SSH2/1 Multiple Implementation Vulnerabilities





General Info


TC: 12055
Description: Multiple flaws were disclosed in implementations of the secure shell (SSH) transport layer protocol (mostly in its Version 2). These vulnerabilities affect several vendors' products and are exploitable before user authentication is performed. They could allow a remote attacker to execute arbitrary code with the privileges of the SSH process or cause a denial of service. There are 4 identified vulnerabilities:
CAN-2002-1357 - incorrect field lengths
CAN-2002-1358 - lists with empty elements or multiple separators
CAN-2002-1359 - "classic" buffer overflows
CAN-2002-1360 - null characters in strings
TC Impact: Gather Info
Service: ssh



Specific Operations and Actions:


Vulnerability Publication: December 16, 2002
Advisory Copyright: Rapid7
Summary: A remote attacker can cause a denial of service or possibly execute arbitrary code via buffer overflow attacks.
Risk: High
CVSS 2.0 metrics: Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSS 2.0 Base Score: 10
Vulnerability Impact: Denial of Service
Attack
Host Impact: Denial of service caused by a buffer overflow, which may also allow an attacker to execute code.
Nature of Remediation: Update the software.
Step required to fix the reported vulnerability:

***** Solution type: Upgrade Software *****

You are strongly advised to upgrade or apply a patch as specified by your vendor. Until patches or upgrades are available, you should limit access to your vulnerable SSH platform by using the embedded features of your SSH product.
See references for more details.



Glossary and References:


References: www.sans.org/top20/
* VULNWATCH: 20021216 R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0110.html
* CERT: CA-2002-36
http://www.cert.org/advisories/CA-2002-36.html
* CERT-VN: VU#389665
http://www.kb.cert.org/vuls/id/389665
* BID: 6405
http://www.securityfocus.com/bid/6405
* SECTRACK: 1005812
http://securitytracker.com/id?1005812
* SECTRACK: 1005813
http://securitytracker.com/id?1005813
* XF: ssh-transport-length-bo(10868)
http://xforce.iss.net/xforce/xfdb/10868
* BID: 6407
http://www.securityfocus.com/bid/6407
* XF: ssh-transport-multiple-bo(10870)
http://xforce.iss.net/xforce/xfdb/10870
* MISC:
http://www.rapid7.com/advisories/R7-0009.txt
* MISC:
http://online.securityfocus.com/bid/6408
* MISC: IETF (Specs)
http://www.ietf.org/ids.by.wg/secsh.html
* MISC: Privilege Separated OpenSSH
http://www.citi.umich.edu/u/provos/ssh/privsep.html
* MISC: SANS Top 20 Secure Shell (SSH)
http://www.sans.org/top20/2003/#u8

CVE Link: CVE-2002-1357
CVE-2002-1358
CVE-2002-1359
CVE-2002-1360

Glossary: Arbitrary Command Execution
Buffer Overflow
Denial of Service
Privilege Escalation
SSH


© 2003-2010 NexantiS Corporation (www.securescout.com)
SecureScout is a trademark of NexantiS
All Rights Reserved
All product names referenced herein are trademarks of their respective companies

SecureScout products are certified:
CVE Compatible
SANS TOP 20 Compatible
CVSS Compatible (Common Vulnerability Scoring System)