SSH transport layer protocol multiple large packet and field size buffer overflows
ssh-transport-multiple-bo (10870)
Description:
SSH (Secure Shell) is vulnerable to multiple buffer overflows, caused by improper bounds checking of packet sizes and fields. By sending an overly large packet or a packet with an overly long field size during SSH key exchange and initialization, a remote attacker could overflow a buffer in the vulnerable SSH client or server and cause the SSH service to crash or execute arbitrary code on the system with privileges of the SSH process.
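The bounds checks whose absence is described above, as an added example (not code from the advisory or from any affected product): a reader for the unencrypted SSH binary packet header and for a length-prefixed string field. The function names, the 35000-byte cap and the sample packets are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PACKET 35000u /* assumed cap on packet_length for this example */
#define MIN_PADDING 4u    /* smallest padding the SSH packet format allows */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Check uint32 packet_length and byte padding_length against the bytes actually
   received, then expose the payload. Returns 0, or -1 for any bad length. */
int ssh_packet_payload(const uint8_t *buf, size_t avail, const uint8_t **payload, size_t *len) {
    if (avail < 5) return -1;
    uint32_t packet_length = be32(buf);
    uint8_t padding_length = buf[4];
    if (packet_length < 1 + MIN_PADDING || packet_length > MAX_PACKET) return -1;
    if (packet_length > avail - 4) return -1;          /* claims more than was read */
    if (padding_length < MIN_PADDING || padding_length > packet_length - 1) return -1;
    *payload = buf + 5;
    *len = packet_length - 1 - padding_length;
    return 0;
}

/* Copy one length-prefixed string field into a fixed buffer, NUL-terminated. */
int ssh_read_string(const uint8_t *p, size_t remaining, char *out, size_t out_size, size_t *used) {
    if (remaining < 4 || out_size == 0) return -1;
    uint32_t field_len = be32(p);
    if (field_len > remaining - 4) return -1;          /* field runs past the payload */
    if (field_len >= out_size) return -1;              /* would overflow the destination */
    memcpy(out, p + 4, field_len);
    out[field_len] = '\0';
    *used = 4 + (size_t)field_len;
    return 0;
}

/* Constructed samples: a well-formed packet carrying the string "ssh-rsa",
   and a header announcing a 4 GiB packet. */
static const uint8_t GOOD[] = {0,0,0,20, 8, 0,0,0,7, 's','s','h','-','r','s','a', 0,0,0,0,0,0,0,0};
static const uint8_t OVERSIZED[] = {0xff,0xff,0xff,0xff, 4, 0};

int main(void) {
    const uint8_t *pl; size_t n, used; char name[16];
    int rc = ssh_packet_payload(GOOD, sizeof GOOD, &pl, &n);
    if (rc == 0) rc = ssh_read_string(pl, n, name, sizeof name, &used);
    printf("good packet: rc=%d field=%s\n", rc, rc == 0 ? name : "-");
    printf("oversized packet: rc=%d\n", ssh_packet_payload(OVERSIZED, sizeof OVERSIZED, &pl, &n));
    return 0;
}
```

Each length is compared against both the bytes actually received and the size of the destination before any copy, and the comparisons are written as subtractions on the trusted side so a 32-bit length near the maximum cannot wrap.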
*CVSS:
| Base Score: | 10 |
| Access Vector: | Remote |
| Access Complexity: | Low |
| Authentication: | Not Required |
| Confidentiality Impact: | Complete |
| Integrity Impact: | Complete |
| Availability Impact: | Complete |
| Temporal Score: | 8.3 |
| Exploitability: | Functional |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Access
Remedy:
For Pragma Systems SecureShell:
Upgrade to the latest version of Secure Shell (3.0 or later), available from the Pragma Systems Web site. See References.
For PuTTY:
Upgrade to the latest version of PuTTY (0.53b or later), available from the PuTTY Web page. See References.
For SecureNetTerm:
Upgrade to the latest version of SecureNetTerm (5.4.2 or later), available from the SecureNetTerm Web site. See References.
For Cisco devices running Cisco IOS:
Upgrade to the appropriate fixed version of Cisco IOS for your device, as listed in Cisco Security Advisory 2002 December 19th 23:00 GMT. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- CERT Advisory CA-2002-36: Multiple Vulnerabilities in SSH Implementations.
- CIAC Information Bulletin N-028: Vulnerabilities in SSH2 Implementations from Multiple Vendors.
- Cisco Systems Inc. Security Advisory, 2002 December 19th 23:00 GMT: SSH Malformed Packet Vulnerabilities.
- Pragma Systems Web site: Pragma SecureShell Updates.
- PuTTY Web site: PuTTY Download Page.
- Rapid 7, Inc. Security Advisory R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors.
- SecureNetTerm Web site: Downloads - InterSoft International, Inc.
- BID-6397: Multiple Vendor SSH2 Implementation Vulnerabilities
- BID-6407: Multiple Vendor SSH2 Implementation Buffer Overflow Vulnerabilities
- CVE-2002-1359: Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite.
- OSVDB ID: 8044: Multiple Vendor SSH2 Server/Client Large Field Overflows
- SECTRACK ID: 1005812: F-Secure SSH Client and Server SSH2 Implementation Bugs Allow Only Limited Remote Denial of Service Issues
- SECTRACK ID: 1005813: SSH Communications SSH Client and Server SSH2 Implementation Bugs Allow Only Limited Denial of Service
Platforms Affected:
- FiSSH SSH Client 1.0A for Windows
- InterSoft SecureNetTerm 5.4.1
- NetComposite ShellGuard SSH 3.4.6
- Pragma Systems SecureShell 2.0
- PuTTY Putty 0.48
- PuTTY Putty 0.49
- PuTTY Putty 0.53
- WinSCP WinSCP 2.0.0
Reported:
Dec 16, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@us.ibm.com
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
