On Tue, Dec 17, 2002 at 12:02:57PM +0000, Andrew Mulholland wrote:
> On Tue, 2002-12-17 at 10:05, Adrian 'Dagurashibanipal' von Bidder wrote:
> > 
> > Well, SSH1 is still vulnerable. It's nothing to do with the current
> > advisory. So the advice not to run SSH1 is still valid.
> > 
> does this affect the ssh1 option in OpenSSH?
> (as in on a woody/sarge box, running OpenSSH, if I've the ssh1 option
> enabled, am I vulnerable? :)

The CERT Vulnerability Note is number VU#945216, and can be accessed
here[1].  Basically, this vulnerability is in the code that checks for
the CRC32 attack.  It suffers from an integer overflow.  According to
the note, SSH1 in Debian is vulnerable.  The last date they checked
was December 13, 2001.  However, according to OpenSSH's security
page[2], only versions of OpenSSH before 2.3.0 are vulnerable.

Woody ships with 3.4p1; however, unless there is no way around it,
you should restrict access to your SSH daemon to hosts that you know
are safe, and you should disable SSH1.  If you are going to be setting
up a new SSH server soon, now would be a good time to make the change.

Also, according to the previous vulnerability from December 16, those
of you using PuTTY to access your SSH accounts might want to think
about upgrading as PuTTY versions less than 0.53b are vulnerable to
the same type of attack.  They are available from PuTTY's website[3].

[1] http://www.kb.cert.org/vuls/id/945216
[2] http://www.openssh.com/security.html
[3] http://www.chiark.greenend.org.uk/~sgtatham/putty/

Edward Guldemond
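
Added example, not part of the original message: a shell check for whether an sshd_config still accepts SSH protocol 1, following the advice above to disable SSH1. The function name `ssh1_enabled` and the sample file are constructed for illustration; it assumes that when no `Protocol` line is present the OpenSSH default of that period ("2,1") applies.

```shell
#!/bin/sh
# Added example: report whether an sshd_config still allows SSH protocol 1.
# Assumption: with no Protocol line, the daemon default of that era ("2,1")
# applies, so SSH1 counts as enabled.

ssh1_enabled() {
    # $1 = path to an sshd_config file
    # sshd keeps the first value it reads for a keyword; keywords are
    # case-insensitive, '#' starts a comment, and '=' may separate
    # the keyword from its argument.
    value=$(awk '
        { sub(/#.*/, ""); sub(/=/, " ") }
        tolower($1) == "protocol" { print $2; exit }
    ' "$1")
    [ -n "$value" ] || value="2,1"
    case ",$value," in
        *,1,*) return 0 ;;   # SSH1 is accepted
        *)     return 1 ;;   # protocol 2 only
    esac
}

# Constructed sample, not a real host's configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin no
EOF

if ssh1_enabled "$sample"; then
    echo "SSH1 still enabled: set 'Protocol 2' and restart sshd"
else
    echo "protocol 2 only"
fi
rm -f "$sample"
```
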
