CERT Warns of SSH Vulnerabilities
December 17, 2002
The security alert said implementations of the SSH transport layer protocol contained vulnerabilities that affect SSH clients and servers and occur before user authentication takes place.
Vulnerable vendors include F-Secure, Intersoft International, and Pragma Systems. CERT noted that the popular OpenSSH and IBM implementations were not exploitable via these attacks.
SSH is a program used to log into another computer over a network, to execute commands on a remote machine and to move files from one machine to another. It provides authentication and secure communications over insecure channels and is widely used as a replacement for rlogin, rsh, rcp, and rdist.
CERT said security consultants Rapid7 ran a suite of test cases, dubbed SSHredder, that examined the connection initialization, key exchange and negotiation phase of the SSH transport layer protocol and found multiple bugs in different vendors' SSH products. "These vulnerabilities include buffer overflows, and they occur before any user authentication takes place," the Center warned.
In severe cases, CERT warned that remote attackers could execute arbitrary code with the privileges of the SSH process. "Both SSH servers and clients are affected, since both implement the SSH transport layer protocol. On Microsoft Windows systems, SSH servers commonly run with SYSTEM privileges, and on UNIX systems, SSH daemons typically run with root privileges," it added.
In the case of SSH clients, any attacker-supplied code would run with the privileges of the user who started the client program, with the possible exception of SSH clients that may be configured with an effective user ID of root (setuid root), according to the advisory. "Attackers could also crash a vulnerable SSH process, causing a denial-of-service."
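The bugs described above live in the code that handles the very first bytes a peer sends, before any authentication: the identification line and the binary packet header. The following is an added example, not code from CERT, Rapid7 or any of the named vendors, of what a bounds-checked version of that pre-authentication parsing looks like. The limits it enforces (a 255-byte identification line, a 35000-byte maximum packet_length) are assumed from the SSH transport-layer draft of the period (later RFC 4253), and the `ssh_ident_accepts_soft_len` helper builds constructed test lines so the parser can be probed with oversized fields the way a test suite such as SSHredder would.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounds assumed from the SSH transport-layer draft of the time (later RFC 4253):
   the identification line is at most 255 bytes including CR LF, and a binary
   packet's packet_length must not exceed 35000 bytes. Both are assumptions of
   this added example, not figures from the advisory. */
#define SSH_IDENT_MAX   255
#define SSH_PACKET_MAX  35000

typedef struct {
    char protoversion[16];     /* e.g. "2.0" */
    char softwareversion[64];  /* e.g. "OpenSSH_3.4p1" */
} ssh_ident_t;

/* Copy [src, src+n) into a fixed buffer of size cap, refusing rather than
   truncating when it does not fit. Returns 1 on success, 0 when too long. */
static int copy_bounded(char *dst, size_t cap, const uint8_t *src, size_t n)
{
    if (n == 0 || n >= cap)      /* empty field, or it would overflow dst */
        return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Parse one identification line "SSH-protoversion-softwareversion [comments] CR LF".
   Returns 1 and fills *out on success, 0 if the line is overlong, lacks a
   terminator, or has a field that does not fit its destination buffer. */
int ssh_parse_ident(const uint8_t *buf, size_t len, ssh_ident_t *out)
{
    const uint8_t *end, *p, *dash, *sp;
    size_t i;

    /* Reject before touching any field: the whole line must fit the protocol limit. */
    if (len > SSH_IDENT_MAX || len < 4 || memcmp(buf, "SSH-", 4) != 0)
        return 0;

    /* Locate the line terminator inside the caller's buffer, never beyond it. */
    end = NULL;
    for (i = 4; i < len; i++) {
        if (buf[i] == '\n') { end = buf + i; break; }
    }
    if (end == NULL)
        return 0;
    if (end > buf + 4 && end[-1] == '\r')
        end--;                               /* tolerate CR LF or bare LF */

    p = buf + 4;                             /* start of protoversion */
    dash = memchr(p, '-', (size_t)(end - p));
    if (dash == NULL)
        return 0;
    if (!copy_bounded(out->protoversion, sizeof out->protoversion, p, (size_t)(dash - p)))
        return 0;

    p = dash + 1;                            /* start of softwareversion */
    sp = memchr(p, ' ', (size_t)(end - p));  /* optional comments follow a space */
    if (sp == NULL)
        sp = end;
    return copy_bounded(out->softwareversion, sizeof out->softwareversion, p, (size_t)(sp - p));
}

/* Validate the 4-byte packet_length of a binary packet before any allocation
   or copy is sized from it. Returns 1 and stores the length on success. */
int ssh_packet_length_ok(const uint8_t hdr[4], uint32_t *out_len)
{
    uint32_t n = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                 ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    /* Minimum: one padding_length byte plus the mandatory four bytes of padding. */
    if (n < 5 || n > SSH_PACKET_MAX)
        return 0;
    *out_len = n;
    return 1;
}

/* Constructed test input: an identification line whose softwareversion field is
   soft_len 'A' bytes. Returns what ssh_parse_ident returns for it, so oversized
   fields can be probed without hand-writing long literals. */
int ssh_ident_accepts_soft_len(size_t soft_len)
{
    uint8_t line[1024];
    ssh_ident_t id;
    size_t n;

    if (soft_len > sizeof line - 10)
        return 0;
    memcpy(line, "SSH-2.0-", 8); n = 8;
    memset(line + n, 'A', soft_len); n += soft_len;
    line[n++] = '\r'; line[n++] = '\n';
    return ssh_parse_ident(line, n, &id);
}
```

The design choice worth noting is that every copy is sized from the destination buffer and every search is bounded by the caller's length, so an overlong or unterminated line is refused outright rather than truncated or read past; the same applies to packet_length, which is range-checked before anything is allocated from it.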
The Center urged users to apply the appropriate vendor patches or restrict access to SSH servers to trusted hosts and networks using firewalls or other packet-filtering systems.
"While these workarounds will not prevent exploitation of these vulnerabilities, they will make attacks somewhat more difficult, in part by limiting the number of potential sources of attacks," CERT said.