OpenSSH fails to properly handle multiple identical blocks in a SSH packet

Overview

OpenSSH fails to properly handle multiple identical blocks in a SSH packet. This vulnerability may cause a denial-of-service condition.

Description

OpenSSH is an open source client and server implementation of the Secure Shell (SSH) protocol. OpenSSH includes a cyclic redundancy check (CRC) compensation attack detection function that produces a checksum on a block of data in a SSH packet. This function was introduced to defend against exploitation of CRC weaknesses in version 1 of the SSH protocol (see VU#13877). Multiple identical blocks contained within a SSH packet may trigger a computationally expensive operation within the CRC attack detector that can lead to a denial of service. According to the OpenSSH 4.4 release notes:

[This vulnerability]…would cause sshd(8) to spin until the login grace time expired.
The OpenSSH sshd daemon is only vulnerable when SSH protocol version 1 is enabled.

---

Impact

A remote, unauthenticated attacker could cause a denial-of service condition by sending specially crafted packets to the OpenSSH server that would cause it to use excessive CPU time until a connection timeout occurs.

---

Solution

Upgrade
See the systems affected section of this document for information about specific vendors. Users who compile OpenSSH from source are encouraged to update to the most recent version.

---

Disable SSH version 1

SSH protocol version 1 should be disabled in order to prevent this vulnerability from occurring on affected systems.

---

Vendor Information

787448

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer, Inc. __ Affected

Updated: March 13, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://docs.info.apple.com/article.html?artnum=305214&gt; for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

Avaya, Inc. __ Affected

Updated: October 23, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Avaya Security Alert ASA-2006-216.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

Debian GNU/Linux __ Affected

Updated: October 06, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to <http://www.debian.org/security/2006/dsa-1189&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

FreeBSD, Inc. __ Affected

Updated: October 04, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to <http://security.FreeBSD.org/advisories/FreeBSD-SA-06:22.openssh.asc&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

Gentoo Linux __ Affected

Updated: October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to <http://www.gentoo.org/security/en/glsa/glsa-200609-17.xml&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

Hewlett-Packard Company __ Affected

Updated: January 19, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to HPSBUX02178 SSRT061267.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

Mandriva, Inc. __ Affected

Updated: October 06, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to <http://www.mandriva.com/security/advisories?name=MDKSA-2006:179&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

OpenBSD __ Affected

Updated: November 10, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to OpenBSD 4.0 release errata & patch list.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

OpenPKG __ Affected

Updated: October 04, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to <http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.022-openssh.html&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

OpenSSH __ Affected

Updated: October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to <http://www.openssh.com/txt/release-4.4&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

Red Hat, Inc. __ Affected

Updated: October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207955&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

SUSE Linux __ Affected

Updated: October 23, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to SUSE Security Annoucement SUSE-SA:2006:062.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

Slackware Linux Inc. __ Affected

Updated: October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

Trustix Secure Linux __ Affected

Updated: October 06, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to <http://www.trustix.org/errata/2006/0054/&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

Ubuntu __ Affected

Updated: October 04, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to <http://www.ubuntu.com/usn/usn-355-1&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

VMware __ Affected

Updated: January 19, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to document 9986131.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

rPath __ Affected

Updated: October 02, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to <https://issues.rpath.com/browse/RPL-661&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787448 Feedback>).

View all 17 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• [http://marc.theaimsgroup.com/?l=openssh-unix-dev&amp;m=115939141729160&amp;w=2 ](<http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=115939141729160&w=2 >)
• <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207955&gt;
• <http://secunia.com/advisories/22091&gt;
• <http://www.securityfocus.com/bid/20216&gt;
• <http://www.openssh.com/txt/release-4.4&gt;
• <https://issues.rpath.com/browse/RPL-661&gt;
• http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566
• <http://secunia.com/advisories/22208/&gt;
• <http://secunia.com/advisories/22236/&gt;
• <http://secunia.com/advisories/22183/&gt;
• <http://support.avaya.com/elmodocs2/security/ASA-2006-216.htm&gt;
• <http://secunia.com/advisories/22362/&gt;
• <http://secunia.com/advisories/22495/&gt;
• <http://secunia.com/advisories/23241/&gt;
• <http://docs.info.apple.com/article.html?artnum=305214&gt;

Acknowledgements

This issue was reported in the OpenSSH 4.4 release notes. OpenSSH credits Tavis Ormandy of the Google Security Team for reporting this issue.

This document was written by Chris Taschner.

Other Information

CVE IDs:	CVE-2006-4924
Severity Metric:	8.82 Date Public: