OpenBSD Journal

Remote vulnerability in SSH1 implementations

Contributed by Dengue on from the security dept.

*note*: this story has been updated to more correctly represent the facts
Razor has released an advisory: Remote vulnerability in SSH daemon crc32 compensation attack detector affecting OpenSSH versions prior to 2.3.0 if SSH1 support is enabled. To quote from adv_ssh1crc.html:
" Insufficient range control calculations (16-bit unsigned variable is used instead of 32-bit, which causes integer overflow) in the detect_attack() function leads to table index overflow bug. This effectively allows an attacker to overwrite arbitrary portions of memory. The altered memory locations affect code that is executed by the daemon with uid 0, and this can be leveraged to obtain general root access to the system."
Users are advised to disable SSH1 Support in versions prior to OpenSSH 2.3.0 or upgrade to OpenSSH 2.3.0 (OpenBSD 2.8), or OpenSSH 2.3.2 (available in -current).

(Comments are closed)


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]