VARIoT IoT vulnerabilities database

VAR-200212-0656 CVE-2002-1369 CUPS jobs.c buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
jobs.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly use the strncat function call when processing the options string, which allows remote attackers to execute arbitrary code via a buffer overflow attack.

------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time; the contents below cover more than the issue named in the title. ------------

The Common Unix Printing System (CUPS) is a printing system for UNIX and UNIX-like environments that supports Internet Printing Protocol version 1.1 (IPP/1.1). It is bundled with Red Hat Linux 7.3 and 8.0, although CUPS is disabled in a default Red Hat Linux installation. CUPS has the following security issues:

1. Integer overflows [CAN-2002-1383]. CUPS contains several integer overflows. For example, by exploiting one of them through the HTTP interface, a remote attacker can execute arbitrary code with the privileges of cupsd (the user lp).

2. Race condition in temporary file creation [CAN-2002-1366]. CUPS creates temporary files under /etc/cups/certs/ whose names are derived from the process ID of the CUPS process at creation time, so a local attacker can predict the file name. By placing a file (for example a symbolic link) with that name, pointing at a chosen target, before CUPS creates it, the attacker can create or overwrite arbitrary files with root privileges. This attack requires lp user privileges, which can be obtained through issue 1.

3. Printer addition mechanism and its access control [CAN-2002-1367]. By sending a specially crafted UDP packet to CUPS, a remote attacker can bypass authentication and add a printer. In addition, the access control applied to printer addition does not perform adequate validity checks. Because the added printer definition is interpreted with root privileges, combining these issues lets a local attacker escalate to root.

4. cupsd crash via crafted HTTP traffic [CAN-2002-1368]. CUPS includes an HTTP server (cupsd) that accepts IPP connections. This server does not validate the range of values it receives: a remote attacker who sets the Content-Length: field to a negative value, or who sends deliberately malformed chunked transfer encoding, can put CUPS into a denial-of-service state. cupsd must be restarted to restore normal operation.

5. Buffer overflow caused by misuse of strncat [CAN-2002-1369]. CUPS has a buffer overflow when it receives a print job with specific attribute values. A remote attacker can use it to execute arbitrary code with root privileges. Exploiting this issue requires first exploiting issue 3.

6. GIF file handling [CAN-2002-1371]. The code that handles GIF images does not properly validate the image width. A remote attacker can supply a GIF whose width is 0; interpreting it overwrites allocated memory and may allow arbitrary code execution with the privileges of CUPS.

7. File descriptor leaks for sockets and files [CAN-2002-1372]. CUPS does not properly close file descriptors for sockets and files. A local attacker can use this to exhaust file descriptors and memory and put the whole system running the CUPS service out of service.

Reportedly, some functions in the CUPS daemon use the strncat() function call improperly. CUPS is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services.
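The strncat misuse behind CAN-2002-1369 is the classic "bound equals the destination size" mistake. The following is an added example, not CUPS code: it appends two constructed attribute values to a fixed options buffer (hypothetical size OPTS_SIZE) with the wrong bound and with the correct one, and reports whether bytes beyond the buffer were overwritten.

```c
/* Added example, not CUPS code: why strncat(dst, src, sizeof dst) is the
 * wrong bound. The "options" buffer (hypothetical size OPTS_SIZE) sits at
 * the start of a larger backing array filled with a canary byte, so the
 * overflow is observable without undefined behaviour. */
#include <stdio.h>
#include <string.h>

#define OPTS_SIZE    16                    /* hypothetical fixed options buffer */
#define BACKING_SIZE (OPTS_SIZE + 32)      /* spare bytes after it act as a canary */
#define CANARY       0xAA

typedef int (*appender_fn)(char *opts, const char *src);

/* Misuse: strncat's third argument limits bytes copied from src, not the
 * total size of dst, so every call may append up to OPTS_SIZE bytes no
 * matter how full dst already is. */
static int append_wrong(char *opts, const char *src)
{
    strncat(opts, src, OPTS_SIZE);
    return 0;
}

/* Correct bound: the space actually left in dst minus one byte for the
 * terminating NUL. Returns -1 when src did not fit, so the caller can
 * reject the job rather than ship a silently truncated option string. */
static int append_right(char *opts, const char *src)
{
    const char *nul = memchr(opts, '\0', OPTS_SIZE);
    if (nul == NULL)                       /* dst is not even terminated: refuse */
        return -1;
    size_t used = (size_t)(nul - opts);
    size_t room = OPTS_SIZE - used - 1;
    strncat(opts, src, room);
    return strlen(src) <= room ? 0 : -1;
}

/* Builds an options string from two constructed attribute values that
 * together exceed OPTS_SIZE, then reports whether any canary byte past
 * the buffer was overwritten (1) or not (0). */
static int run_with(appender_fn append)
{
    unsigned char backing[BACKING_SIZE];
    memset(backing, CANARY, sizeof backing);
    char *opts = (char *)backing;
    opts[0] = '\0';

    append(opts, "media=a4,");             /* 9 bytes, fits */
    append(opts, "sides=two-sided");       /* 15 more bytes, does not fit in 16 */

    for (size_t i = OPTS_SIZE; i < BACKING_SIZE; i++)
        if (backing[i] != CANARY)
            return 1;
    return 0;
}

int overflow_with_wrong_bound(void) { return run_with(append_wrong); }
int overflow_with_right_bound(void) { return run_with(append_right); }

int main(void)
{
    printf("strncat(dst, src, sizeof dst):            overflowed = %d\n",
           overflow_with_wrong_bound());
    printf("strncat(dst, src, sizeof dst - used - 1): overflowed = %d\n",
           overflow_with_right_bound());
    return 0;
}
```

The wrong form writes nine bytes past the end of the sixteen-byte buffer on the second call; the right form truncates and returns -1 so the job can be refused instead of processed with a mangled option string.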
VAR-200212-0654 CVE-2002-1367 CUPS Vulnerabilities that allow adding printers without authentication CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote attackers to add printers without authentication via a certain UDP packet, which can then be used to perform unauthorized activities such as stealing the local root certificate for the administration server via a "need authorization" page, as demonstrated by new-coke.

------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. See VAR-200212-0656 (CVE-2002-1369) above for the shared description of all seven CUPS issues reported together (CAN-2002-1366, CAN-2002-1367, CAN-2002-1368, CAN-2002-1369, CAN-2002-1371, CAN-2002-1372 and CAN-2002-1383). ------------

CUPS is prone to a vulnerability which may allow attackers to add printers. It has been reported that an attacker may send a specially crafted UDP packet to the CUPS server which will cause a printer to be temporarily added and configured to listen on a high port. The added printer can be used to obtain the local root certificate of the administration server through the "need authorization" page. This certificate may be used to authenticate to the web administrative interface, where it is possible to create a printer with root privileges. Successful exploitation may provide an attacker with means to exploit other known issues in CUPS. CUPS is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services. The underlying problem is a design flaw in CUPS: the server answers the unauthenticated request with the "need authorization" page, and once the client has obtained the certificate it can add a printer and, combined with other CUPS vulnerabilities, execute arbitrary commands with root privileges.
VAR-200212-0653 CVE-2002-1366 CUPS Vulnerability that allows creation and overwriting of arbitrary files due to race conditions CVSS V2: 6.2
CVSS V3: -
Severity: MEDIUM
Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows local users with lp privileges to create or overwrite arbitrary files via file race conditions, as demonstrated by ice-cream.

------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. See VAR-200212-0656 (CVE-2002-1369) above for the shared description of all seven CUPS issues reported together (CAN-2002-1366, CAN-2002-1367, CAN-2002-1368, CAN-2002-1369, CAN-2002-1371, CAN-2002-1372 and CAN-2002-1383). ------------

It has been reported that some versions of CUPS may create temporary files in an insecure manner: the files are created under /etc/cups/certs/ with a name derived from the CUPS process ID, which a local user can predict. An attacker can exploit this vulnerability to create or overwrite any file with elevated privileges. Successful exploitation is time dependent and requires the attacker to obtain 'lp' user privileges. CUPS is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services. Exploitation can cause a system denial of service or yield root user privileges.
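The race described above comes down to how the certificate file is created. The following is an added example, not CUPS code: it stages the attack in a scratch directory under /tmp (a stand-in for /etc/cups/certs/, named by PID, with a constructed victim file), plants a symbolic link at the predictable name, and then creates the "certificate" first with the naive fopen("w") pattern and then with O_CREAT|O_EXCL|O_NOFOLLOW, reporting whether the victim file was written through the link.

```c
/* Added example, not CUPS code: a temporary file whose name is derived from
 * the PID versus a creation call that cannot be redirected by a planted
 * symlink. Everything happens in a scratch directory under /tmp that stands
 * in for /etc/cups/certs; the victim file and its name are constructed. */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static const char CERT_DATA[] = "secret-cert\n";

/* Vulnerable pattern: fopen(path, "w") truncates and writes whatever the
 * path resolves to, following a symlink the attacker planted in advance. */
static int create_cert_naive(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(CERT_DATA, f);
    fclose(f);
    return 0;
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything, including
 * a symlink, already exists at the name; O_NOFOLLOW refuses a symlink at the
 * last component; mode 0600 keeps the file private from the moment it exists. */
static int create_cert_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                 /* something was already there: abort */
    ssize_t n = write(fd, CERT_DATA, sizeof CERT_DATA - 1);
    close(fd);
    return n == (ssize_t)(sizeof CERT_DATA - 1) ? 0 : -1;
}

/* Stages the race: the attacker plants <dir>/<pid> as a symlink to the
 * victim before the daemon creates its file. Returns 1 if the victim was
 * written through the link, 0 if not, -1 on setup failure. */
static int simulate_race(int (*create)(const char *))
{
    char dir[64], victim[128], cert[128];
    long pid = (long)getpid();
    snprintf(dir, sizeof dir, "/tmp/certs-race-%ld", pid);
    if (mkdir(dir, 0700) != 0) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(cert, sizeof cert, "%s/%ld", dir, pid);  /* the predictable name */

    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);                                         /* victim starts empty */

    if (symlink(victim, cert) != 0) return -1;         /* attacker wins the race */
    (void)create(cert);                                /* daemon "creates" its cert */

    struct stat st;
    int clobbered = (stat(victim, &st) == 0 && st.st_size > 0);

    unlink(cert);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int naive_writes_through_symlink(void) { return simulate_race(create_cert_naive); }
int safe_refuses_symlink(void)         { return simulate_race(create_cert_safe); }

int main(void)
{
    printf("fopen(path, \"w\"):               victim clobbered = %d\n",
           naive_writes_through_symlink());
    printf("O_CREAT|O_EXCL|O_NOFOLLOW, 0600: victim clobbered = %d\n",
           safe_refuses_symlink());
    return 0;
}
```

The hardened open fails rather than writing, which is the correct outcome: a daemon that finds its private file name already taken should log and abort, not follow whatever is there. Unpredictable names (mkstemp) reduce the attacker's chances further, but O_EXCL plus O_NOFOLLOW is what makes the win condition impossible even when the name is guessed.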
VAR-200212-0649 CVE-2002-1383 CUPS Multiple integer overflow vulnerabilities CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple integer overflows in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allow remote attackers to execute arbitrary code via (1) the CUPSd HTTP interface, as demonstrated by vanilla-coke, and (2) the image handling code in CUPS filters, as demonstrated by mksun.

------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. See VAR-200212-0656 (CVE-2002-1369) above for the shared description of all seven CUPS issues reported together (CAN-2002-1366, CAN-2002-1367, CAN-2002-1368, CAN-2002-1369, CAN-2002-1371, CAN-2002-1372 and CAN-2002-1383). ------------

Successful attacks may grant local access to adversaries with user 'lp' and group 'sys' privileges. It is significantly easier for attackers to obtain superuser privileges once local access has been obtained. Depending on system configuration, other privileges may be gained. CUPS is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services. The HTTP component's cgi-bin/var.c contains the following code:

    var = form_vars + form_count;
    var->name = strdup(name);
    var->nvalues = element + 1;
    var->avalues = element + 1;
    var->values = calloc(element + 1, sizeof(char *));
    var->values[element] = strdup(value);

Because the attacker controls both element and value, the write to var->values[element] can land outside the allocated array (the original report describes overwriting the calling function's stack address), which can be turned into execution of arbitrary commands.
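The var.c fragment trusts element twice: a negative value indexes before the calloc'd block, and a large value makes element + 1 wrap or allocate an enormous array. The following is an added example, not CUPS code, showing the shape of a hardened replacement; the structure, the MAX_ELEMENTS cap and the form values are assumptions.

```c
/* Added example, not CUPS code: a hardened form of the cgi-bin/var.c
 * pattern quoted above. The attacker-controlled element index is validated
 * for sign and magnitude, the array is grown rather than replaced with a
 * fresh calloc of attacker-chosen size, and nothing is written until every
 * check has passed. MAX_ELEMENTS and the field layout are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMENTS 1024       /* hypothetical cap on entries in one form array */

typedef struct {
    const char *name;           /* owned by the caller in this example */
    int    nvalues;             /* values present */
    int    avalues;             /* slots allocated */
    char **values;
} form_var_t;

/* Stores a copy of value at values[element]. Returns 0 on success, -1 if
 * element is negative, too large, or memory cannot be allocated. */
int var_set_element(form_var_t *var, int element, const char *value)
{
    if (element < 0 || element >= MAX_ELEMENTS)
        return -1;                                   /* would index before or far past the array */
    if (element >= var->avalues) {
        int want = element + 1;                      /* cannot wrap: element < MAX_ELEMENTS */
        char **grown = realloc(var->values, (size_t)want * sizeof *grown);
        if (grown == NULL)
            return -1;
        memset(grown + var->avalues, 0, (size_t)(want - var->avalues) * sizeof *grown);
        var->values  = grown;
        var->avalues = want;
    }
    char *copy = strdup(value);
    if (copy == NULL)
        return -1;
    free(var->values[element]);                      /* NULL-safe: fresh slots were zeroed */
    var->values[element] = copy;
    if (element + 1 > var->nvalues)
        var->nvalues = element + 1;
    return 0;
}

/* Returns the stored value or NULL for an out-of-range or unset slot. */
const char *var_get_element(const form_var_t *var, int element)
{
    if (element < 0 || element >= var->nvalues)
        return NULL;
    return var->values[element];
}

void var_free(form_var_t *var)
{
    for (int i = 0; i < var->avalues; i++)
        free(var->values[i]);
    free(var->values);
    var->values = NULL;
    var->nvalues = var->avalues = 0;
}

/* Drives the checks with constructed input: an ordinary index, a sparse
 * index, and the two kinds of index an attacker would send. Returns 1 if
 * every check behaved as intended. */
int demo_checks(void)
{
    form_var_t v = { "copies", 0, 0, NULL };
    int ok = 1;
    ok &= var_set_element(&v, 0, "1") == 0;
    ok &= var_set_element(&v, 3, "4") == 0;          /* grows to 4 slots, 1 and 2 stay NULL */
    ok &= var_get_element(&v, 1) == NULL;
    const char *s = var_get_element(&v, 3);
    ok &= s != NULL && strcmp(s, "4") == 0;
    ok &= var_set_element(&v, -1, "x") == -1;        /* values[-1] in the original code */
    ok &= var_set_element(&v, INT_MAX, "x") == -1;   /* element + 1 would wrap to INT_MIN */
    ok &= v.nvalues == 4 && v.avalues == 4;
    var_free(&v);
    return ok;
}

int main(void)
{
    printf("all checks behaved as intended: %d\n", demo_checks());
    return 0;
}
```

The two rejected inputs are exactly the cases the quoted code mishandles: element = -1 makes calloc(0, ...) succeed and then writes one pointer before the block, and element near INT_MAX makes element + 1 negative before it is converted to a size for calloc.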
VAR-200902-0038 CVE-2009-0474 Rockwell Automation GoAhead Webserver ASP Script File Source Code Leak Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The web interface in the Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module allows remote attackers to obtain "internal web page information" and "internal information about the module" via unspecified vectors. NOTE: this may overlap CVE-2002-1603. This issue is also referenced in VU#124059. GoAhead WebServer contains vulnerabilities that may allow an attacker to view source files containing sensitive information or bypass authentication. The information disclosure vulnerability was previously published as VU#975041. The module's web interface is also prone to cross-site scripting: an attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which may help the attacker steal cookie-based authentication credentials and launch other attacks. A vulnerability in GoAhead WebServer may result in the disclosure of the source code of ASP script files. The vulnerability occurs because the application fails to sanitize HTTP requests: an attacker can append certain characters to the end of an HTTP request for a specific ASP file, and GoAhead WebServer will then return the contents of the requested ASP script file instead of executing it. GoAhead WebServer (Embedthis) is a small embedded web server designed to be embedded in a wide range of devices and applications. Appending certain URL-encoded characters after the ASP file name, such as %00, %2f, %5c or /, causes the server to return a response containing the script's source code. Attackers can use this information to further attack the system.

TITLE: ControlLogix 1756-ENTB/A Ethernet/IP Bridge Vulnerabilities
SECUNIA ADVISORY ID: SA33783
VERIFY ADVISORY: http://secunia.com/advisories/33783/
CRITICAL: Less critical
IMPACT: Cross Site Scripting, Exposure of sensitive information
WHERE: From remote
OPERATING SYSTEM: ControlLogix 1756-ENTB/A Ethernet/IP Bridge, http://secunia.com/advisories/product/21337/
DESCRIPTION: Some vulnerabilities and a weakness have been reported in ControlLogix 1756-ENTB/A Ethernet/IP Bridge, which can be exploited by malicious people to conduct cross-site scripting attacks or to disclose potentially sensitive information. 1) Certain unspecified input passed to the web interface is not properly sanitised before being returned to the user.
SOLUTION: A fixed firmware version is scheduled for release July, 2009. Filter malicious characters and character sequences in a proxy.
PROVIDED AND/OR DISCOVERED BY: 1) US-CERT credits Daniel Peck of Digital Bond, Inc. 2) Reported by the vendor.
ORIGINAL ADVISORY: US-CERT VU#882619: http://www.kb.cert.org/vuls/id/882619 ; Rockwell Automation: http://rockwellautomation.custhelp.com/cgi-bin/rockwellautomation.cfg/php/enduser/std_adp.php?p_faqid=57729
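The ASP source disclosure above is a handler-mapping bypass: the server picks the handler from the raw request path, while the file system opens a path that differs once %00 truncates it or a trailing / or \ is ignored. The following is an added example, not GoAhead code, showing the ordering that closes the class: decode, canonicalise, then decide the handler from the real final extension. The handler set, the file names and the traversal check are assumptions.

```c
/* Added example, not GoAhead code: decode and canonicalise a request path
 * before choosing a handler, so that a suffix such as %00, %2f, %5c or a
 * trailing "/" cannot make "login.asp" miss the ASP handler and be served
 * as a plain file. The handler set and the probes are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { H_REJECT = -1, H_STATIC = 0, H_ASP = 1 } handler_t;

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decodes src into dst (capacity n). Malformed escapes, an embedded
 * NUL (which would truncate the path handed to the OS) and overlong input
 * are rejected outright instead of being passed to the file system. */
static int url_decode(const char *src, char *dst, size_t n)
{
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == 0) return -1;
        if (j + 1 >= n) return -1;
        dst[j++] = (char)c;
    }
    dst[j] = '\0';
    return 0;
}

static int ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls) return 0;
    for (size_t i = 0; i < lx; i++)
        if (tolower((unsigned char)s[ls - lx + i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Decodes raw into out, folds "\" into "/", strips trailing separators,
 * refuses traversal, and only then picks the handler from the real final
 * extension. The canonical path left in out is what the server should open. */
handler_t choose_handler(const char *raw, char *out, size_t n)
{
    if (url_decode(raw, out, n) != 0) return H_REJECT;
    for (char *p = out; *p; p++)
        if (*p == '\\') *p = '/';
    size_t len = strlen(out);
    while (len > 1 && out[len - 1] == '/')            /* "/login.asp/" -> "/login.asp" */
        out[--len] = '\0';
    if (strstr(out, "/../") != NULL || ends_with_ci(out, "/.."))
        return H_REJECT;
    const char *slash = strrchr(out, '/');
    const char *base = slash ? slash + 1 : out;
    return ends_with_ci(base, ".asp") ? H_ASP : H_STATIC;
}

int main(void)
{
    /* constructed probes covering the suffixes named in the advisory */
    const char *probes[] = { "/login.asp", "/login.asp/", "/login.asp%2f",
                             "/login.asp%5c", "/login.asp%00", "/logo.gif" };
    char canon[256];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        handler_t h = choose_handler(probes[i], canon, sizeof canon);
        printf("%-16s -> %2d  %s\n", probes[i], (int)h, h == H_REJECT ? "(rejected)" : canon);
    }
    return 0;
}
```

Every probe that the vulnerable server would have served as a static file now either lands on the ASP handler with the same canonical path as the plain request, or is rejected before any file is opened.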
VAR-200212-0625 CVE-2002-1358 Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple SSH2 servers and clients do not properly handle lists with empty elements or strings, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite. Secure shell (SSH) transport layer protocol implementations from different vendors contain multiple vulnerabilities in code that handles key exchange and initialization. Both SSH servers and clients are affected.

------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time; the contents below cover more than the issue named in the title. ------------

The SSH transport layer protocol, which runs over TCP/IP and is used by the higher SSH layers, is the protocol that forms the basis of the whole SSH protocol suite. It negotiates the key exchange, the encryption algorithms and the message authentication algorithms to be used, and provides encrypted data transfer and server authentication. SSH products from many vendors contain implementation flaws in this protocol. By sending various malformed packets that are processed during the initial setup, key exchange and connection phases (packets with unusual packet-length or padding values, packets containing malformed strings or values, packets in which an algorithm is not properly specified, and so on), a remote attacker can take an SSH server or client out of service and may be able to execute arbitrary code with the privileges of the server or client. The impact depends on the vendor's SSH product. Details are currently unknown; in the case of SSH Secure Shell from SSH Communications Security, the issue can crash a server child process or the client. In the case of F-Secure SSH from F-Secure, it can crash a server child process, and when both products are used together the connection between server and client may be lost, although the client can reconnect by trying again. At this time the effect on the Windows editions of SSH Secure Shell and F-Secure SSH is unknown. OpenSSH is not affected by this issue. Cisco IOS is not affected in its default configuration because the SSH server is disabled.

A vulnerability has been reported for multiple SSH2 vendors. The vulnerability is a result of SSH2 packets containing empty elements or multiple separators, and has been reported to affect the initialization, key exchange, and negotiation phases of SSH communications. Further details about this vulnerability are currently unknown. This BID will be updated as more information becomes available. This vulnerability was originally described in BugTraq ID 6397.

CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations
Original issue date: December 16, 2002
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.

I. Description
It provides strong encryption, cryptographic host authentication, and integrity protection.... These vulnerabilities include buffer overflows, and they occur before any user authentication takes place. SSHredder was primarily designed to test key exchange and other processes that are specific to version 2 of the SSH protocol; however, certain classes of tests are also applicable to version 1. Rapid7 has published a detailed advisory (R7-0009) and the SSHredder test suite. Common Vulnerabilities and Exposures (CVE) has assigned the following candidate numbers for several classes of tests performed by SSHredder:
* CAN-2002-1357 - incorrect field lengths
* CAN-2002-1358 - lists with empty elements or multiple separators
* CAN-2002-1359 - "classic" buffer overflows
* CAN-2002-1360 - null characters in strings

II. Impact
On Microsoft Windows systems, SSH servers commonly run with SYSTEM privileges, and on UNIX systems, SSH daemons typically run with root privileges.

III. Solution
Apply a patch or upgrade. Apply the appropriate patch or upgrade as specified by your vendor. See Appendix A below and the Systems Affected section of VU#389665 for specific information.
Restrict access. Limit access to SSH servers to trusted hosts and networks using firewalls or other packet-filtering systems. Some SSH servers may have the ability to restrict access based on IP addresses, or similar effects may be achieved by using TCP wrappers or other related technology. SSH clients can reduce the risk of attacks by only connecting to trusted servers by IP address. While these workarounds will not prevent exploitation of these vulnerabilities, they will make attacks somewhat more difficult, in part by limiting the number of potential sources of attacks.

Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments. The Systems Affected section of VU#389665 contains additional vendor status information.
Cisco Systems, Inc.: The official statement regarding this is that we are not vulnerable.
Cray Inc.: Cray Inc. supports the OpenSSH product through their Cray Open Software (COS) package. COS 3.3, available the end of December 2002, is not vulnerable. If a site is concerned, they can contact their local Cray representative to obtain an early copy of the OpenSSH contained in COS 3.3.
F-Secure: F-Secure SSH products are not exploitable via these attacks. While F-Secure SSH versions 3.1.0 build 11 and earlier crash on these malicious packets, we did not find ways to exploit this to gain unauthorized access or to run arbitrary code. Furthermore, the crash occurs in a forked process so the denial of service attacks are not possible.
Fujitsu: Fujitsu's UXP/V OS is not vulnerable because it does not support SSH.
IBM: IBM's AIX is not vulnerable to the issues discussed in CERT Vulnerability Note VU#389665.
lsh: I've now tried the testsuite with the latest stable release of lsh, lsh-1.4.2. Both the client and the server seem NOT VULNERABLE.
NetScreen Technologies Inc.: Tested latest versions. Not Vulnerable.
OpenSSH: From my testing it seems that the current version of OpenSSH (3.5) is not vulnerable to these problems, and some limited testing shows that no version of OpenSSH is vulnerable.
Pragma Systems, Inc.: December 16, 2002. Rapid 7 and CERT Coordination Center Vulnerability report VU#389665. Pragma Systems Inc. of Austin, Texas, USA, was notified regarding a possible vulnerability with Version 2.0 of Pragma SecureShell. Pragma Systems tested Pragma SecureShell 2.0 and the upcoming new Version 3.0, and found that the attacks did cause a memory access protection fault on Microsoft platforms. After research, Pragma Systems corrected the problem. The problem is corrected in Pragma SecureShell Version 3.0. Any customers with concerns regarding this vulnerability report should contact Pragma Systems, Inc at support@pragmasys.com for information on obtaining an upgrade free of charge. Pragma's web site is located at www.pragmasys.com and the company can be reached at 1-512-219-7270.
PuTTY: PuTTY 0.53b addresses vulnerabilities discovered by SSHredder.

Appendix B. References
* CERT/CC Vulnerability Note: VU#389665 - http://www.kb.cert.org/vuls/id/389665
* Rapid 7 Advisory: R7-0009 - http://www.rapid7.com/advisories/R7-0009.txt
* Rapid 7 SSHredder test suite - http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666
* IETF Draft: SSH Transport Layer Protocol - http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-15.txt
* IETF Draft: SSH Protocol Architecture - http://www.ietf.org/internet-drafts/draft-ietf-secsh-architecture-13.txt
* Privilege Separated OpenSSH - http://www.citi.umich.edu/u/provos/ssh/privsep.html

The CERT Coordination Center thanks Rapid7 for researching and reporting these vulnerabilities.
Author: Art Manion.
This document is available from: http://www.cert.org/advisories/CA-2002-36.html
Copyright 2002 Carnegie Mellon University.
Revision History: December 16, 2002: Initial release
VAR-200212-0624 CVE-2002-1357 Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite. Secure shell (SSH) transport layer protocol implementations from different vendors contain multiple vulnerabilities in code that handles key exchange and initialization. Both SSH servers and clients are affected.
------------ This entry is a summary of multiple vulnerabilities released at the same time. Please note that it also contains information on vulnerabilities other than the one named in the title. ------------
The SSH transport layer protocol, which runs over TCP/IP and is used by the higher SSH layers, is the foundation of the whole SSH protocol: it negotiates the key exchange method and the encryption and message authentication algorithms to be used, and then provides encrypted data transfer and server authentication. SSH products from many vendors contain flaws in the way they implement this protocol. A remote attacker can send malformed packets that are processed during the initial setup, key exchange and connection phases (packets with unusual packet-length or padding-length values, packets containing malformed strings or values, packets whose algorithm name-lists are not properly defined, and so on) to make an SSH server or client stop working, and may be able to execute arbitrary code with the privileges of the server or client. The impact depends on the vendor's SSH product. Details are currently unknown; in the case of SSH Secure Shell from SSH Communications Security, the issue can crash a server child process or the client. In the case of F-Secure SSH from F-Secure, a server child process may crash and the connection between the server and client may be lost, but the client can reconnect. The effect on the Windows editions of SSH Secure Shell and F-Secure SSH is unknown. OpenSSH is not affected by this issue. Cisco IOS is not affected in its default configuration, because the SSH server is disabled by default. Please refer to the "Overview" for the impact of this vulnerability.
A vulnerability involving incorrect lengths of fields in SSH packets has been reported for multiple products that use SSH2 for secure communications. The vulnerability has been reported to affect the initialization, key exchange, and negotiation phases of SSH communications. An attacker may exploit the vulnerability to perform denial-of-service attacks against vulnerable systems and possibly to execute malicious, attacker-supplied code. Further details about the vulnerability are currently unknown. This BID will be updated as more information becomes available. This vulnerability was originally described in Bugtraq ID 6397.
-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations
Original issue date: December 16, 2002
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.

I. Description
It provides strong encryption, cryptographic host authentication, and integrity protection....
These vulnerabilities include buffer overflows, and they occur before any user authentication takes place. SSHredder was primarily designed to test key exchange and other processes that are specific to version 2 of the SSH protocol; however, certain classes of tests are also applicable to version 1. Rapid7 has published a detailed advisory (R7-0009) and the SSHredder test suite.
Common Vulnerabilities and Exposures (CVE) has assigned the following candidate numbers for several classes of tests performed by SSHredder:
* CAN-2002-1357 - incorrect field lengths
* CAN-2002-1358 - lists with empty elements or multiple separators
* CAN-2002-1359 - "classic" buffer overflows
* CAN-2002-1360 - null characters in strings

II. Impact
On Microsoft Windows systems, SSH servers commonly run with SYSTEM privileges, and on UNIX systems, SSH daemons typically run with root privileges.

III. Solution
Apply a patch or upgrade
Apply the appropriate patch or upgrade as specified by your vendor. See Appendix A below and the Systems Affected section of VU#389665 for specific information.
Restrict access
Limit access to SSH servers to trusted hosts and networks using firewalls or other packet-filtering systems. Some SSH servers may have the ability to restrict access based on IP addresses, or similar effects may be achieved by using TCP wrappers or other related technology. SSH clients can reduce the risk of attacks by only connecting to trusted servers by IP address. While these workarounds will not prevent exploitation of these vulnerabilities, they will make attacks somewhat more difficult, in part by limiting the number of potential sources of attacks.

Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments. The Systems Affected section of VU#389665 contains additional vendor status information.
Cisco Systems, Inc.
The official statement regarding this is that we are not vulnerable.
Cray Inc.
Cray Inc. supports the OpenSSH product through their Cray Open Software (COS) package. COS 3.3, available the end of December 2002, is not vulnerable. If a site is concerned, they can contact their local Cray representative to obtain an early copy of the OpenSSH contained in COS 3.3.
F-Secure
F-Secure SSH products are not exploitable via these attacks. While F-Secure SSH versions 3.1.0 build 11 and earlier crash on these malicious packets, we did not find ways to exploit this to gain unauthorized access or to run arbitrary code. Furthermore, the crash occurs in a forked process so the denial of service attacks are not possible.
Fujitsu
Fujitsu's UXP/V OS is not vulnerable because it does not support SSH.
IBM
IBM's AIX is not vulnerable to the issues discussed in CERT Vulnerability Note VU#389665.
lsh
I've now tried the testsuite with the latest stable release of lsh, lsh-1.4.2. Both the client and the server seem NOT VULNERABLE.
NetScreen Technologies Inc.
Tested latest versions. Not Vulnerable.
OpenSSH
From my testing it seems that the current version of OpenSSH (3.5) is not vulnerable to these problems, and some limited testing shows that no version of OpenSSH is vulnerable.
Pragma Systems, Inc.
December 16, 2002
Rapid 7 and CERT Coordination Center Vulnerability report VU#389665
Pragma Systems Inc. of Austin, Texas, USA, was notified regarding a possible vulnerability with Version 2.0 of Pragma SecureShell. Pragma Systems tested Pragma SecureShell 2.0 and the upcoming new Version 3.0, and found that the attacks did cause a memory access protection fault on Microsoft platforms. After research, Pragma Systems corrected the problem. The problem is corrected in Pragma SecureShell Version 3.0. Any customers with concerns regarding this vulnerability report should contact Pragma Systems, Inc at support@pragmasys.com for information on obtaining an upgrade free of charge. Pragma's web site is located at www.pragmasys.com and the company can be reached at 1-512-219-7270.
PuTTY
PuTTY 0.53b addresses vulnerabilities discovered by SSHredder.

Appendix B. References
* CERT/CC Vulnerability Note: VU#389665 - http://www.kb.cert.org/vuls/id/389665
* Rapid 7 Advisory: R7-0009 - http://www.rapid7.com/advisories/R7-0009.txt
* Rapid 7 SSHredder test suite - http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666
* IETF Draft: SSH Transport Layer Protocol - http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-15.txt
* IETF Draft: SSH Protocol Architecture - http://www.ietf.org/internet-drafts/draft-ietf-secsh-architecture-13.txt
* Privilege Separated OpenSSH - http://www.citi.umich.edu/u/provos/ssh/privsep.html
_________________________________________________________________
The CERT Coordination Center thanks Rapid7 for researching and reporting these vulnerabilities.
_________________________________________________________________
Author: Art Manion.
______________________________________________________________________
This document is available from: http://www.cert.org/advisories/CA-2002-36.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address: CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh PA 15213-3890, U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message: subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
December 16, 2002: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPf4qimjtSoHZUTs5AQEGbAQAiJcA+QFf2mOElaPIFwEmSRC83xlKifq/
PlmaGbUx2UnwTIi8s2ETF8KjlfQjjgO20B4ms1MMaJ/heyxklOgpeBOQ2mpa2Tnd
yIY7sxpBuRjF1qS6yQ8/OrcsSqVxdxZWkPLAypV11WcJlMmSxxLdKi5t86EsWic3
xazIo8XEipc=
=Nj+0
-----END PGP SIGNATURE-----
VAR-200212-0626 CVE-2002-1359 Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite. Secure shell (SSH) transport layer protocol implementations from different vendors contain multiple vulnerabilities in code that handles key exchange and initialization. Both SSH servers and clients are affected.
------------ This entry is a summary of multiple vulnerabilities released at the same time. Please note that it also contains information on vulnerabilities other than the one named in the title. ------------
The SSH transport layer protocol, which runs over TCP/IP and is used by the higher SSH layers, is the foundation of the whole SSH protocol: it negotiates the key exchange method and the encryption and message authentication algorithms to be used, and then provides encrypted data transfer and server authentication. SSH products from many vendors contain flaws in the way they implement this protocol. A remote attacker can send malformed packets that are processed during the initial setup, key exchange and connection phases (packets with unusual packet-length or padding-length values, packets containing malformed strings or values, packets whose algorithm name-lists are not properly defined, and so on) to make an SSH server or client stop working, and may be able to execute arbitrary code with the privileges of the server or client. The impact depends on the vendor's SSH product. Details are currently unknown; in the case of SSH Secure Shell from SSH Communications Security, the issue can crash a server child process or the client. In the case of F-Secure SSH from F-Secure, a server child process may crash and the connection between the server and client may be lost, but the client can reconnect. The effect on the Windows editions of SSH Secure Shell and F-Secure SSH is unknown. OpenSSH is not affected by this issue. Cisco IOS is not affected in its default configuration, because the SSH server is disabled by default. Please refer to the "Overview" for the impact of this vulnerability.
Multiple vendor SSH2 implementations are reported to be prone to buffer overflows. These buffer overflows are alleged to be exploitable prior to authentication. These conditions were discovered during tests of the initialization, key exchange, and negotiation phases (KEX, KEXINIT) of an SSH2 transaction between client and server. These issues are known to affect various client and server implementations of the protocol. Further details about this vulnerability are currently unknown. This BID will be updated as more information becomes available. This vulnerability was originally described in BugTraq ID 6397.
CERT Advisory CA-2002-36, Multiple Vulnerabilities in SSH Implementations (CERT/CC, original issue date December 16, 2002, http://www.cert.org/advisories/CA-2002-36.html), lists this issue as the SSHredder test class CAN-2002-1359, "classic" buffer overflows. The advisory text, including the vendor statements in its Appendix A, is reproduced in full in the VAR-200212-0624 entry above.
VAR-200212-0627 CVE-2002-1360 Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple SSH2 servers and clients do not properly handle strings with null characters in them when the string length is specified by a length field, which could allow remote attackers to cause a denial of service or possibly execute arbitrary code due to interactions with the use of null-terminated strings as implemented using languages such as C, as demonstrated by the SSHredder SSH protocol test suite. Secure shell (SSH) transport layer protocol implementations from different vendors contain multiple vulnerabilities in code that handles key exchange and initialization. Both SSH servers and clients are affected. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ TCP/IP Used by higher layers SSH The transport layer protocol is SSH This is the protocol that forms the basis of the entire protocol. Key exchange, encryption technology to be used, message authentication algorithm, etc. have been agreed, and functions such as encrypted data transfer and server authentication are provided. Provided by many vendors SSH There is a deficiency in the implementation method in products that implement the protocol. Remote attackers are responsible for various malicious packets that are handled during the initial setup, key exchange, and connection phase related to this protocol. ( Packet length padding Packets with unusual lengths, packets with malformed character strings or values inserted, packets for which the algorithm is not properly defined, etc. ) By sending SSH Cause a server or client to go out of service, and SSH It is possible to execute arbitrary code with the execution authority of the server or client. However, the impact of this issue is provided by each vendor SSH It depends on the product. 
Details are currently unknown, SSH Communications Security Provided by SSH Secure Shell in the case of, SSH It can lead to server child processes or client crashes. Also F-Secure of F-Secure SSH In the case of, SSH If you use both products as a result, it may cause the server child process to crash, SSH The connection between the server and client may be lost. However, the client can connect by trying to reconnect. At this time, SSH Secure Shell and F-Secure SSH of Windows The effect of the edition is unknown. OpenSSH Is not affected by this issue. Cisco IOS In the case of SSH Because the server is disabled, the default setting is not affected by this issue.Please refer to the “Overview” for the impact of this vulnerability. Multiple vendor SSH2 implementations are reported to be prone to issues related to the handling of null characters in strings. These issues may be used to cause unpredictable behavior to occur, such as a denial of service or memory corruption. It is reportedly possible to trigger these conditions prior to authentication. These conditions were discovered during tests of the initialization, key exchange, and negotiation phases (KEX, KEXINIT) of a SSH2 transaction between client and server. These issues are known to affect various client and server implementations of the protocol. Further details about this vulnerability are currently unknown. This BID will be updated as more information becomes available. This vulnerability was originally described in BugTraq ID 6397. -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations Original issue date: December 16, 2002 Last revised: -- Source: CERT/CC A complete revision history is at the end of this file. I. It provides strong encryption, cryptographic host authentication, and integrity protection.... These vulnerabilities include buffer overflows, and they occur before any user authentication takes place. 
SSHredder was primarily designed to test key exchange and other processes that are specific to version 2 of the SSH protocol; however, certain classes of tests are also applicable to version 1. Rapid7 has published a detailed advisory (R7-0009) and the SSHredder test suite. Common Vulnerabilities and Exposures (CVE) has assigned the following candidate numbers for several classes of tests performed by SSHredder: * CAN-2002-1357 - incorrect field lengths * CAN-2002-1358 - lists with empty elements or multiple separators * CAN-2002-1359 - "classic" buffer overflows * CAN-2002-1360 - null characters in strings II. On Microsoft Windows systems, SSH servers commonly run with SYSTEM privileges, and on UNIX systems, SSH daemons typically run with root privileges. III. Solution Apply a patch or upgrade Apply the appropriate patch or upgrade as specified by your vendor. See Appendix A below and the Systems Affected section of VU#389665 for specific information. Restrict access Limit access to SSH servers to trusted hosts and networks using firewalls or other packet-filtering systems. Some SSH servers may have the ability to restrict access based on IP addresses, or similar effects may be achieved by using TCP wrappers or other related technology. SSH clients can reduce the risk of attacks by only connecting to trusted servers by IP address. While these workarounds will not prevent exploitation of these vulnerabilities, they will make attacks somewhat more difficult, in part by limiting the number of potential sources of attacks. Appendix A. Vendor Information This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments. The Systems Affected section of VU#389665 contains additional vendor status information. Cisco Systems, Inc. The official statement regarding this is that we are not vulnerable. 
Cray Inc. Cray Inc. supports the OpenSSH product through their Cray Open Software (COS) package. COS 3.3, available the end of December 2002, is not vulnerable. If a site is concerned, they can contact their local Cray representive to obtain an early copy of the OpenSSH contained in COS 3.3. F-Secure F-Secure SSH products are not exploitable via these attacks. While F-Secure SSH versions 3.1.0 build 11 and earlier crash on these malicious packets, we did not find ways to exploit this to gain unauthorized access or to run arbitrary code. Furthermore, the crash occurs in a forked process so the denial of service attacks are not possible. Fujitsu Fujitsu's UXP/V OS is not vulnerable because it does not support SSH. IBM IBM's AIX is not vulnerabible to the issues discussed in CERT Vulnerability Note VU#389665. lsh I've now tried the testsuite with the latest stable release of lsh, lsh-1.4.2. Both the client and the server seem NOT VULNERABLE. NetScreen Technologies Inc. Tested latest versions. Not Vulnerable. OpenSSH From my testing it seems that the current version of OpenSSH (3.5) is not vulnerable to these problems, and some limited testing shows that no version of OpenSSH is vulnerable. Pragma Systems, Inc. December 16, 2002 Rapid 7 and CERT Coordination Center Vulnerability report VU#389665 Pragma Systems Inc. of Austin, Texas, USA, was notified regarding a possible vulnerability with Version 2.0 of Pragma SecureShell. Pragma Systems tested Pragma SecureShell 2.0 and the upcoming new Version 3.0, and found that the attacks did cause a memory access protection fault on Microsoft platforms. After research, Pragma Systems corrected the problem. The problem is corrected in Pragma SecureShell Version 3.0. Any customers with concerns regarding this vulnerability report should contact Pragma Systems, Inc at support@pragmasys.com for information on obtaining an upgrade free of charge. 
Pragma's web site is located at www.pragmasys.com and the company can be reached at 1-512-219-7270. PuTTY PuTTY 0.53b addresses vulnerabilities discovered by SSHredder. Appendix B. References * CERT/CC Vulnerability Note: VU#389665 - http://www.kb.cert.org/vuls/id/389665 * Rapid 7 Advisory: R7-0009 - http://www.rapid7.com/advisories/R7-0009.txt * Rapid 7 SSHredder test suite - http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666 * IETF Draft: SSH Transport Layer Protocol - http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-15. txt * IETF Draft: SSH Protocol Architecture - http://www.ietf.org/internet-drafts/draft-ietf-secsh-architecture- 13.txt * Privilege Separated OpenSSH - http://www.citi.umich.edu/u/provos/ssh/privsep.html _________________________________________________________________ The CERT Coordination Center thanks Rapid7 for researching and reporting these vulnerabilities. _________________________________________________________________ Author: Art Manion. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-36.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. 
Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History December 16, 2002: Initial release
VAR-200212-0740 CVE-2002-2294 Symantec Enterprise Firewall RealAudio Proxy remote buffer overflow vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple buffer overflows in Symantec Raptor Firewall 6.5 and 6.5.3, Enterprise Firewall 6.5.2 and 7.0, VelociRaptor 500/700/1000 and 1100/1200/1300, and Gateway Security 5110/5200/5300 allow remote attackers to cause a denial of service (service termination) via (1) malformed RealAudio (rad) packets that are not properly handled by the RealAudio Proxy, or (2) crafted packets to the statistics service (statsd). A vulnerability has been reported for Symantec Enterprise Firewall. A buffer overflow vulnerability occurs in the RealAudio Proxy installed on Symantec Enterprise Firewall. Reportedly, when the Proxy is sent a specially formatted stream of data, a buffer overflow condition is triggered. An attacker can exploit this vulnerability by sending a specially crafted stream of data to the Proxy; a local buffer is then overrun with attacker-supplied values, triggering the buffer overflow condition. Although unconfirmed, it may be possible for an attacker to gain control over the execution of the vulnerable RealAudio Proxy process. The RealAudio proxy service has a problem when processing specially crafted scan traffic. Remote attackers can use this vulnerability to carry out buffer overflow attacks, which can cause a denial of service on the system. When the firewall was scanned with the Qualys tool, the rad (RealAudio) and statsd (statistics) services terminated abnormally. Dr. Watson records the resulting crash dump: the scan data causes the RealAudio service to corrupt a buffer, and the statistics service, statsd, stops responding due to an access violation. All other services function normally
VAR-200212-0766 CVE-2002-2239 Cisco OSM Line Cards Remote Denial of Service Attack Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Cisco Optical Service Module (OSM) for the Catalyst 6500 and 7600 series running Cisco IOS 12.1(8)E through 12.1(13.4)E allows remote attackers to cause a denial of service (hang) via a malformed packet. A vulnerability has been discovered in OSM Line Cards when installed in various Cisco devices. Cisco has reported that a denial of service may occur when processing an irregularly constructed network packet. Exploitation of this issue will cause the Cisco device to no longer forward legitimate packets. Precise technical details regarding this vulnerability are not yet known. This BID will be updated as further information becomes available. An issue in the Fiber Services module's handling of specially crafted or corrupted packets from the internal network could allow a remote attacker to conduct a denial of service attack. When certain malformed data frames arrive at the interface, the packet forwarding engine instructs the line card to rewrite the frame. In this way legitimate information can be overwritten, causing the interface to stop accepting and forwarding network traffic. The Cisco bug ID for this vulnerability is CSCdy29717
VAR-200212-0022 CVE-2002-1268 Mac OS X Permissions and Access Control Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Mac OS X 10.2.2 allows local users to gain privileges via a mounted ISO 9600 CD, aka "User Privilege Elevation via Mounting an ISO 9600 CD.". Mac OS X is prone to a local security vulnerability
VAR-200212-0023 CVE-2002-1269 Mac OS X NetInfo Manager Unknown vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in NetInfo Manager application in Mac OS X 10.2.2 allows local users to access restricted parts of a filesystem. A local user could exploit this vulnerability to access restricted areas of system files
VAR-200212-0021 CVE-2002-1267 Mac OS X Service denial vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Mac OS X 10.2.2 allows remote attackers to cause a denial of service by accessing the CUPS Printing Web Administration utility, aka "CUPS Printing Web Administration is Remotely Accessible.". Mac OS X is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause denial-of-service conditions
VAR-200212-0020 CVE-2002-1266 Mac OS X Permissions and Access Control Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Mac OS X 10.2.2 allows local users to gain privileges by mounting a disk image file that was created on another system, aka "Local User Privilege Elevation via Disk Image File.". Mac OS X is prone to a local security vulnerability
VAR-200212-0001 CVE-2002-1270 Mac OS X Permissions and Access Control Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Mac OS X 10.2.2 allows local users to read files that only allow write access via the map_fd() Mach system call. Mac OS X is prone to a local security vulnerability
VAR-200212-0880 No CVE Microsoft Windows XP Wireless LAN AP Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Windows XP is configured to automatically search for available access points (APs) when using a wireless LAN. IEEE 802.11b is currently the most widely used wireless transmission protocol; it operates in the 2.4 GHz band and reaches a transmission rate of up to 11 Mbps. Windows XP's wireless LAN client does not fully verify the access point it connects to. A remote attacker can exploit this by configuring a system to act as the access point and intercepting the transmitted information. A Windows XP system using a wireless LAN automatically searches for an access point; if the AP cannot be found, the request is sent continuously until a connection is established. If the attacker's system is configured with the same SSID as the access point, Windows XP will not confirm that it is the correct access point and will begin the session using WEP encryption. The registered SSID can be obtained by intercepting wireless LAN traffic with a network sniffing tool. In addition, WEP has some well-known weaknesses: data encrypted with a 40-bit key can be brute-forced in a short period of time, and according to the report 104-bit encrypted data may be cracked within two weeks. This so-called "Rogue Access Point" attack can only be avoided with mutual authentication: APs must authenticate users and users must authenticate APs. The EAP authentication protocol used in IEEE 802.1x can do this. An information disclosure vulnerability has been reported for systems using the IEEE 802.11b standard for wireless communications. An attacker can exploit this vulnerability to set up an AP with the same SSID (Service Set ID) as a previously configured AP. When the vulnerable system recognizes this malicious AP, it will begin transmitting data. An attacker can exploit this to intercept and decrypt any transmissions received from a vulnerable system. 
Information obtained in this manner may be used to launch further, destructive attacks against a vulnerable system. ** Microsoft has stated that this issue is not platform specific. Rather, it is an issue with the IEEE 802.11b standard
VAR-200212-0881 No CVE Multiple Linksys Device strcat() Remote Buffer Overflow Vulnerability CVSS V2: -
CVSS V3: -
Severity: LOW
Linksys has developed a variety of broadband router devices, including the BEFW11S4 and BEFSRU31, which include a web management interface accessed over HTTP. Multiple Linksys device management interfaces have a problem in their use of the strcat() function. Remote attackers can exploit this vulnerability to perform a denial of service attack on the device, causing it to stop responding to normal traffic. Because the strcat() call lacks a correct bounds check on its input, an attacker can send a malformed request to an affected Linksys device; when the device attempts to process the malicious input, memory is corrupted and the device crashes and stops responding. This vulnerability can only be exploited when the device has UPnP (Universal Plug and Play) enabled.
VAR-200301-0017 CVE-2002-1386 Traceroute-Nanog Hostname Buffer Overflow Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Buffer overflow in traceroute-nanog (aka traceroute-ng) may allow local users to execute arbitrary code via a long hostname argument. Traceroute is a tool that is used to track packets in a TCP/IP network to determine the path of network connections. This vulnerability affects the Traceroute-Nanog program, written for Unix and Linux operating systems. It has been reported that a buffer overflow exists in Traceroute-Nanog. Due to insufficient bounds checking in the Traceroute-Nanog program, a user may execute the program with a hostname of arbitrary length, and cause the overwriting of stack memory within the process. This could result in the execution of attacker-supplied instructions
VAR-200301-0018 CVE-2002-1387 Traceroute-Nanog Spray Buffer Overflow Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
The spray mode in traceroute-nanog (aka traceroute-ng) may allow local users to overwrite arbitrary memory locations via an array index overflow using the nprobes (number of probes) argument. Traceroute is a tool that is used to track packets in a TCP/IP network to determine the path of network connections. This vulnerability affects the Traceroute-Nanog program, written for Unix and Linux operating systems. It has been reported that a buffer overflow exists in Traceroute-Nanog. Due to insufficient bounds checking in the Traceroute-Nanog program, a user may execute the program in spray mode with an excessively large number of probes, and cause the overwriting of stack memory within the process. This could result in the execution of attacker-supplied instructions. The spray mode in traceroute-nanog (also known as traceroute-ng) is vulnerable