On December 3, 2001 10:45 pm, you wrote:
>
> This exploit is indeed a different crc32 exploit than the one I
> analyzed a couple weeks ago, but it affects the same set of systems as
> the one I analyzed. For those who haven't seen it, the analysis
> includes examples and a script for scanning your network to identify
> *potentially* vulnerable systems (you need to check the version of
> your protocol 1 fallback server separately, if you allow fallback):
>
> http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

From this analysis, SSH-1.5-OpenSSH-1.2.3 is listed as vulnerable, but that's what you get when you install the SSH update from Debian, listed in DSA-027. I'd normally expect that just fixed a different problem, but the text of their advisory for "ssh-nonfree" (DSA-086-1) states:

"We have received reports that the "SSH CRC-32 compensation attack detector vulnerability" is being actively exploited. This is the same integer type error previously corrected for OpenSSH in DSA-027-1. OpenSSH (the Debian ssh package) was fixed at that time, but ssh-nonfree and ssh-socks were not."

I took a quick look around and didn't see the exploit code. Is there anyone who can confirm if Debian with ssh 1:1.2.3-9.2 is vulnerable? (Or point me at the exploit and I'll test myself.)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 13:19:37 PST