[KLUG Members] Anyone know anything about this?

Tony Gettig members@kalamazoolinux.org
Fri, 3 Jan 2003 08:02:35 -0500 (EST)


Below is what the SANS Critical Vulnerability Analysis Vol 1 No 22 had to
say about it. I thought it ironic that the very tool from Rapid7 used to
identify this vulnerability can be used for a DoS attack for this exploit.

Note that it says OpenSSH is not affected. As far as server side
ramifications, I guess that would be a problem for those servers NOT
running OpenSSH, like all of the software listed below. Am I correct in
thinking that OpenSSH is distinctly different than what is used in
commercial products?

<---------SNIP------------>
1) HIGH: Multi-Vendor SSH Multiple Vulnerabilities (SSHredder)


Affected Products (from the Rapid7 Advisory):
  o F-Secure Corp. SSH servers and clients for UNIX
       v3.1.0 (build 11) and earlier
  o F-Secure Corp. SSH for Windows
       v5.2 and earlier
  o SSH Communications Security, Inc. SSH for Windows
       v3.2.2 and earlier
  o SSH Communications Security, Inc. SSH for UNIX
       v3.2.2 and earlier
  o FiSSH SSH client for Windows
       v1.0A and earlier
  o InterSoft Int'l, Inc. SecureNetTerm client for Windows
       v5.4.1 and earlier
  o NetComposite ShellGuard SSH client for Windows
       v3.4.6 and earlier
  o Pragma Systems, Inc. SecureShell SSH server for Windows
       v2 and earlier
  o PuTTY SSH client for Windows
       v0.53 and earlier (v0.53b not affected)
  o WinSCP SCP client for Windows
       v2.0.0 and earlier
Note: OpenSSH is not affected.


Description:
SSHv2 client/server implementations from multiple vendors contain
various vulnerabilities that could allow remote, unauthenticated
attackers to execute arbitrary code with the privileges of the SSH
process or cause a denial of service. Successful exploitation of
code-execution vulnerabilities against SSH servers would typically
provide attackers with SYSTEM privileges under Windows and root
privileges under Unix. Exploitation of clients would provide the
privileges of the user running the client.


All vulnerabilities were discovered using the automated SSHredder
test suite, which has been made publicly available by Rapid7.
SSHredder contains over 600 distinct test cases that stress an SSH
implementation by sending invalid or atypical packets during the
connection initialization, key exchange, and negotiation phases of
the protocol. These phases occur prior to user authentication.


Risk: Remote root/SYSTEM-level compromise of SSH servers, SSH client
compromise, and denial of service.


Deployment: Significant.
The vulnerabilities affect many popular products in use today; however,
some products are affected more severely than others. The advisories do
not discuss the problems with particular implementations individually.


Ease of Exploitation: Straightforward.
No code execution exploits are known to exist, but an attacker can use
the SSHredder test suite to determine how a particular implementation
is vulnerable, and go from there to craft an exploit. Attackers can
also use the existing test suite to wage denial of service attacks.


Status: Vendor confirmed, patches available in some cases.
See the following link for vendor specific information:
http://www.kb.cert.org/vuls/id/389665#systems


References:
Rapid7 Advisory:
http://www.rapid7.com/advisories/R7-0009.txt


CERT Advisory:
http://www.cert.org/advisories/CA-2002-36.html


Rapid7 SSHredder Test Suite:
http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666


Council Site Actions:
All Council sites are using one or more of the SSH vendor products,
but not all sites were running affected versions. All sites reported
that inbound SSH connections were blocked at the perimeters;
therefore it was not necessary to treat this as an urgent problem.
Several of the Council sites are using the PuTTY client on their
desktop systems. These sites already have plans in place to upgrade
to the newest version. Other Council sites plan to upgrade to the
latest vendor versions or apply patches when they become available.
One site plans to obtain the SSHredder tool and do some testing
internally to better understand their level of vulnerability.


<---------SNIP------------>


> If you know something about this, please comment, the
> article is kinda vague....
>
> http://www.eweek.com/article2/0,3959,801913,00.asp
>
> I'm interested in server-side vulnerabilities...
>
> 					Regards,
> 					---> RGB <---
>


-- 
Tony Gettig
http://www.VoiceoversNow.com
GBY!
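
The advisory quoted above says SSHredder sends invalid or atypical packets in the phases before user authentication. As an added illustration (not part of the original post, the SANS text, or any vendor's code), here is a receiver-side check of one cleartext SSH binary packet header that refuses bad lengths before using them. The field layout and limits are taken from the SSH transport-layer specification; the function name, status codes, size cap and sample bytes are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Limits from the SSH transport-layer spec; names are this example's own. */
#define SSH_MIN_PACKET  16u     /* smallest legal packet, length field included */
#define SSH_MAX_PACKET  35000u  /* cap chosen here; larger packets are refused */
#define SSH_BLOCK       8u      /* alignment while no cipher is negotiated */

enum pkt_status { PKT_OK, PKT_NEED_MORE, PKT_BAD_LENGTH, PKT_BAD_ALIGN, PKT_BAD_PADDING };

/* Validate one cleartext (pre-key-exchange) SSH binary packet held in buf[0..len).
 * Layout: uint32 packet_length | byte padding_length | payload | padding.
 * On PKT_OK, *payload and *payload_len describe the payload inside buf. */
enum pkt_status ssh_check_packet(const uint8_t *buf, size_t len,
                                 const uint8_t **payload, size_t *payload_len)
{
    if (len < 5)
        return PKT_NEED_MORE;
    uint32_t packet_length = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                             ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    uint32_t padding_length = buf[4];

    /* Bound the peer-controlled length before any arithmetic or allocation uses it. */
    if (packet_length < SSH_MIN_PACKET - 4 || packet_length > SSH_MAX_PACKET - 4)
        return PKT_BAD_LENGTH;
    if ((packet_length + 4) % SSH_BLOCK != 0)
        return PKT_BAD_ALIGN;
    /* At least 4 bytes of padding, and room for a one-byte message number. */
    if (padding_length < 4 || padding_length + 2 > packet_length)
        return PKT_BAD_PADDING;
    if (len - 4 < packet_length)          /* header claims more than we hold */
        return PKT_NEED_MORE;
    *payload = buf + 5;
    *payload_len = packet_length - padding_length - 1;
    return PKT_OK;
}

/* Constructed sample: 7-byte payload starting with message number 20, 4 bytes padding. */
static const uint8_t sample_ok[16] = {0,0,0,12, 4, 20,1,2,3,4,5,6, 0,0,0,0};
/* Constructed sample: length field of 0xFFFFFFFF, an out-of-range value. */
static const uint8_t sample_huge[16] = {0xFF,0xFF,0xFF,0xFF, 4, 20};

int main(void)
{
    const uint8_t *p; size_t n;
    printf("ok=%d huge=%d\n", ssh_check_packet(sample_ok, 16, &p, &n),
           ssh_check_packet(sample_huge, 16, &p, &n));
    return 0;
}
```

A receiver that gets any status other than PKT_OK or PKT_NEED_MORE should drop the connection rather than try to resynchronise.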