vuls/id/945216">VU#945216</a> - SSH CRC32
attack detection code contains remote integer overflow</b> 
<br> 
<br>

There is a remote integer overflow vulnerability in several
implementations of the SSH1 protocol.  This vulnerability is located in a
segment of code that was introduced to defend against exploitation of
CRC32 weaknesses in the SSH1 protocol (see <a
href="http://www.kb.cert.org/vuls/id/13877">VU#13877</a>).  The attack
detection function (detect_attack, located in deattack.c) makes use of a
dynamically allocated hash table to store connection information that is
then examined to detect and respond to CRC32 attacks.  By sending a
crafted SSH1 packet to an affected host, an attacker can cause the SSH
daemon to create a hash table with a size of zero.  When the detection
function then attempts to hash values into the null-sized hash table,
these values can be used to modify the return address of the function
call, thus causing the program to execute arbitrary code with the
privileges of the SSH daemon, typically root. 
</P>

<p><b><a
href="http://www.cert.org/incident_notes/IN-2001-12.html">IN-2001-12</a> 
- Exploitation of vulnerability in SSH1 CRC-32 compensation attack 
detector</b></p>



<p>In reports received by the CERT/CC, systems compromised via this
vulnerablity have exhibited the following pattern in system log messages:

<DL><DD>
<pre>
hostname sshd[xxx]: Disconnecting: Corrupted check bytes on input.
hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
...
</pre>
</DL>

<p>Some exploits for this vulnerability appear to use a brute force
method, so many messages of this type may be logged before a system is
successfully compromised.

<p>The following artifacts have been discovered on systems that were
successfully compromised:

<ul> 

<li>Installation of rootkits that modify standard system utilities to
hide the intruder's actions

<li>Installation of Trojan horse versions of the SSH software, compiled
from the latest OpenSSH source code plus intruder-supplied modifications
                      
<li>Installation of tools to scan large network blocks for other systems
that are vulnerable to compromise. Log files left behind from these tools
indicate that they operate by looking for the banner displayed upon
connection to the sshd service.

</ul>


<p>For a list of vulnerability notes related to SSH vulnerabilities,
please see the <a href="#references">References section</a>.

<A NAME="impact">
<H2>II. Impact</H2>

<p> The CRC32 attack detection code integer overflow vulnerability, as
well as some of the vulnerabilities listed in the <a
href="#references">References section</a>, can be exploited remotely. In
some cases, they allow an intruder to execute arbitrary code with the
privileges of the SSH application daemon, usually root. In some cases, an
intruder must be an authorized user of the system.

<p>For specific information about the impacts of each of these
vulnerabilities, please consult the CERT Vulnerability Notes Database (<a
href="http://www.kb.cert.org/vuls">http://www.kb.cert.org/vuls</a>).  
</p>


<A NAME="solution">
<H2>III. Solution</H2>

<H4>Update to the latest version</h4>

<P>If possible, update your implementation of SSH to the latest release.  
If you are unable to update to the latest version, apply all relevant
patches to your current version. It is also recommended that you look 
at the security or support section on each vendor's site.</p>

<p>Note that it is important for system administrators to
realize that several implementations of SSH version 2 will use their
implementation of SSH version 1 if it is present and requested by the
client. Therefore, upgrading to SSH version 2 is not necessarily a
sufficient means to patch vulnerabilities that are present in the SSH
version 1 implementation.


<p>Current versions for Data Fellows (F-Secure) can be found at <a 
href="http://www.f-secure.com/products/ssh/">http://www.f-secure.com/products/ssh/</a>.

<p>Current versions for SSH Communications Security can be found at <a 
href="http://www.ssh.com/products/ssh/download.cfm">http://www.ssh.com/products/ssh/download.cfm</a>.

<p>Current versions for OpenSSH can be found at <a 
href="http://www.openssh.com">http://www.openssh.com</a>.

<p>Please visit your vendor's web site for the latest version.</p>

<h4> Apply a patch from your vendor</H4>

<p><A HREF="#vendors">Appendix A</A> contains information provided by
vendors for this advisory.  As vendors report new information to the
CERT/CC, we will update this section and note the changes in our revision
history.  If a particular vendor is not listed below, we have not
received their comments for the advisory. Please review the CERT
Vulnerability Notes Database (<a
href="http://www.kb.cert.org/vuls">http://www.kb.cert.org/vuls</a>) or
contact your vendor directly.</P>

<H4>Restrict access to the SSH service</H4>

<p>As a general practice, we recommend disabling all services that are
not explicitly required. You may wish to disable the SSH access if 
there is not a patch available from your vendor.</P>

<p>If you cannot disable the service, you can limit your exposure to
these vulnerabilities by using a router or firewall to restrict access to
port 22/TCP (SSH). Use <a
href="ftp://ftp.porcupine.org/pub/security/">tcp wrappers</a> or a program
that provides similar functionality, or use the key-based IP restriction
offered by your implementation. Note that this does not protect you
against attackers from within your network.


<A NAME="vendors">
<H2>Appendix A. - Vendor Information</H2>

<P>This appendix contains information provided by vendors for this
advisory.  As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history.  If a
particular vendor is not listed below, we have not received their
comments for the advisory. Please review the CERT Vulnerability Notes
Database (<a
href="http://www.kb.cert.org/vuls">http://www.kb.cert.org/vuls</a>) or
contact your vendor directly.</P>


<!-- end vendor -->

<A NAME="bsdi">
<H4>Berkeley Software Design, Inc. (BSDI)</H4>
The current 3.0.2p1 version of OpenSSH is available for BSD/OS version
4.2 in patch M420-018 and for BSD/OS 4.3 in patch M430-001.  Patches are
available via ftp from <a 
href="ftp://ftp.bsdi.com/bsdi/patches">ftp://ftp.bsdi.com/bsdi/patches</a> 
or via our web site at <a 
href="http://www.bsdi.com/support">http://www.bsdi.com/support</a>.
<!-- end vendor -->

<A NAME="fujitsu">
<H4>Fujitsu</H4>

<p>Fujitsu's UXP/V operating system is not affected by the SSH
security vulnerabilities because it does not support the SSH package.
<!-- end vendor -->

<A NAME="hp">
<H4>Hewlett-Packard Company</H4>

<p>This issue does not apply to HP-UX. HP does not ship SSH.

<!-- end vendor -->


<A NAME="ibm">
<H4>IBM Corporation</H4>

<p>IBM's AIX operating system does not ship with OpenSSH; however,
OpenSSH isavailable for installation on AIX via the Linux
Affinity Toolkit. The version included on the CD containing
the Toolkit is vulnerable to the latest discovered vulnerability
discussed here, VU#157447, as was the version of OpenSSH
available for downloading from the IBM Linux Affinity
website. We have updated this version on the website to
one that is not vulnerable to this security exposure. This
version also fixes the other vulnerabilities described in
this advisory. Customers can download this version by going to:</p>

<a 
href="http://www6.software.ibm.com/dl/aixtbx/aixtbx-p">http://www6.software.ibm.com/dl/aixtbx/aixtbx-p</a>


<p>This site contains Linux Affinity applications containing
cryptographic algorithms, and new users of this site are asked
to register first.


<!-- end vendor -->

<A NAME="netbsd">
<H4>NetBSD</H4>
<p>The CRC32 attack vulnerability was patched in NetBSD-current on October
30, 2000.  NetBSD 1.5 and later already include the patch. Users
maintaining earlier revisions of NetBSD should update their systems
using the security/openssh package from NetBSD pkgsrc if they have not
already done so.

<p>Up to date NetBSD security information on SSH, and other
vulnerabilities is available from <a 
href="http://www.netbsd.org/Security/">http://www.netbsd.org/Security/</a>
<!-- end vendor -->

<A NAME="openssh">
<H4>OpenSSH</H4>

<p>The CRC32 problem has been fixed in the November 2000 release of
OpenSSH 2.3.0.

<!-- end vendor -->

<A NAME="sun">
<H4>Sun Microsystems</H4>

<p>Sun does not ship the Secure Shell (SSH), thus Solaris is not affected
by this issue.

<!-- end vendor -->
<p></P>
<HR NOSHADE>

<p>The CERT Coordination Center thanks Markus Friedl of OpenSSH for the technical assistance he provided.</P>


<HR NOSHADE>

<P>Feedback on this document can be directed to the authors, <A
HREF="mailto:cert@cert.org?subject=CA-2001-35%20Feedback%20info%2301.115652%20VU%23945216">Jason
A. Rafail and Chad Dougherty</A>

<p></p>

<HR NOSHADE>

<A NAME="references">
<h2>References</h2>

<TABLE WIDTH=100%>
<BR>

<TR><TH BGCOLOR="#DCDCDC" VALIGN=BOTTOM>ID</TH><TH 
BGCOLOR="#DCDCDC">Date<BR>Public</TH><TH BGCOLOR="#DCDCDC" ALIGN=LEFT 
WIDTH=100% VALIGN=BOTTOM>Name</TH></TR><TR><TD VALIGN=TOP><A 
 HREF="http://www.kb.cert.org/vuls/id/19124">VU#19124</A></TD><TD 
VALIGN=TOP>01/20/98</TD><TD>SSH authentication agent follows symlinks via 
a UNIX domain socket</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/13877">VU#13877</A></TD><TD 
VALIGN=TOP>06/11/98</TD><TD>Weak CRC allows packet injection into SSH 
sessions encrypted with block ciphers</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/40327">VU#40327</A></TD><TD 
VALIGN=TOP>06/09/2000</TD><TD>OpenSSH UseLogin option allows remote 
execution of commands as root</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/363181">VU#363181</A></TD><TD 
VALIGN=TOP>12/07/2000</TD><TD>OpenSSH disregards client configuration and 
allows server access to ssh-agent and/or X11 after session 
negotiation</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/850440">VU#850440</A></TD><TD 
VALIGN=TOP>01/16/2001</TD><TD>SSH1 may generate weak passphrase when 
using Secure RPC</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/684820">VU#684820</A></TD><TD 
VALIGN=TOP>01/18/2001</TD><TD>SSH-1 allows client authentication to be 
forwarded by a malicious server to another server</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/565052">VU#565052</A></TD><TD 
VALIGN=TOP>01/18/2001</TD><TD>Passwords sent via SSH encrypted with RC4 
can be easily cracked</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/786900">VU#786900</A></TD><TD 
VALIGN=TOP>01/18/2001</TD><TD>SSH host key authentication can be bypassed 
when DNS is used to resolve localhost</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/25309">VU#25309</A></TD><TD 
VALIGN=TOP>01/18/2001</TD><TD>Weak CRC allows RC4 encrypted SSH1 packets 
to be modified without notice</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/118892">VU#118892</A></TD><TD 
VALIGN=TOP>01/18/2001</TD><TD>Older SSH clients do not allow users to 
disable X11 forwarding</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/665372">VU#665372</A></TD><TD 
VALIGN=TOP>01/18/2001</TD><TD>SSH connections using RC4 and password 
authentication can be replayed</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/315308">VU#315308</A></TD><TD 
VALIGN=TOP>01/18/2001</TD><TD>Weak CRC allows last block of 
IDEA-encrypted SSH packet to be changed without notice</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/945216">VU#945216</A></TD><TD 
VALIGN=TOP>02/08/2001</TD><TD>SSH CRC32 attack detection code contains 
remote integer overflow</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/596827">VU#596827</A></TD><TD 
VALIGN=TOP>03/19/2001</TD><TD>Weaknesses in the SSH protocol simplify 
brute-force attacks against passwords typed in an existing SSH 
session</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/655259">VU#655259</A></TD><TD 
VALIGN=TOP>06/12/2001</TD><TD>OpenSSH allows arbitrary file deletion via 
symlink redirection of temporary file</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/737451">VU#737451</A></TD><TD 
VALIGN=TOP>07/20/2001</TD><TD>SSH Secure Shell sshd2 does not adequately 
authenticate logins to accounts with encrypted password fields containing 
two or fewer characters</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/279763">VU#279763</A></TD><TD 
VALIGN=TOP>11/19/2001</TD><TD>RhinoSoft Serv-U remote administration 
client transmits password in plaintext</TD></TR>

<TR><TD VALIGN=TOP><A 
HREF="http://www.kb.cert.org/vuls/id/157447">VU#157447</A></TD><TD 
VALIGN=TOP>12/04/2001</TD><TD>OpenSSH UseLogin directive permits 
privilege escalation</TD></TR>

</TABLE>

<P></P>

<!--#include virtual="/include/footer_nocopyright.html" -->

<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
December 13, 2001:  Initial release
December 14, 2001:  Added OpenSSH Vendor Statement
</PRE>