[AG-TECH] AG/OpenSSH vulnerability

Robert Olson olson at mcs.anl.gov
Mon Jan 7 20:03:57 CST 2002

Thanks -- I was hoping it was something like that, but better safe than sorry.


At 08:01 PM 1/7/2002 -0600, Stuart Levy wrote:
>It looks like the CIAC people are using some sort of
>blunt-instrument approach.  The ssh1 crc32 vulnerability
>is certainly serious, but there are implementations of ssh1 protocol
>which *do* fix it, including:
>     ssh-1.2.32
>     openssh after about 2.3, i.e. all current openssh's
>The openssh web site explicitly says that they've fixed the
>ssh1 crc32 problem (and others that aren't likely to affect AG users).
>So I don't think there's any essential reason to disable ssh1,
>*so long as* you've upgraded to one of the safe implementations,
>like Bob's openssh-3.0.2 bundle.
>     http://www.kb.cert.org/vuls/id/945216
>         (details of crc32-compensation-integer-overflow hole,
>         with pointers to vendor web pages)
>     http://www.cert.org/advisories/CA-2001-35.html
>         (summary of ssh vulnerabilities)
>     http://www.openssh.org/security.html
>         (review of openssh's status with respect to
>           assorted vulnerabilities)
>There is apparently a problem in the ssh1 protocol where,
>if a client doesn't know the server's host key (or can be
>tricked into believing that it's changed), that a session could
>be hijacked if someone can catch your traffic and process it before
>it goes to the designated server.  That could be serious, though
>it's not the kind of thing that lets random people break into your AG box
>from outside.
>     Stuart

More information about the ag-tech mailing list