AUSCERT External Security Bulletin Redistribution

                 ESB-2002.705 -- CERT Advisory CA-2002-36
              Multiple Vulnerabilities in SSH Implementations
                             17 December 2002


        AusCERT Security Bulletin Summary

Product:                SSH
Impact:                 Root Compromise
                        Administrator Compromise
                        Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------


CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations

   Original issue date: December 16, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Secure  shell  (SSH)  protocol  implementations in SSH clients and
       servers from multiple vendors


   Multiple  vendors' implementations of the secure shell (SSH) transport
   layer  protocol  contain  vulnerabilities  that  could  allow a remote
   attacker  to  execute  arbitrary  code  with the privileges of the SSH
   process  or  cause a denial of service. The vulnerabilities affect SSH
   clients  and  servers, and they occur before user authentication takes

I. Description

   The SSH protocol enables a secure communications channel from a client
   to a server. From the IETF draft SSH Transport Layer Protocol:

     The  SSH  transport layer is a secure low level transport protocol.
     It  provides  strong encryption, cryptographic host authentication,
     and  integrity  protection....  Key  exchange  method,  public  key
     algorithm,  symmetric  encryption algorithm, message authentication
     algorithm, and hash algorithm are all negotiated. 

   Rapid7  has  developed  a suite (SSHredder) of test cases that examine
   the  connection  initialization,  key  exchange, and negotiation phase
   (KEX,  KEXINIT)  of  the SSH transport layer protocol. The suite tests
   the  way  an  SSH  transport  layer  implementation handles invalid or
   incorrect  packet  and  string  lengths,  padding  and padding length,
   malformed strings, and invalid algorithms.

   The  test  suite  has  demonstrated  a  number  of  vulnerabilities in
   different  vendors' SSH products. These vulnerabilities include buffer
   overflows,  and they occur before any user authentication takes place.
   SSHredder  was  primarily  designed  to  test  key  exchange and other
   processes that are specific to version 2 of the SSH protocol; however,
   certain classes of tests are also applicable to version 1.

   Further  information about this set of vulnerabilities may be found in
   Vulnerability Note VU#389665.

   Rapid7  has  published a detailed advisory (R7-0009) and the SSHredder
   test suite.

   Common  Vulnerabilities and Exposures (CVE) has assigned the following
   candidate numbers for several classes of tests performed by SSHredder:

     * CAN-2002-1357 - incorrect field lengths
     * CAN-2002-1358 - lists with empty elements or multiple separators
     * CAN-2002-1359 - "classic" buffer overflows
     * CAN-2002-1360 - null characters in strings

II. Impact

   The  impact  will vary for different vulnerabilities and products, but
   in  severe  cases,  remote attackers could execute arbitrary code with
   the  privileges  of  the SSH process. Both SSH servers and clients are
   affected,  since  both  implement the SSH transport layer protocol. On
   Microsoft  Windows  systems,  SSH  servers  commonly  run  with SYSTEM
   privileges,  and  on UNIX systems, SSH daemons typically run with root
   privileges.  In  the  case  of SSH clients, any attacker-supplied code
   would  run  with  the  privileges  of  the user who started the client
   program,  with  the  possible  exception  of  SSH  clients that may be
   configured  with an effective user ID of root (setuid root). Attackers
   could  also  crash  a  vulnerable  SSH  process,  causing  a denial of

III. Solution

Apply a patch or upgrade

   Apply  the  appropriate  patch or upgrade as specified by your vendor.
   See Appendix A below and the Systems Affected section of VU#389665 for
   specific information.

Restrict access

   Limit  access  to  SSH  servers  to  trusted  hosts and networks using
   firewalls or other packet-filtering systems. Some SSH servers may have
   the  ability  to  restrict  access  based  on IP addresses, or similar
   effects  may  be  achieved  by  using  TCP  wrappers  or other related

   SSH  clients  can  reduce  the  risk  of attacks by only connecting to
   trusted servers by IP address.

   While  these  workarounds  will  not  prevent  exploitation  of  these
   vulnerabilities,  they  will  make attacks somewhat more difficult, in
   part by limiting the number of potential sources of attacks.

Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is updated and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have  not  received  their  comments.  The Systems Affected section of
   VU#389665 contains additional vendor status information.

Cisco Systems, Inc.

     The   official   statement  regarding  this  is  that  we  are  not

Cray Inc.

     Cray  Inc.  supports  the  OpenSSH  product through their Cray Open
     Software  (COS)  package.  COS  3.3,  available the end of December
     2002,  is  not vulnerable. If a site is concerned, they can contact
     their  local  Cray  representive  to  obtain  an  early copy of the
     OpenSSH contained in COS 3.3.


     F-Secure  SSH products are not exploitable via these attacks. While
     F-Secure  SSH  versions  3.1.0  build 11 and earlier crash on these
     malicious  packets,  we  did  not find ways to exploit this to gain
     unauthorized  access  or  to  run  arbitrary code. Furthermore, the
     crash  occurs  in a forked process so the denial of service attacks
     are not possible.


     Fujitsu's  UXP/V  OS  is not vulnerable because it does not support


     IBM's  AIX  is  not  vulnerabible  to  the issues discussed in CERT
     Vulnerability Note VU#389665.


     I've now tried the testsuite with the latest stable release of lsh,
     lsh-1.4.2. Both the client and the server seem NOT VULNERABLE.

NetScreen Technologies Inc.

     Tested latest versions. Not Vulnerable.


     From  my testing it seems that the current version of OpenSSH (3.5)
     is not vulnerable to these problems, and some limited testing shows
     that no version of OpenSSH is vulnerable.

Pragma Systems, Inc.

     December 16, 2002

     Rapid 7 and CERT Coordination Center Vulnerability report VU#389665

     Pragma Systems Inc. of Austin, Texas, USA, was notified regarding a
     possible  vulnerability  with  Version  2.0  of Pragma SecureShell.
     Pragma  Systems  tested Pragma SecureShell 2.0 and the upcoming new
     Version  3.0,  and found that the attacks did cause a memory access
     protection fault on Microsoft platforms.

     After   research,   Pragma   Systems  corrected  the  problem.  The
     correction of the problem leads us to believe that any attack would
     not cause a Denial of Service, or the ability of random code to run
     on the server.

     The  problem  is  corrected  in Pragma SecureShell Version 3.0. Any
     customers  with concerns regarding this vulnerability report should
     contact   Pragma   Systems,   Inc   at   support@pragmasys.com  for
     information  on  obtaining  an upgrade free of charge. Pragma's web
     site is located at www.pragmasys.com and the company can be reached
     at 1-512-219-7270.


     PuTTY 0.53b addresses vulnerabilities discovered by SSHredder.

SSH Communications Security

     SSH Secure Shell products are not exploitable via these attacks.

Appendix B. References

     * CERT/CC Vulnerability Note: VU#389665 -
     * Rapid 7 Advisory: R7-0009 -
     * Rapid 7 SSHredder test suite -
     * IETF     Draft:     SSH     Transport     Layer     Protocol     -
     * IETF Draft: SSH Protocol Architecture -
     * Privilege Separated OpenSSH -


   The  CERT  Coordination  Center  thanks  Rapid7  for  researching  and
   reporting these vulnerabilities.

   Author: Art Manion.

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History

   December 16, 2002: Initial release

Version: PGP 6.5.8


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author\'s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967