Reported February 8, 2001, by BindView RAZOR Team.

VERSIONS AFFECTED
  • SSH 1.2.x Server
  • SSH 1.2.x Client
  • F-Secure SSH 1.3.x Server
  • F-Secure SSH 1.3.x Client
  • OSSH daemons
  • OpenSSH 2.3.0

DESCRIPTION

Implementations of SSH that include the deattack.c code, which Core SDI developed to prevent cryptographic attacks, are vulnerable to an integer overflow. Insufficient range checking in the detect_attack() function leads to a table index overflow that can result in arbitrary commands running on the vulnerable host.
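The following is an added example, not code from deattack.c or from either advisory: a simplified C model of how a table size computed from a packet length can overflow and leave an index unbounded, next to a range-checked version. It assumes the size is stored in a 16-bit variable; every function name and constant is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* All constants are assumptions made for this model. */
#define BLOCK_SIZE      8u               /* cipher block size in bytes */
#define MIN_ENTRIES     1024u            /* smallest table, a power of two */
#define MAX_PACKET_LEN  (256u * 1024u)   /* largest packet the checked path accepts */

/* Entries wanted for a packet of len bytes: 1.5 slots per cipher block. */
static uint32_t entries_needed(uint32_t len)
{
    return (len / BLOCK_SIZE) * 3u / 2u;
}

/* Weak: the size is grown in 32 bits but stored in 16 bits, so 65536 becomes 0. */
uint16_t table_entries_weak(uint32_t len)
{
    uint32_t l = MIN_ENTRIES;
    while (l < entries_needed(len))
        l <<= 1;
    return (uint16_t)l;
}

/* Slot chosen by masking with n - 1; with n == 0 the mask is all ones. */
uint32_t slot_for(uint32_t hash, uint32_t n)
{
    return hash & (n - 1u);
}

/* Hardened: range-check the length first and keep the size in 32 bits.
 * Returns 0 and stores the entry count, or -1 if the packet must be rejected. */
int table_entries_checked(uint32_t len, uint32_t *entries)
{
    uint32_t l = MIN_ENTRIES;
    if (len == 0 || len > MAX_PACKET_LEN || len % BLOCK_SIZE != 0)
        return -1;
    while (l < entries_needed(len))
        l <<= 1;
    *entries = l;
    return 0;
}

int main(void)
{
    uint32_t len = MAX_PACKET_LEN, n = 0, hash = 0x12345678u; /* constructed inputs */
    uint16_t weak = table_entries_weak(len);
    printf("weak: entries=%u slot=%u\n", (unsigned)weak, (unsigned)slot_for(hash, weak));
    if (table_entries_checked(len, &n) == 0)
        printf("checked: entries=%u slot=%u\n", (unsigned)n, (unsigned)slot_for(hash, n));
    return 0;
}
```

In the weak path the stored size is 0 while the slot is the unmasked hash value, so the index has no relation to the table that was allocated; the checked path keeps the slot below the entry count.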

VENDOR RESPONSE

The various vendors involved have been contacted and have released patches to address the problem. Check your SSH vendor's Web site to determine whether your version of SSH is vulnerable.

The original RAZOR advisory is available at:

http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

Core SDI also released an advisory, available at:

http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0102b&L=win2ksecadvice&F=&S=&P=544

CREDIT
Discovered by BindView RAZOR Team.