SSH Vulnerability Scan

From: Niels Provos (provosat_private)
Date: Mon Dec 03 2001 - 12:53:22 PST


    SSH Vulnerability Scan
    Vulnerability to CRC32 compensation attack detector exploit
    -----------------------------------------------------------
    
    In February 2001, Razor Bindview released their "Remote vulnerability
    in SSH daemon crc32 compensation attack detector" advisory, which
    outlined a gaping hole in deployed SSH servers that can lead to a
    remote attacker gaining privileged access:
    
    	http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
    
    In November 2001, Dave Dittrich published a detailed analysis of the
    "CRC32 compensation attack detector exploit."  This exploit is
    currently widely in use.  CERT released Incident Note IN-2001-12:
    
    	http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
    	http://www.cert.org/incident_notes/IN-2001-12.html
    
    At the Center for Information Technology Integration, Niels Provos and
    Peter Honeyman have been scanning the University of Michigan for
    vulnerable SSH server software to identify and update vulnerable SSH
    servers:
    
    	http://www.citi.umich.edu/ssh/
    
    However, scans of the Internet show that system and security
    administrators must react and update their SSH servers:
    
    	http://www.citi.umich.edu/u/provos/ssh/crc32s.png
    
    At this writing, over 30% of all SSH servers appear to have the
    CRC32 bug.
    			
    A simple solution is to remove support for Version One of the SSH
    protocol.  The majority of servers on the Internet support the SSH v2
    protocol.
    
    To test whether your network has vulnerable SSH servers, you might
    use the ScanSSH tool:
    
    	http://www.monkey.org/~provos/scanssh/
    
    References:
    		 
    "ScanSSH - Scanning the Internet for SSH Servers",
      Niels Provos and Peter Honeyman, 16th USENIX Systems Administration
      Conference (LISA). San Diego, CA, December 2001.
      http://www.citi.umich.edu/techreports/reports/citi-tr-01-13.pdf
    	
    This information is also available at
    
      http://www.citi.umich.edu/u/provos/ssh/		 
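
The check suggested above (find servers that still offer Version One of the protocol), as an added example that is not part of the original post and is not ScanSSH code. It classifies SSH identification strings by protocol version only; the host addresses and banners are constructed samples, and `read_banner` and `hosts_offering_ssh1` are illustrative names.

```python
import re
import socket

# Identification string: "SSH-<protoversion>-<softwareversion>[ comments]"
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

def classify_banner(banner):
    """Return (offers_ssh1, offers_ssh2, software), or None if not an SSH banner."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    major, minor, software = int(m.group(1)), int(m.group(2)), m.group(3)
    if major == 1 and minor == 99:
        # 1.99 is the compatibility marker: the server speaks both v1 and v2.
        return (True, True, software)
    if major == 1:
        return (True, False, software)   # e.g. 1.3 or 1.5: Version One only
    return (False, True, software)       # 2.0 and later: Version One disabled

def read_banner(host, port=22, timeout=5.0):
    """Read the identification line a server sends on connect (your own hosts)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while b"\n" not in data and len(data) < 255:
            chunk = s.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace")

def hosts_offering_ssh1(inventory):
    """Given {host: banner}, return the sorted hosts that still accept Version One."""
    flagged = []
    for host, banner in inventory.items():
        result = classify_banner(banner)
        if result is not None and result[0]:
            flagged.append(host)
    return sorted(flagged)

# Constructed sample inventory (documentation addresses, made-up banners).
SAMPLE = {
    "192.0.2.10": "SSH-1.5-1.2.27\r\n",
    "192.0.2.11": "SSH-1.99-OpenSSH_2.9p2\r\n",
    "192.0.2.12": "SSH-2.0-OpenSSH_3.0.1\r\n",
    "192.0.2.13": "HTTP/1.0 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for host in hosts_offering_ssh1(SAMPLE):
        print(host, "still offers SSH protocol Version One")
```

A host reported here only tells you that Version One is enabled; whether the installed server software carries the CRC32 bug still has to be checked against the vendor's advisory.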
    		 
    
    		 
    


