Users of the Secure Shell protocol (SSH) should update their
software following the discovery of a series of flaws that could
compromise security.
SSH is a protocol found on most major operating systems including
Windows and Unix.
The warning comes from CERT (Computer Emergency Response Team)
Co-ordination Centre, the authoritative security advisory service
run by Carnegie Mellon University in the US.
SSH has been plagued by problems, with the latest difficulties
concerning the way software handles communications data.
The advisory describes multiple vulnerabilities in SSH
implementations that include "buffer overflows", in which a program
or a process used by a program is forced to store more data in a
buffer (a temporary data storage area) than it was intended to
hold.
Problems were also identified with the way that many SSH transport
layer protocol implementations handle data elements with incorrect
length specifiers, lists of data containing empty elements, and
strings of characters containing "null" or empty characters.
These flaws could enable remote attackers to crash the SSH client
or server application - a denial of service attack - or place and
execute code on the machine running the vulnerable software.
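
The three malformed inputs described above (wrong length specifiers, empty list elements, embedded null characters) can all be rejected before any data is copied. The C function below is an added example, not code from CERT or from any vendor named in this article; it assumes the SSH wire layout of a 4-byte big-endian length followed by a comma-separated name-list, and its function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Status codes; all names in this example are hypothetical. */
enum nl_status { NL_OK, NL_TRUNCATED, NL_BAD_LENGTH, NL_NUL_BYTE, NL_EMPTY_NAME };

/* Validate one name-list: 4-byte big-endian length, then that many bytes of
 * comma-separated names. Sets *names and *consumed only on NL_OK. */
enum nl_status check_name_list(const uint8_t *buf, size_t buf_len,
                               size_t *names, size_t *consumed)
{
    if (buf_len < 4)
        return NL_TRUNCATED;              /* no room for the length field */
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (len > buf_len - 4)                /* never 4 + len: that can wrap */
        return NL_BAD_LENGTH;
    const uint8_t *p = buf + 4;
    size_t count = 0, run = 0;            /* run = bytes in current name */
    for (uint32_t i = 0; i < len; i++) {
        if (p[i] == '\0')
            return NL_NUL_BYTE;           /* would cut short a C-string copy */
        if (p[i] == ',') {
            if (run == 0)
                return NL_EMPTY_NAME;     /* ",x" or "x,,y" */
            count++;
            run = 0;
        } else {
            run++;
        }
    }
    if (len > 0) {
        if (run == 0)
            return NL_EMPTY_NAME;         /* trailing comma: "x," */
        count++;
    }
    *names = count;
    *consumed = 4 + (size_t)len;
    return NL_OK;
}

int main(void)
{
    /* Constructed input: length field claims 255 bytes, only 3 follow. */
    static const uint8_t bad[] = { 0, 0, 0, 255, 'a', 'e', 's' };
    size_t n = 0, used = 0;
    printf("status=%d\n", check_name_list(bad, sizeof bad, &n, &used));
    return 0;
}
```
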
Because SSH servers run with system or root-level privileges on
both Windows and Unix systems, attackers exploiting SSH server
vulnerabilities would be able to take advantage of those elevated
privileges when carrying out their attack.
In most cases, however, attackers exploiting the vulnerabilities on
SSH clients would only inherit the permission level of the user who
started the client application, CERT said.
Some leading vendors, including Cisco and NetScreen Technologies,
said their products did not contain the transport layer protocol
vulnerabilities.
SSH products containing the vulnerabilities include some versions
of SecureShell by Pragma Systems, SecureNetTerm by Intersoft
International and SSH products by F-Secure.
These vendors have issued information on obtaining software
upgrades or patches that close the security holes, as have other
companies with vulnerable products.
CERT recommended applying the appropriate patch or software upgrade
provided by your software vendor to remove the SSH vulnerabilities.
In the absence of a software fix, customers can use firewalls or
packet filtering systems to limit access to SSH servers, while
limiting SSH clients to connections with trusted SSH servers by IP
(Internet Protocol) address, according to CERT.
www.cert.org/advisories/CA-2002-36.html