M-017: Multiple SSH Version 1 Vulnerabilities
INFORMATION BULLETIN
November 16, 2001 00:00 GMT
PROBLEM: Multiple vulnerabilities exist in SSH version 1, including a CRC32 compensation attack detector vulnerability (buffer overflow) and an unauthorized session key recovery problem.
PLATFORM: SSH protocol Version 1. This includes (but is not limited to):
    SSH Communications Security SSH 2.x and 3.x (if configured with version 1 Fallback enabled)
    SSH Communications Security SSH 1.2.23-1.2.31
    F-Secure SSH versions prior to 1.3.11-2
    OpenSSH versions prior to 2.3.0 (if configured with version 1 Fallback enabled)
    Cisco 11000 Content Service Switch Family
    Sun Solaris 2.5.1, 2.6, 7.0, 8.0
    RedHat Linux 6.2, 7.0
DAMAGE: Potential root compromise.
SOLUTION: Upgrade all SSH protocol version 1 servers to version 2. Do not enable Fallback to version 1 on the upgrades.
VULNERABILITY ASSESSMENT: The risk is HIGH. This is a remotely exploitable vulnerability, currently published on the Internet and can result in a root compromise.
[****** Start CIAC Bulletin ******]
ATTACK DESCRIPTION:
There is some confusion on the current vulnerabilities in SSH version 1 and its
many platforms. There are actually several vulnerabilities currently being
exploited, which are fixed by upgrading versions of SSH version 1 to versions
using the SSH 2 protocol. Further, new servers with upgraded versions can
still be vulnerable if configured with Fallback to version 1 enabled. This
bulletin actually covers 2 of the more serious SSH version 1 vulnerabilities.

Vulnerability 1: SSH CRC32 Compensation Attack Detector Vulnerability

The SSH CRC32 compensation attack detector exploit consists of a buffer
overflow vulnerability in the SSH daemon (sshd). This vulnerability was
discovered by Michal Zalewski of Bindview in February 2001. Exploiting this
vulnerability allows remote attackers to execute arbitrary code without a
legitimate account or privileges on a target host.
Essentially, attackers first remotely scan a network using tools such as rapid
SYN scans for a response from port 22. This information is then used to
determine IP addresses and SSH versions of potentially vulnerable hosts (i.e.,
whether the host is running version 1 of SSH). The attackers then have enough
information to exploit this vulnerability and can obtain up to root privileges
on a vulnerable system. This is done by leveraging processes running as UID 0 to
obtain root. They "patch" the sshd on the victim client with the attacker's
version of SSH, complete with backdoors including listening ports for shell
access. All compromised systems show altered /usr/sbin/sshd files. Some
successfully compromised hosts (but not all) have /usr/sbin/atd, a backdoor
listening on port 56275 for password protected shell access.
Further technical description of this vulnerability is available at the
following sites:
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=2347

Vulnerability 2: SSH Protocol 1.5 Unauthorized Session Key Recovery

A second vulnerability is the ability to break the transient SSH version 1
server key responsible for negotiation of session encryption parameters; this
was discovered by CORE SDI S.A. The remote attacker initiates large numbers of
SSH 1 protocol connections to the SSH server and also captures encrypted SSH
version 1 sessions on that server. The session key is recovered by accessing
the SSH server rapidly, and obtaining information using a ciphertext
attack on the RSA encryption algorithm implemented in SSH version 1. Once
captured, the sessions can then be decrypted using the recovered session key.
This is a complex attack. A more complete technical description of this
attack is available at the following site:
http://www.securityfocus.com/archive/1/161150

RECOMMENDATIONS:
CIAC recommends reviewing all SSH servers and patching vulnerable SSH version 1
systems; most of the vulnerabilities have to do with the SSH
version 1 protocol. Remove any old legacy sshd version 1 binaries (i.e., those
not currently used). Do not enable SSH version 1 Fallback on updated systems
if at all possible (i.e., if SSH version 1 is not used). Note: systems with
upgraded versions of SSH that have Fallback to version 1 enabled are still vulnerable!
Patches and Upgrades are available at:
SSH Communications Security: http://www.ssh.com
F-Secure: http://www.f-secure.com/
OpenSSH: http://www.openssh.com
Cisco: http://www.cisco.com/warp/public/732/index.shtml
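
An added example (not part of the CIAC bulletin) of the server review recommended above: it classifies SSH identification strings, where protocol version 1.99 marks a version 2 server that still accepts version 1, and checks an OpenSSH-style `Protocol` line. The host names, banners and configuration text are constructed samples, and the finding labels are hypothetical.

```python
import re

BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-")

def classify_banner(banner):
    """Map an identification string ("SSH-<protoversion>-<software>") to its v1 exposure."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return "v2-with-v1-fallback"  # 1.99: version 2 server that also accepts version 1
    if major == 1:
        return "v1-only"
    return "v2-only" if major == 2 else "unparsed"

def config_protocols(sshd_config_text):
    """Protocol set from the first OpenSSH-style 'Protocol' line, or None if absent."""
    for raw in sshd_config_text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "protocol":
            return {p.strip() for p in parts[1].split(",") if p.strip()}
    return None

def audit(inventory):
    """inventory: {host: (banner, config text or None)} -> {host: [findings]}"""
    report = {}
    for host, (banner, cfg) in inventory.items():
        findings = []
        state = classify_banner(banner)
        if state != "v2-only":
            findings.append(state)
        if cfg is not None:
            protos = config_protocols(cfg)
            if protos is None:
                findings.append("protocol-not-pinned")  # effective value is the build default
            elif "1" in protos:
                findings.append("config-enables-v1")
        if findings:
            report[host] = findings
    return report

# Constructed sample data (hypothetical hosts, banners and config text).
SAMPLE_INVENTORY = {
    "host-a": ("SSH-1.5-1.2.27\n", None),
    "host-b": ("SSH-1.99-OpenSSH_2.9p2\r\n", "Port 22\nProtocol 2,1\n"),
    "host-c": ("SSH-2.0-OpenSSH_3.0p1\r\n", "# hardened\nProtocol 2\n"),
    "host-d": ("SSH-2.0-OpenSSH_3.0p1\r\n", "Port 22\n"),
}
```

A `protocol-not-pinned` finding means the configuration has no `Protocol` line, so the effective setting is whatever that build defaults to and needs a manual check.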
[****** End CIAC Bulletin ******]
CIAC wishes to acknowledge the contributions of Bindview for the
information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
UCRL-MI-119788