SSH protocol 1.5 deattack.c allows memory to be overwritten
ssh-deattack-overwrite-memory (6083)
Description:
SSH (Secure Shell) could allow an attacker to overwrite arbitrary memory locations, due to a vulnerability in the daemon's deattack.c. Insufficient range-control calculations could allow an attacker to cause an integer overflow in the detect_attack function in deattack.c and overwrite arbitrary memory locations that contain code executed with UID 0, which the attacker could use to gain root privileges on the system.
Platforms Affected:
- SSH
Remedy:
For vulnerability detection:
Enable the following checks in the ISS Protection Platform:
SshDeattackOverwriteMemory
Enable the following checks in the ISS Protection Platform:
SSH_Deattack_IO
Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 22
For Manual Protection:
For SSH-1.2.24 through 1.2.31:
Upgrade to SSH2, available from the SSH Secure Shell Download Page. See References.
For Debian GNU/Linux 2.2 (potato):
Upgrade to the latest version of openssh (1.2.3-9.2 or later), as listed in DSA-027-1, or ssh-nonfree (1.2.26-6.2 or later), as listed in DSA-086-1. See References.
For FreeBSD:
Upgrade to the latest version of sshd (4.2 or later), as listed in FreeBSD Security Advisory FreeBSD-SA-01:24. See References.
For NetBSD:
Upgrade to the latest version of ssh, as listed in NetBSD Security Advisory 2001-003. See References.
For SuSE Linux:
Upgrade to the latest version of ssh (1.2.27 or later), as listed in SuSE Security Announcement SuSE-SA:2001:04. See References.
For OSSH 1.5.7 and earlier:
Upgrade to the latest version of OSSH (1.5.8 or later), available at OSSH FTP site. See References.
For OpenSSH prior to 2.3.0:
Upgrade to the latest version of OpenSSH (2.3.0 or later), available from the OpenSSH Web site. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Gain Access
References:
- BindView RAZOR Security Advisory, February 8, 2001, Remote vulnerability in SSH daemon crc32 compensation attack detector at http://razor.bindview.com/publish/advisories/adv_ssh1crc.html.
- BugTraq Mailing List, Thu Nov 22 2001 - 02:22:51 CST, Secure Computing SafeWord uses vulnerable ssh server at http://archives.neohapsis.com/archives/bugtraq/2001-11/0186.html.
- BugTraq Mailing List, Wed Feb 21 2001 - 00:38:15 CST, SSH CRC-32 Compensation Attack Detector Vulnerability Exploit at http://archives.neohapsis.com/archives/bugtraq/2001-02/0362.html.
- CIAC Information Bulletin L-047, OpenSSH SSH1 Coding Error and Server Key Vulnerability at http://www.ciac.org/ciac/bulletins/l-047.shtml.
- CIAC Information Bulletin M-017, Multiple SSH Version 1 Vulnerabilities at http://www.ciac.org/ciac/bulletins/m-017.shtml.
- Cisco Systems Inc. Security Advisory, 2001 June 27 08:00 (UTC -0800), Multiple SSH Vulnerabilities at http://www.cisco.com/warp/public/707/SSH-multiple-pub.html.
- CORE SDI S.A. Security Advisory CORE-20010207, SSH1 CRC-32 compensation attack detector vulnerability at http://www.core-sdi.com/common/showdoc.php?idx=81&idxseccion=10&CORE-ST=3d29a31a07ee6b7786073ef140a5f4e1.
- FreeBSD Security Advisory FreeBSD-SA-01:24, ssh at http://archives.neohapsis.com/archives/freebsd/2001-02/0207.html.
- Internet Security Systems Security Alert #100, Widespread Exploitation of SSH CRC32 Compensation Attack at http://www.iss.net/xforce/alerts/id/advise100.
- NetBSD Security Advisory 2001-003, Secure Shell vulnerabilities and key generation at http://archives.neohapsis.com/archives/netbsd/2001-q1/0094.html. (From neohapsis archive)
- OpenSSH Web site, OpenSSH information at http://www.openssh.com/.
- OSSH FTP site, FTP directory /pub/krypto/ossh/ at ftp.pdc.kth.se at ftp://ftp.pdc.kth.se/pub/krypto/ossh/.
- SuSE Security Announcement SuSE-SA:2001:004, ssh at http://www.suse.com/de/security/2001_045_openssh_txt.html.
- BID-2347: SSH CRC-32 Compensation Attack Detector Vulnerability
- CVE-2001-0144: CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow.
- OSVDB ID: 795: Multiple Vendor SSH CRC-32 detect_attack() Function Overflow
- US-CERT VU#945216: SSH CRC32 attack detection code contains remote integer overflow
Reported:
Feb 08, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
