        __________________________________________________________

                  The U.S. Department of Energy
                Computer Incident Advisory Center
                      ___  __ __    _     ___
                     /       |     /_\   /
                     \___  __|__  /   \  \___
        __________________________________________________________

                        INFORMATION BULLETIN

               Multiple SSH Version 1 Vulnerabilities

November 15, 2001 23:00 GMT                                       Number M-017
______________________________________________________________________________
PROBLEM:       Multiple vulnerabilities exist in SSH version 1, including a
               CRC32 compensation attack detector vulnerability (buffer
               overflow) and an unauthorized session key recovery problem.
PLATFORM:      SSH protocol Version 1. This includes (but is not limited to):
                 SSH Communications Security SSH 2.x and 3.x (if configured
                   with version 1 Fallback enabled)
                 SSH Communications Security SSH 1.2.23-1.2.31
                 F-Secure SSH versions prior to 1.3.11-2
                 OpenSSH versions prior to 2.3.0 (if configured with
                   version 1 Fallback enabled)
                 Cisco 11000 Content Service Switch Family
DAMAGE:        Potential root compromise.
SOLUTION:      Upgrade all SSH protocol version 1 servers to version 2. Do
               not enable Fallback to version 1 on the upgrades.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. This is a remotely exploitable vulnerability,
ASSESSMENT:    currently publicized on the Internet and can result in a root
               compromise. CIAC recommends sites take immediate action.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-017.shtml
 ORIGINAL BULLETIN:  http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
______________________________________________________________________________

[****** Start CIAC Bulletin ******]

ATTACK DESCRIPTION:

There is some confusion on the current vulnerabilities in SSH version 1 and
its many platforms.
There are actually several vulnerabilities currently being exploited, which
are fixed by upgrading versions of SSH version 1 to versions using the SSH 2
protocol. Further, new servers with upgraded versions can still be vulnerable
if configured with Fallback to version 1 enabled. This bulletin covers 2 of
the more serious SSH version 1 vulnerabilities.

Vulnerability 1: SSH CRC32 Compensation Attack Detector Vulnerability

The SSH CRC32 compensation attack detector exploit consists of a buffer
overflow vulnerability in the SSH daemon (sshd). This vulnerability was
discovered by Michal Zalewski of Bindview in February 2001. Exploiting this
vulnerability allows remote attackers to execute arbitrary code without a
legitimate account or privileges on a target host.

Essentially, attackers first remotely scan a network using tools such as
rapid SYN scans for a response from port 22. This information is then used to
determine IP addresses and SSH versions of potentially vulnerable hosts
(i.e., whether the host is running version 1 of SSH). The attackers then have
enough information to exploit this vulnerability and can obtain up to root
privileges on a vulnerable system. This is done by leveraging processes
running as UID 0 to obtain root. They "patch" the sshd on the victim client
with the attacker's version of SSH, complete with backdoors including
listening ports for shell access.

All compromised systems show altered /usr/sbin/sshd files. Some successfully
compromised hosts (but not all) have /usr/sbin/atd, a backdoor listening on
port 56275 for password protected shell access.
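
Added example, not part of the original bulletin: a host triage check for the
two indicators described above, a listener on port 56275 and an altered
/usr/sbin/sshd. It assumes sha256sum is installed and that the operator
supplies a known-good digest from a trusted baseline; the sample listings are
constructed.

```shell
#!/bin/sh
# Added example: triage for the indicators named in the bulletin.
BACKDOOR_PORT=56275   # port the bulletin gives for the /usr/sbin/atd backdoor

# Read `netstat -lnt` or `ss -ltn` style text on stdin and print every
# LISTEN line whose local address ends in :$BACKDOOR_PORT. Exit 0 if any.
find_backdoor_listeners() {
    awk -v port="$BACKDOOR_PORT" '
        /LISTEN/ {
            # The first addr:port field on the line is the local address.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:[0-9*]+$/) {
                    n = split($i, parts, ":")
                    if (parts[n] == port) { print; hits++ }
                    break
                }
            }
        }
        END { exit (hits > 0 ? 0 : 1) }
    '
}

# Succeed only if FILE ($1) hashes to the known-good SHA-256 digest ($2).
# The digest must come from a trusted baseline, not from the suspect host.
matches_baseline() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{ print $1 }')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Constructed sample listings (not captured from a real host).
SAMPLE_SUSPECT='tcp   0   0 0.0.0.0:22      0.0.0.0:*       LISTEN
tcp   0   0 0.0.0.0:56275   0.0.0.0:*       LISTEN'
SAMPLE_CLEAN='tcp   0   0 0.0.0.0:22      0.0.0.0:*       LISTEN
tcp   0   0 10.0.0.5:22     10.0.0.9:56275  ESTABLISHED'

if printf '%s\n' "$SAMPLE_SUSPECT" | find_backdoor_listeners; then
    echo "listener on port $BACKDOOR_PORT: investigate /usr/sbin/atd and sshd"
fi
```

A file at /usr/sbin/atd is not by itself an indicator, since the at(1) daemon
is normally installed there; the listener and a digest mismatch are what to
act on.
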
Further technical description of this vulnerability is available at the
following sites:

  http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
  http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=2347

Vulnerability 2: SSH Protocol 1.5 Unauthorized Session Key Recovery

A second vulnerability is the ability to break the transient SSH version 1
server key responsible for negotiation of session encryption parameters; this
was discovered by CORE SDI S.A. The remote attacker initiates large numbers
of SSH 1 protocol connections to the SSH server and also captures encrypted
SSH version 1 sessions on that server. The session key is recovered by
accessing the SSH server rapidly, and obtaining information using a
ciphertext attack on the RSA encryption algorithm implemented in SSH
version 1. Once captured, the sessions can then be decrypted using the
recovered session key. This is a complex attack.

A more complete technical description of this attack is available at the
following site:

  http://www.securityfocus.com/archive/1/161150

RECOMMENDATIONS:

CIAC recommends reviewing all SSH servers and patching those running
vulnerable SSH version 1 software, since most of the vulnerabilities have to
do with the SSH version 1 protocol. Remove any old legacy sshd version 1
binaries (i.e., those not currently used). Do not enable SSH version 1
Fallback on updated systems if at all possible (i.e., if SSH version 1 is not
used).

Patches and Upgrades are available at:

  SSH Communications Security:  http://www.ssh.com
  F-Secure:                     http://www.f-secure.com/
  OpenSSH:                      http://www.openssh.com
  Cisco:                        http://www.cisco.com/warp/public/732/index.shtml

[****** End CIAC Bulletin ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Bindview for the information
contained in this bulletin.
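
Added example, not part of the CIAC bulletin: one way to audit for the
version 1 Fallback that the recommendations say to leave disabled. It
classifies an SSH identification string (a protoversion of 1.99 means the
server speaks version 2 but still accepts version 1) and checks the Protocol
keyword as used in OpenSSH's sshd_config of that era. The banners shown are
constructed.

```shell
#!/bin/sh
# Added example: audit for protocol 1 Fallback from a banner and sshd_config.

# Classify an SSH identification string ("SSH-protoversion-software").
# Prints v1-only, v1-fallback, v2-only or unknown.
classify_banner() {
    banner=$(printf '%s' "$1" | tr -d '\r\n')
    case "$banner" in
        SSH-1.99-*) echo v1-fallback ;;  # speaks 2 but still accepts 1
        SSH-2.0-*)  echo v2-only ;;
        SSH-1.*-*)  echo v1-only ;;      # e.g. protoversion 1.5
        *)          echo unknown ;;
    esac
}

# Read sshd_config text on stdin; exit 0 only if an active Protocol line
# excludes version 1. sshd honours the first occurrence of a keyword and
# matches keywords case-insensitively. No Protocol line means the build
# default applies, so that case is reported as not verified (exit 1).
config_disables_v1() {
    awk '
        tolower($1) == "protocol" && !seen {
            seen = 1
            n = split($2, v, ",")
            for (i = 1; i <= n; i++) if (v[i] == "1") bad = 1
        }
        END { exit (seen && !bad ? 0 : 1) }
    '
}

# Constructed banners for illustration (not taken from the bulletin).
for b in 'SSH-1.5-1.2.27' 'SSH-1.99-OpenSSH_2.2.0' 'SSH-2.0-OpenSSH_2.9'; do
    printf '%-24s %s\n' "$b" "$(classify_banner "$b")"
done
```
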
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security incident
response team for the U.S. Department of Energy (DOE) and the emergency backup
response team for the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore, California. CIAC is
also a founding member of FIRST, the Forum of Incident Response and Security
Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-007: Macintosh OS-X Application Manager Vulnerability
M-008: Sun rpc.yppasswdd Security Vulnerability
M-009: Red Hat Linux PAM Vulnerability
M-010: Red Hat OpenSSH Vulnerability
M-011: Oracle Trace Collection Security Vulnerability
M-012: Oracle File Overwrite Security Vulnerability
M-013: Mac OS X Downloading Applications Vulnerability
M-014: UNIX - Multiple Vulnerabilities In LPD
M-015: Microsoft Universal Plug and Play Request Vulnerability
M-016: Expose or Alter Cookie Data in IE and Zone Spoofing Vulnerabilities