[AG-TECH] AG/OpenSSH vulnerability
Robert Olson
olson at mcs.anl.gov
Mon Jan 7 20:03:57 CST 2002
Thanks -- I was hoping it was something like that, but better safe than sorry.
--bob
At 08:01 PM 1/7/2002 -0600, Stuart Levy wrote:
>It looks like the CIAC people are using some sort of
>blunt-instrument approach. The ssh1 crc32 vulnerability
>is certainly serious, but there are implementations of the ssh1 protocol
>which *do* fix it, including:
>
> ssh-1.2.32
> openssh after about 2.3, i.e. all current openssh's
>
>The openssh web site explicitly says that they've fixed the
>ssh1 crc32 problem (and others that aren't likely to affect AG users).
>
>So I don't think there's any essential reason to disable ssh1,
>*so long as* you've upgraded to one of the safe implementations,
>like Bob's openssh-3.0.2 bundle.
>
>References:
>
> http://www.kb.cert.org/vuls/id/945216
> (details of crc32-compensation-integer-overflow hole,
> with pointers to vendor web pages)
>
> http://www.cert.org/advisories/CA-2001-35.html
> (summary of ssh vulnerabilities)
>
> http://www.openssh.org/security.html
> (review of openssh's status with respect to
> assorted vulnerabilities)
>
>There is apparently a problem in the ssh1 protocol where,
>if a client doesn't know the server's host key (or can be
>tricked into believing that it's changed), a session could
>be hijacked if someone can catch your traffic and process it before
>it goes to the designated server. That could be serious, though
>it's not the kind of thing that lets random people break into your AG box
>from outside.
>
> Stuart
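
The version guidance in the quoted message, turned into a banner check as an added example (not part of the original thread): it classifies SSH identification strings by whether protocol 1 is offered and whether the announced software is at or past the releases named above. The cut-offs (reading "after about 2.3" as 2.3 or later), the result labels and the sample banners are assumptions of this example, and a banner does not reveal vendor-backported patches.

```python
import re

# Cut-offs from the message above; ">= 2.3" and ">= 1.2.32" are this
# example's reading of "after about 2.3" and "ssh-1.2.32" (assumptions).
OPENSSH_FIXED = (2, 3)
SSH1_FIXED = (1, 2, 32)

# Identification string: SSH-<protoversion>-<softwareversion>[ comments]
BANNER = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

def _nums(text):
    """Leading dotted integers of a version string: '3.0.2p1' -> (3, 0, 2)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def classify(banner):
    """Return 'no-ssh1', 'ssh1-fixed', 'ssh1-outdated' or 'unknown'."""
    m = BANNER.match(banner.strip())
    if not m:
        return "unknown"
    major, software = int(m.group(1)), m.group(3)
    if major >= 2:                  # SSH-2.0-*: protocol 1 is not offered
        return "no-ssh1"
    # SSH-1.5 is protocol 1 only; SSH-1.99 offers both protocol 1 and 2.
    if software.startswith("OpenSSH_"):
        ver, fixed = _nums(software[len("OpenSSH_"):]), OPENSSH_FIXED
    elif software[:1].isdigit():    # original ssh announces a bare version
        ver, fixed = _nums(software), SSH1_FIXED
    else:
        return "unknown"            # implementation the message does not cover
    if not ver:
        return "unknown"
    return "ssh1-fixed" if ver >= fixed else "ssh1-outdated"

# Constructed sample banners (not captured from real hosts).
SAMPLE = [
    "SSH-1.99-OpenSSH_3.0.2p1",
    "SSH-1.5-1.2.32",
    "SSH-1.5-1.2.27",
    "SSH-1.99-OpenSSH_2.2.0p1",
    "SSH-2.0-OpenSSH_3.0.2p1",
    "SSH-1.5-ExampleSSH_0.1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{line:30} {classify(line)}")
```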