SSH deja vu

From: Max Parke (mhpat_private)
Date: Tue Oct 23 2001 - 10:17:21 PDT


    Sorry if this is already a known issue.
    
    When the vulnerabilities in ssh-1.xx were publicised, we upgraded to 
    ssh-2.xx on our machines.  The process for ssh version 2.xx does NOT
    erase sshd1 from /usr/local/sbin, and if an incoming client is still
    running the old ssh version 1, sshd2 will hand off control to 
    /usr/local/sbin/sshd1 (of course, this can be disabled).
    
    It appears that if your old sshd from version 1 was vulnerable before
    installing ssh version 2, YOU ARE STILL VULNERABLE.  We have
    information that this problem is currently being actively exploited,
    and scans for vulnerable machines are being conducted.
    
    Messages such as the following (note: sshd, not sshd2) indicate that a
    scan may be in progress:
    
    sshd[6169]: fatal: Local: Corrupted check bytes on input.
    sshd[6253]: fatal: Local: crc32 compensation attack: network attack detected
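
A log check for the two messages quoted above, as an added example that is not part of the original post: it matches them only under the `sshd[pid]` tag (not `sshd2[pid]`) and also tests whether the version 1 daemon is still installed. The function names and the sample log lines (timestamps, host name, the `sshd2` and `cron` lines) are constructed for illustration; the path is the one named in the post.

```shell
#!/bin/sh
# Added example: flag the two log messages quoted in the post, but only when
# they come from the legacy daemon tag "sshd[pid]" and not "sshd2[pid]".

SSHD1_PATH="/usr/local/sbin/sshd1"   # path named in the post

# Print log lines from "sshd" (not "sshd2") carrying either quoted message.
scan_indicators() {
    grep -E '(^|[[:space:]])sshd\[[0-9]+\]: fatal: Local: (Corrupted check bytes on input|crc32 compensation attack)' "$1"
}

# Count matching lines; prints 0 when there are none.
count_indicators() {
    scan_indicators "$1" | wc -l | tr -d ' '
}

# Succeeds if the version 1 daemon is still installed and executable.
legacy_sshd_present() {
    [ -x "${1:-$SSHD1_PATH}" ]
}

# Constructed sample log: the first two lines reuse the messages from the
# post; the syslog prefix, the sshd2 line and the cron line are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 23 09:58:01 host1 sshd[6169]: fatal: Local: Corrupted check bytes on input.
Oct 23 09:58:07 host1 sshd[6253]: fatal: Local: crc32 compensation attack: network attack detected
Oct 23 09:59:12 host1 sshd2[6301]: fatal: Local: Corrupted check bytes on input.
Oct 23 10:02:40 host1 cron[6400]: constructed unrelated line
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
echo "indicator lines: $(count_indicators "$sample")"
if legacy_sshd_present; then
    echo "$SSHD1_PATH is still installed"
fi
rm -f "$sample"
```

To run it against a real system, pass the path of the host's syslog file to `scan_indicators`.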
    


