SSH CRC-32 Compensation Attack Detector Vulnerability

Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory.

This would occur in situations where large SSH packets are recieved by either a client or server, and a 32 bit representation of the SSH packet length is assigned to a 16 bit integer. The difference in data representation in these situations will cause the 16 bit variable to be assigned to zero (or a really low value).

As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory.

This can lead to an attacker executing arbitrary code with the privileges of the SSH server (usually root) or the SSH client.

**UPDATE**:

There have been reports suggesting that exploitation of this vulnerability may be widespread.

Since early september, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used, however this record will be updated if and when it becomes available.

NOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable.

Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH.

** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default.


 

Privacy Statement
Copyright 2010, SecurityFocus