On Fri, 13 Jun 2003 17:52:21 -0400, Tim Peeler wrote:

>On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
>> 
>> On Fri, 13 Jun 2003 14:18:44 -0400
>> Tim Peeler <[EMAIL PROTECTED]> wrote:
>> > In the last 4-5 days we have had 8 servers come under attack.  We are
>> > working frantically to keep ahead of these attacks.  We have come to the
>> > conclusion that the SSH in woody is likely vulnerable.  
[...]
>> > We have not had time
>> > to analyze where the exploit occurs in sshd, but we are very confident
>> > that this is the location of the exploit.  We have begun upgrading to
>> > a backport of the testing version of ssh which appears to be helping.
>> 
>> Could you provide your /etc/ssh/sshd_config, the version of your "ssh"
>> package, and the output from 'debsums ssh'? Thanks.
>> 
>
>sshd_config for comprimized server attached, as well as the output of
>debsums ssh
>
>SSH Version: 3.4p1-1
[snip]

From your sshd_config :

> Protocol 2,1

Um, aren't there known *unfixable* problems with the SSH1 protocol ?

http://www.cert.org/advisories/CA-2001-35.html
http://list.cobalt.com/pipermail/cobalt-security/2001-November/003857.html
http://groups.google.com/groups?q=ssh1+unfixable&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=m1lsmv0faft.fsf%40syrinx.oankali.net&rnum=1
http://groups.google.com/groups?q=ssh1+deprecated&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=Pine.LNX.4.10.10102101444180.22997-100000%40mystery.acr.fi&rnum=1

I may be wrong (not expert, etc) but I'm under the impression that
SSH1 is unfixably broken and should not now be used - certainly we
only have protocol 2 listed in all our server configs.

Having protocol 1 second in the list doesn't stop a client from
insisting on using it.

Tatu Ylonen says in the 4th reference above :

  "The whole CRC32 vulnerability is once again a 
  manifestation of certain fundamental problems 
  in the SSH1 key exchange and message authentication
  mechanism. The SSH2 protocol was created to fix 
  these (and other) problems. The old SSH1 protocol 
  is deprecated, and people are strongly urged to 
  move to using the SSH2 protocol.

  .. some cryptographers that I know have been 
  speculating whether it would be possible to 
  construct attack patterns that would get around 
  the CRC32 deattack mechanism entirely.  The 
  original CRC32 attack works obtaining some known
  plaintext-ciphertext pairs, and constructing a
  special pattern that defeats the CRC32 that was 
  used as MAC in SSH1.  The deattack code detects 
  the particular pattern used to defeat the CRC32
  check.  However, some people are speculating 
  that there may be other patterns (e.g. 
  involving more known plaintext-ciphertext pairs) 
  that would also compensate for CRC32 but would 
  not be detected by the deattack code.
  I cannot confirm whether this is the case, but 
  I personally do not fully trust that the 
  deattack code will be able to prevent all 
  variations of the attack (even without the 
  bug in the deattack code).  The real fix is to
  move to using the SSH2 protocol."

My 2p, etc.   You probably already know all this.

Do you *have* to have SSH1 enabled ?

(Sorry if this is all off-target)

Good luck
Nick Boyce
Bristol, UK

Reply via email to