SSH transport layer protocol empty lists buffer overflow
ssh-transport-empty-lists-bo (10869)
Description:
SSH (Secure Shell) is vulnerable to a buffer overflow caused by incorrect handling of empty list fields. By sending a specially crafted packet with a list field containing empty elements or multiple separators during SSH key exchange and initialization, a remote attacker could overflow a buffer in the vulnerable SSH client or server and cause the SSH service to crash, or execute arbitrary code on the system with the privileges of the SSH process.
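A defensive check for the malformed list fields described above, as an added example that is not part of the original advisory or any vendor's code. It assumes the SSH2 name-list wire layout from RFC 4251 (a uint32 big-endian length followed by comma-separated names); the function name, the 4096-byte cap and the sample input are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_NAME_LEN 64    /* per-name limit in RFC 4251 */
#define MAX_LIST_LEN 4096  /* cap chosen for this example (assumption) */

/* Validate one SSH2 name-list field before any copying or splitting.
 * Returns the number of names (0 for a zero-length list), -1 if malformed. */
int namelist_count(const uint8_t *buf, size_t buflen)
{
    if (buf == NULL || buflen < 4)
        return -1;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    /* Compare against the bytes that remain; never compute 4 + len. */
    if (len > buflen - 4 || len > MAX_LIST_LEN)
        return -1;
    if (len == 0)
        return 0;
    int names = 0;
    size_t cur = 0;                      /* length of the name being scanned */
    for (uint32_t i = 0; i < len; i++) {
        uint8_t c = buf[4 + i];
        if (c == ',') {
            if (cur == 0)                /* leading comma or ",,": empty element */
                return -1;
            names++;
            cur = 0;
        } else if (c <= 0x20 || c >= 0x7f) {
            return -1;                   /* control, space, DEL or non-ASCII byte */
        } else if (++cur > MAX_NAME_LEN) {
            return -1;                   /* single name longer than the limit */
        }
    }
    if (cur == 0)                        /* trailing comma: empty last element */
        return -1;
    return names + 1;
}

int main(void)
{
    /* Constructed sample: length 4, contents "a,,b" (empty middle element). */
    const uint8_t bad[] = { 0, 0, 0, 4, 'a', ',', ',', 'b' };
    printf("a,,b -> %d\n", namelist_count(bad, sizeof bad));
    return 0;
}
```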
Consequences:
Gain Access
Remedy:
For Pragma Systems SecureShell:
Upgrade to the latest version of SecureShell (3.0 or later), available from the Pragma Systems Web site. See References.
For PuTTY:
Upgrade to the latest version of PuTTY (0.53b or later), available from the PuTTY Web page. See References.
For SecureNetTerm:
Upgrade to the latest version of SecureNetTerm (5.4.2 or later), available from the SecureNetTerm Web site. See References.
For Cisco devices running Cisco IOS:
Upgrade to the appropriate fixed version of Cisco IOS for your device, as listed in Cisco Security Advisory 2002 December 19th 23:00 GMT. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- CERT Advisory CA-2002-36: Multiple Vulnerabilities in SSH Implementations.
- CIAC Information Bulletin N-028: Vulnerabilities in SSH2 Implementations from Multiple Vendors.
- Cisco Systems Inc. Security Advisory, 2002 December 19th 23:00 GMT: SSH Malformed Packet Vulnerabilities.
- Pragma Systems Web site: Pragma SecureShell Updates.
- PuTTY Web site: PuTTY Download Page.
- Rapid 7, Inc. Security Advisory R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors.
- SecureNetTerm Web site: Downloads - InterSoft International, Inc.
- BID-6397: Multiple Vendor SSH2 Implementation Vulnerabilities
- BID-6408: Multiple Vendor SSH2 Implementation Empty Elements / Multiple Separator Vulnerabilities
- CVE-2002-1358: Multiple SSH2 servers and clients do not properly handle lists with empty elements or strings, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite.
- OSVDB ID: 8043: SSH2 Server/Client Empty Element List Arbitrary Command Execution
- SECTRACK ID: 1005812: F-Secure SSH Client and Server SSH2 Implementation Bugs Allow Only Limited Remote Denial of Service Issues
- SECTRACK ID: 1005813: SSH Communications SSH Client and Server SSH2 Implementation Bugs Allow Only Limited Denial of Service
Platforms Affected:
- FiSSH SSH Client 1.0A for Windows
- InterSoft SecureNetTerm 5.4.1
- NetComposite ShellGuard SSH 3.4.6
- Pragma Systems SecureShell 2.0
- PuTTY Putty 0.48
- PuTTY Putty 0.49
- PuTTY Putty 0.53
- WinSCP WinSCP 2.0.0
Reported:
Dec 16, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@us.ibm.com
