Multiple Vendor SSH2 Implementation Buffer Overflow Vulnerabilities
Cray Inc. supports an OpenSSH implementation via the Cray Open Software (COS) package. COS 3.3 will reportedly address these issues and is expected to be released at the end of December 2002. Those affected by the issues may also contact Cray Inc. to obtain a fixed version of the OpenSSH implementation that will be made available in COS 3.3.
SSH Secure Shell products do not appear to be prone to any of the vulnerabilities that have been reported.
F-Secure SSH products are not vulnerable to arbitrary code execution or denial of service attacks via exploitation of these issues.
Some versions of Cisco IOS support SSH, though it is not enabled by default. Fixed versions have been made available. See the referenced advisory for more information.
Cisco has released an updated advisory. Cisco Aironet software rebuild version 12.01T1 is not vulnerable to this issue. This software will be made available in the near future for download from the Software Center.
Cisco has released Content Switching Software updates. WebNS 5.20.0.06s and 7.10.0.06s address the issues. These updates can be found at the following location:
Cisco has updated its advisory to list Cisco PIX Firewall as vulnerable. PIX Firewall has been fixed in software versions 6.0(4.101), 6.1(5), 6.2(3) and 6.3(1).
Cisco has released an updated advisory to outline vulnerable Cisco ONS products and fixes. Please see the referenced advisory for more information.
The following vendors have provided fixes:
Cisco IOS 12.2T
Cisco IOS 12.2S
Cisco IOS 12.0ST
Cisco IOS 12.2
Cisco IOS 12.1E
Cisco IOS 12.0S
Simon Tatham PuTTY 0.49
Simon Tatham PuTTY 0.53
Pragma Systems SecureShell 2.0
InterSoft SecureNetTerm 5.4.1