Vulnerability in OpenSSH daemon (sshd)

Overview

A vulnerability in the OpenSSH daemon (sshd) may give remote attackers a better chance of gaining access to restricted resources.

Description

OpenSSH is an implementation of the Secure Shell protocol. It is used to provide strong authentication and cryptographically secure communications between hosts. A vulnerability in versions up to and including 3.6.1 of OpenSSH may allow a remote attacker to circumvent security policies and attempt to or actually login from IP addresses that are not permitted to access resources.

There are two methods a client can use to authenticate to an SSH server. The first method is password authentication. This method is generally the easiest to set up, but the least secure. As long as the client has a valid username and password, they can gain access to the system running the SSH server. The second method is public key authentication. Public key authentication is one of the most secure methods available to authenticate a user. For a client to gain access to a system using public key authentication, a copy of the client’s public key must exist on the SSH server. The client must also have the private key in their possession as well as the passphrase associated with the private key.

In addition to the methods available to authenticate a user, there also exists ways in which one can restrict access to the SSH server, such that connections are permitted only from trusted hosts. One of the most common methods is by utilizing a firewall to do host-based access restriction. Additionally, sshd has the ability to restrict access by IP address or hostname. While this is not cryptographically strong security, it provides an additional layer of protection which some sites rely upon to limit their exposure.

A flaw exists in the way OpenSSH evaluates IP addresses and hostnames. We have included an excerpt of the report sent to BugTraq regarding this vulnerability:

Interestingly, when a purely numeric IP address is provided, an attacker who controls reverse DNS for his host can circumvent this controls by returning text containing a numeric IP address in the reverse DNS response. This would allow stolen keys containing numeric IP address restrictions to be used from other IP address, or external access to a system which had

AllowUsers *@192.168.*.*

set in an attempt to limit access to users in the internal 192.168/16 network.

The exploit works because the code treats both the IP address and hostname as strings, and there is no logic to indicate when a pure IP address match should be attempted.

---

Impact

An attacker can attempt to login to your system from a location that is not allowed. If the attacker has a private key in their possession that is allowed to access the system, they will be able to gain entry to the network. If the attacker does not have a legitimate private key, they may be able to guess a correct username/password pair if you allow password authentication.

---

Solution

The OpenSSH maintainers recommend enabling VerifyReverseMapping in sshd_config. You may also wish to restrict access to the secure shell service by applying packet filters for port 22/tcp at your network perimeter. While this measure will limit your exposure to attacks, blocking port 22/tcp at a network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network’s configuration and service requirements before deciding what changes are appropriate. In cases where applying packet filters is not feasible, software such as Wietse Venema’s TCP Wrappers can be used to restrict access to the secure shell daemon. Finally, it is highly advisable to use public key authentication as opposed to password authentication. In our estimation, this vulnerability does not pose an imminent threat; however, it permits a greater-than-expected level of access to a security control in your infrastructure. The next release of OpenSSH will drop the VerifyReverseMapping option and, subsequently, sshd will by default perform reverse-mapping. At this point in time, we do not know if the OpenSSH maintainers plan to make a patch available before the next release.

---

Vendor Information

978316

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Cray Inc. __ Affected

Notified: June 06, 2003 Updated: June 09, 2003

Status

Affected

Vendor Statement

Cray Inc. supports openssh through its Cray Open Software (COS) package. Cray does ship with VerifyReverseMapping set to “no”. A site should set this to “yes” in the sshd_config file and then restart sshd. Once patches are available they will be incorporated.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

IBM Corporation __ Affected

Notified: June 06, 2003 Updated: June 19, 2003

Status

Affected

Vendor Statement

The AIX operating system is vulnerable to the issues discussed in CERT Vulnerability Note VU#978316.

openSSH is available for AIX via the Bonus Pack or the Linux Affinity Toolbox.

For more information about the Linux Affinity Toolbox, please see:

<http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html&gt;

For more information about SSH for the Bonus Pack, please see:

<http://oss.software.ibm.com/developerworks/projects/opensshi&gt;

Both packages will be updated as information becomes available from OpenSSH.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

NetBSD __ Affected

Notified: June 06, 2003 Updated: June 09, 2003

Status

Affected

Vendor Statement

NetBSD ships with a version of OpenSSH which is vulnerable to the issue. We recommend users to take appropiate actions as suggested by OpenSSH team.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

OpenSSH Affected

Updated: June 06, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Sun Microsystems, Inc. __ Affected

Notified: June 06, 2003 Updated: January 16, 2007

Status

Affected

Vendor Statement

The Solaris Secure Shell, which ships with Solaris 9 and later, is based on OpenSSH and is therefore vulnerable to this issue. The advice to enable the sshd_config(4) option of VerifyReverseMapping is a valid workaround for Solaris Secure Shell as well. Similarly, the use of IP addresses instead of hostnames for the sshd_config(4) options of AllowUsers and DenyUsers will also workaround this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

VanDyke Software Inc. __ Affected

Notified: June 06, 2003 Updated: June 16, 2003

Status

Affected

Vendor Statement

VShell connection filters are vulnerable to this type of attack if hostname of domain name based filters are used in any of the connection filters.

VShell starts with the IP address provided by the TCP/IP protocol stack for the connection.

If there are no name based filters in the connection filter list, it simply uses this address to do filtering-- no name resolution is performed, and therefore, no vulnerability exists.

If there are name based filters in the connection filter list, VShell must discover all the hostnames associated with the connection IP. It does this through DNS, which is subject to trivial spoofing.

It is recommended that our customers not use hostname or domain name based filtering, but rather, use IP and netmask based filtering.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Alcatel __ Not Affected

Notified: June 06, 2003 Updated: August 01, 2003

Status

Not Affected

Vendor Statement

Following CERT vulnerability note VU#978316 on a vulnerability in OpenSSH daemon, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that none of our products, and in particular the A7670, A7700 and OmniSwitch series which make use of SSH, is impacted. The security of our customers’ networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio and will provide updates if necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Clavister __ Not Affected

Notified: June 06, 2003 Updated: June 09, 2003

Status

Not Affected

Vendor Statement

No Clavister software implements Secure Shell software. The general principle of crafted reverse DNS responses neither applies, as the ruleset of Clavister Firewall only works with numerical IP addresses, and can, as such, be trusted to apply IP-based access controls to affected SSH daemons.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Extreme Networks __ Not Affected

Notified: June 06, 2003 Updated: June 24, 2003

Status

Not Affected

Vendor Statement

Extreme Networks software is not vulnerable to advisory VU#978316.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Foundry Networks Inc. __ Not Affected

Notified: June 06, 2003 Updated: June 09, 2003

Status

Not Affected

Vendor Statement

Foundry Networks is not vulnerable to the OpenSSH issue described in VU#978316.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Fujitsu __ Not Affected

Notified: June 06, 2003 Updated: July 16, 2003

Status

Not Affected

Vendor Statement

Fujitsu’s UXP/V o.s. is not affected by the problem in VU#978316 because it does not support the SSH.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Hitachi __ Not Affected

Notified: June 06, 2003 Updated: June 18, 2003

Status

Not Affected

Vendor Statement

Hitachi GR2000 gigabit router series are NOT vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Lotus Software __ Not Affected

Notified: June 06, 2003 Updated: June 06, 2003

Status

Not Affected

Vendor Statement

Lotus products do not implement OpenSSH.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

MacSSH __ Not Affected

Notified: June 06, 2003 Updated: June 06, 2003

Status

Not Affected

Vendor Statement

This is not applicable to MacSSH, which is a client only.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Riverstone Networks __ Not Affected

Notified: June 06, 2003 Updated: June 10, 2003

Status

Not Affected

Vendor Statement

Riverstone Networks’ routers are not vulnerable to the problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

SSH Communications Security __ Not Affected

Notified: June 06, 2003 Updated: July 14, 2003

Status

Not Affected

Vendor Statement

Since 3.0.0, SSH Secure Shell server has had an additional specifier for matching with the host addresses, which can be used to only match IP-addresses or IP-masks. For example, one could specify

AllowUsers @\i192.168..*

Since 3.1.0, a specifier for address masks was added.

AllowUsers *@\m192.168.0.0/16

The specifiers are to be prepended to the address, and are “\i” and “\m”, respectively.

Thus, SSH Secure Shell daemon is not vulnerable to this, if these specifiers are used.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Secure Computing Corporation __ Not Affected

Notified: June 06, 2003 Updated: June 16, 2003

Status

Not Affected

Vendor Statement

This vulnerability relates to OpenSSH’s internal mechanism for restricting connections based on the source address. While Sidewinder uses OpenSSH, source address restrictions are handled by the Sidewinder policy engine. Since OpenSSH’s internal mechanism is not used, Sidewinder is not affected by this vulnerability. As a matter of policy, the updated SSH code will be included in a future patch.

The Gauntlet firewall does not include an SSH daemon, and is thus not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Stonesoft __ Not Affected

Notified: June 06, 2003 Updated: June 11, 2003

Status

Not Affected

Vendor Statement

Stonesoft’s StoneGate high availability firewall and VPN product does not enable the OpenSSH daemon by default. Furthermore, the client IP addresses are regulated by the firewall rulebase and not by the OpenSSH configuration in StoneGate. Therefore StoneGate is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

WatchGuard __ Not Affected

Notified: June 06, 2003 Updated: June 10, 2003

Status

Not Affected

Vendor Statement

We are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Xerox Corporation __ Not Affected

Notified: June 06, 2003 Updated: July 14, 2003

Status

Not Affected

Vendor Statement

A response to this vulnerability is available from our web site: <http://www.xerox.com/security&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

3Com Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

AT&T Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Apple Computer, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Avaya Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Berkeley Software Design, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Bitvise Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Borderware Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Cisco Systems, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Computer Associates Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

D-Link Systems Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Data General Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Debian Linux Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Engarde Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

F-Secure Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

F5 Networks, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

FiSSH Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

FreSSH Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

FreeBSD, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

FreeS/WAN Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Global Technology Associates Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Hewlett-Packard Company Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

IBM eServer __ Unknown

Updated: June 24, 2003

Status

Unknown

Vendor Statement

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to:
https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/security=alerts?OpenDocument&pathID=3D

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to
<http://app-06.www.ibm.com/servers/resourcelink&gt;
and follow the steps for registration.

All questions should be refered to [email protected].

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Ingrian Networks, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Intel Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Internet Initiative Japan (IIJ) Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Interpeak Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Intersoft International Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Intoto Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Juniper Networks, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

KAME Project Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Lachman Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Lucent Technologies Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Mandriva, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Mandriva, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Microsoft Corporation Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Mirapoint Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

MontaVista Software, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Multi-Tech Systems Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Multinet Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

NEC Corporation Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

NeXT Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Netcomposite Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Netscreen Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Network Appliance Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Nokia Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Nortel Networks, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

OpenBSD Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Openwall GNU/*/Linux Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Oracle Corporation Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Pragma Systems Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Putty Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Red Hat, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

SCO Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

SGI Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

SUSE Linux Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

SafeNet Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Sequent Computer Systems, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Sony Corporation Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

TTSSH/TeraTerm Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Unisys Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

WinSCP Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Wind River Systems, Inc. Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

Wirex Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

ZyXEL Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

eSoft Unknown

Notified: June 06, 2003 Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

lsh Unknown

Updated: June 06, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23978316 Feedback>).

View all 86 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/archive/1/324016/2003-06-03/2003-06-09/0&gt;
• <ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz&gt;
• <http://www.ietf.org/html.charters/secsh-charter.html&gt;
• <http://www.openssh.com/&gt;
• <http://www.iss.net/security_center/static/12196.php&gt;

Acknowledgements

This vulnerability was discovered by Mike Harding. Note that this behavior of OpenSSH was in fact noticed and published two years earlier by Richard Silverman and Dan Barrett in “SSH, The Secure Shell: The Definitive Guide” (O’Reilly 2001, ISBN 0-596-00011-1). See section 5.5.2.1, p179 in the first edition.

This document was written by Ian A Finlay.

Other Information

CVE IDs:	CVE-2003-0386
Severity Metric:	37.13 Date Public: