oh oh ... rumor of ssh1 daemon buffer overflow (fwd)

Dave Dittrich dittrich at cac.washington.edu
Mon Feb 12 16:27:06 PST 2001


FYI.

--
Dave Dittrich Computing & Communications
dittrich at cac.washington.edu Client Services
http://staff.washington.edu/dittrich University of Washington

PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Mon, 12 Feb 2001 16:20:29 -0800 (PST)
Subject: Re: oh oh ... rumor of ssh1 daemon buffer overflow
From: Dave Dittrich <dittrich at cac.washington.edu>
To: Ed Mulligan <mulligan at geology.washington.edu>
Cc: Network System Adminstrators list <netsys at atmos.washington.edu>


> oh oh ... our favorite "reliable" news site /. is reporting a buffer
> overflow in all SSH1 (ie ssh.com ssh 1.2.x) daemons except OpenSSH2.3.
>
> this COULD be very serious and needs watching


Yes, Ed, it was Friday!

There are two vulnerabilities that were discovered and reported last
week on BUGTRAQ by Ivan Arce of CORE SDI. This led to a great deal
of attention and some quick patches, one of which introduced a denial
of service problem. I will forward the three threads from BUGTRAQ as
separate messages in a moment.

A scanner for SSH versions has even shown up, so as soon as an exploit
is publicly available this will be a huge security hole.

As for what to do, it appears the time has long passed to switch to
SSH version 2 (either the Finnish version, or OpenSSH). Red Hat Linux
7.0 even comes with OpenSSH pre-installed now. Part of the
vulnerability is fallback (the default) to SSH version 1 protocol,
which is very weak, now has tools like Dsniff to remind us of this,
and has been deprecated for some time. I am switching all my
workstations over to it, and will see if we can accelerate the switch
over on Uniform Access systems. (Continuing to wait because vendors
are slow to move on SSH version 2 is NOT helping the situation.)

--
Dave Dittrich Computing & Communications
dittrich at cac.washington.edu Client Services
http://staff.washington.edu/dittrich University of Washington

PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
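
Added example, not part of the original message: a way to check an inventory of your own hosts for the SSH version 1 fallback mentioned above, by classifying the identification string each sshd sends on connect. It relies on the convention that a server announcing protocol version 1.99 speaks protocol 2 but still accepts protocol 1 clients; the function names, hostnames and banners below are constructed for illustration.

```python
import re

# Identification string: "SSH-<protoversion>-<softwareversion>[ comments]"
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")


def classify_banner(banner):
    """Return 'v1-only', 'v1-and-v2', 'v2-only' or 'unparseable'."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unparseable"
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        # 1.99 = protocol 2 server that still falls back to protocol 1
        return "v1-and-v2"
    if major == 1:
        return "v1-only"
    if major == 2:
        return "v2-only"
    return "unparseable"


def hosts_offering_v1(inventory):
    """inventory: iterable of (host, banner) pairs.
    Return the sorted hosts whose sshd still accepts protocol 1."""
    return sorted(
        host for host, banner in inventory
        if classify_banner(banner) in ("v1-only", "v1-and-v2")
    )


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = [
    ("host-a.example", "SSH-1.5-1.2.27\r\n"),
    ("host-b.example", "SSH-1.99-OpenSSH_2.3.0p1\r\n"),
    ("host-c.example", "SSH-2.0-OpenSSH_2.3.0p1\r\n"),
    ("host-d.example", "220 ftp ready\r\n"),  # not an SSH service
]

if __name__ == "__main__":
    for host, banner in SAMPLE:
        print(f"{host:16} {classify_banner(banner)}")
    print("still offering SSH1:", hosts_offering_v1(SAMPLE))
```

Hosts reported as v1-only or v1-and-v2 are the ones to move to a protocol 2 only configuration first.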



