

M-017: Multiple SSH Version 1 Vulnerabilities

November 16, 2001 00:00 GMT

PROBLEM: Multiple vulnerabilities exist in SSH version 1, including a CRC32 compensation attack detector vulnerability (buffer overflow) and an unauthorized session key recovery problem.
PLATFORM: SSH protocol Version 1. This includes (but is not limited to):
    SSH Communications Security SSH 2.x and 3.x (if configured with version 1 Fallback enabled)
    SSH Communications Security SSH 1.2.23-1.2.31
    F-Secure SSH versions prior to 1.3.11-2
    OpenSSH versions prior to 2.3.0 (if configured with version 1 Fallback enabled)
    Cisco 11000 Content Service Switch Family
    Sun Solaris 2.5.1, 2.6, 7.0, 8.0
    RedHat Linux 6.2, 7.0
DAMAGE: Potential root compromise.
SOLUTION: Upgrade all SSH protocol version 1 servers to version 2. Do not enable Fallback to version 1 on the upgrades.

The risk is HIGH. This is a remotely exploitable vulnerability that is currently published on the Internet and can result in a root compromise.


[******  Start CIAC Bulletin ******]


There is some confusion on the current vulnerabilities in SSH version 1 and its 
many platforms.  There are actually several vulnerabilities currently being 
exploited, which are fixed by upgrading versions of SSH version 1 to versions 
using the SSH 2 protocol.  Further, new servers with upgraded versions can 
still be vulnerable if configured with Fallback to version 1 enabled. This 
bulletin actually covers 2 of the more serious SSH version 1 vulnerabilities.  

Vulnerability 1: SSH CRC32 Compensation Attack Detector Vulnerability

The SSH CRC32 compensation attack detector exploit consists of a buffer 
overflow vulnerability in the SSH daemon (sshd). This vulnerability was 
discovered by Michal Zalewski of Bindview in February 2001.  Exploiting this 
vulnerability allows remote attackers to execute arbitrary code without a 
legitimate account or privileges on a target host. 

Essentially, attackers first remotely scan a network using tools such as rapid 
SYN scans for a response from port 22. This information is then used to 
determine IP addresses and SSH versions of potentially vulnerable hosts (i.e., 
whether the host is running version 1 of SSH).  The attackers then have enough 
information to exploit this vulnerability and can obtain up to root privileges 
on a vulnerable system.  This is done by leveraging processes running Uid 0 to 
obtain root. They "patch" the sshd on the victim client with the attacker's 
version of SSH, complete with backdoors including listening ports for shell 
access. All compromised systems show altered /usr/sbin/sshd files.  Some 
successfully compromised hosts (but not all) have /usr/sbin/atd, a backdoor 
listening on port 56275 for password protected shell access. 
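
The indicators described above can be checked on a host under review. The following is an added example, not part of the CIAC bulletin: it looks for a listener on TCP port 56275 and compares /usr/sbin/sshd against a trusted baseline. The Linux net-tools netstat layout, the function names and the sample data are assumptions made for illustration.

```python
import hashlib

BACKDOOR_PORT = 56275          # TCP port named in the bulletin
SSHD_PATH = "/usr/sbin/sshd"   # binary the bulletin reports as altered

# Constructed sample in Linux net-tools `netstat -ant` layout.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22          0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:56275       0.0.0.0:*           LISTEN
tcp        0      0 192.0.2.10:22       198.51.100.7:40112  ESTABLISHED
"""


def listening_tcp_ports(netstat_text):
    """Collect local TCP ports in LISTEN state from netstat output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def triage(netstat_text, observed_sha256, baseline_sha256):
    """Return findings for the indicators the bulletin describes.

    observed_sha256 / baseline_sha256 map file paths to hex digests; the
    baseline must come from trusted media or the vendor package, not from
    the host under examination.
    """
    findings = []
    if BACKDOOR_PORT in listening_tcp_ports(netstat_text):
        # /usr/sbin/atd is also the usual path of the legitimate at daemon,
        # which has no network listener, so the socket is the signal here.
        findings.append("listener on tcp/%d" % BACKDOOR_PORT)
    expected = baseline_sha256.get(SSHD_PATH)
    actual = observed_sha256.get(SSHD_PATH)
    if expected is None:
        findings.append("no trusted baseline for " + SSHD_PATH)
    elif actual != expected:
        findings.append(SSHD_PATH + " differs from baseline")
    return findings


def sha256_hex(data):
    """Digest helper for file contents read from the suspect host."""
    return hashlib.sha256(data).hexdigest()
```

Because the bulletin reports that system binaries are replaced on compromised hosts, collect the netstat output and file contents with tools from trusted media where possible.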

Further technical description of this vulnerability is available at the 
following sites:

Vulnerability 2:  SSH Protocol 1.5 Unauthorized Session Key Recovery

A second vulnerability is the ability to break the transient SSH version 1 
server key responsible for negotiation of session encryption parameters; this 
was discovered by CORE SDI S.A.  The remote attacker initiates large numbers of 
SSH 1 protocol connections to the SSH server and also captures encrypted SSH 
version 1 sessions on that server.  The session key is recovered by accessing 
the SSH server rapidly, and obtaining information using a ciphertext 
attack on the RSA encryption algorithm implemented in SSH version 1.  Once 
captured, the sessions can then be decrypted using the recovered session key.

This is a complex attack.  A better and complete technical description of this 
attack is available at the following site:


CIAC recommends reviewing all SSH servers and patching vulnerable SSH version 1 
systems; most of the vulnerabilities have to do with the SSH 
version 1 protocol.  Remove any old legacy sshd version 1 binaries (i.e., those 
not currently used).  Do not enable SSH version 1 Fallback on updated systems 
if at all possible (i.e., if SSH version 1 is not used). Note: systems with 
upgraded versions of SSH, with Fallback to version 1 enabled, are still 
vulnerable!
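
One way to carry out the review recommended above is to classify the identification string each server in an inventory presents. This is an added example, not part of the CIAC bulletin: a protocol field of 1.99 means the server accepts both protocols (version 1 Fallback), 1.x means version 1 only, and 2.0 means version 2 only. The function names, the two banner styles handled and the inventory are assumptions made for illustration.

```python
import re

BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def protocol_exposure(banner):
    """Classify the protocol field of an SSH identification string."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unparsed"
    proto = (int(m.group(1)), int(m.group(2)))
    if proto == (1, 99):
        return "v2-with-v1-fallback"   # server accepts both protocols
    if proto[0] == 1:
        return "v1-only"
    return "v2-only" if proto[0] == 2 else "unparsed"


def release_listed(banner):
    """True if the software field matches a release range the bulletin lists.

    Covers only the two banner styles assumed here: 'OpenSSH_x.y[.z]' and
    the bare '1.2.NN' used by SSH Communications Security SSH 1.2.x.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return False
    software = m.group(3)
    v = VERSION_RE.match(software.replace("OpenSSH_", "", 1))
    if not v:
        return False
    version = tuple(int(n or 0) for n in v.groups())
    if software.startswith("OpenSSH_"):
        return version < (2, 3, 0)
    return (1, 2, 23) <= version <= (1, 2, 31)


def needs_action(inventory):
    """Hosts not confirmed as protocol-2-only, whatever release they run."""
    return sorted(h for h, b in inventory.items()
                  if protocol_exposure(b) != "v2-only")


# Constructed inventory: host -> banner collected during the review.
INVENTORY = {
    "192.0.2.11": "SSH-1.5-1.2.27",
    "192.0.2.12": "SSH-1.99-OpenSSH_2.2.0p1",
    "192.0.2.13": "SSH-1.99-OpenSSH_3.0.1p1",
    "192.0.2.14": "SSH-2.0-OpenSSH_3.0.1p1",
}
```

The third host runs a release outside the listed ranges but is still flagged, which is the bulletin's point about upgraded servers with Fallback enabled.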

Patches and Upgrades are available at:

SSH Communications Security:

[******  End CIAC Bulletin ******]

CIAC wishes to acknowledge the contributions of Bindview for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)

    FAX:            +1 925-423-8002

    STU-III:        +1 925-423-2604



This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.