SSH Communications Secure Shell vulnerable to DoS via malformed BER/DER packet

2003-10-03T00:00:00
ID VU:333980
Type cert
Reporter CERT
Modified 2003-10-07T00:00:00

Description

Overview

SSH Communications' Secure Shell contains vulnerabilities in ASN.1 libraries that may allow remote attackers to cause a denial-of-service situation, or potentially execute arbitrary code on the server.

Description

SSH Communications' Secure Shell contains a vulnerability in the decoding of BER/DER encoded packets. According to the SSH Communications Advisory:

BER/DER encoding is applied in digital certificates, which are used for authenticating a user to a host. Certificates are also commonly used for authenticating SSL/TLS connections.

Note that this vulnerability does not affect the non-commercial versions of SSH Secure Shell (Unix), as these versions do not contain the vulnerable ASN.1 related libraries.

This vulnerability may be related to the "Multiple vulnerabilities in SSL/TLS implementations" described in VU#104280.


Impact

A remote unauthenticated attaker may be able to crash the target server, causing a denial of service. Exploitation may also permit the execution of arbitrary code.


Solution

SSH Communications has released version 3.2.9 of SSH Secure Shell to resolve this issue. Please see the SSH Communications' Advisory for more details on upgrading. Likewise, vendors that redistribute versions of this product may provide their own patches or updates.


According to the SSH Communications' Advisory:

Your server is not vulnerable if:

* _You are using password authentication only_
* _You use the non-commercial Unix distribution that does not contain the PKI functionality._
* _You allow public key authentication WITHOUT specifying the "Pki" keyword in the server configuration file (sshd2_config)._

Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
F-Secure| | -| 07 Oct 2003
SSH Communications Security| | -| 03 Oct 2003
Stonesoft| | -| 03 Oct 2003
AppGate Network Security AB| | -| 03 Oct 2003
Bitvise| | -| 03 Oct 2003
MacSSH| | -| 07 Oct 2003
Riverstone Networks| | -| 03 Oct 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.ssh.com/company/newsroom/article/476/>
  • <http://www.stonesoft.com/document/art/3041.html>

Credit

Thanks to Stonesoft for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

  • CVE IDs: Unknown
  • Date Public: 03 Oct 2003
  • Date First Published: 03 Oct 2003
  • Date Last Updated: 07 Oct 2003
  • Severity Metric: 12.60
  • Document Revision: 6