CERT® Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations
Original issue date: December 16, 2002
Last revised: May 5, 2003
A complete revision history is at the end of this file.
- Secure shell (SSH) protocol implementations in SSH clients and servers from multiple vendors
Multiple vendors' implementations of the secure shell (SSH) transport
layer protocol contain vulnerabilities that could allow a remote
attacker to execute arbitrary code with the privileges of the SSH
process or cause a denial of service. The vulnerabilities affect SSH
clients and servers, and they occur before user authentication takes place.
Summary vendor information can be found in the
Systems Affected section of VU#389665.
The SSH protocol enables a secure communications channel from a client to a server.
From the IETF draft SSH Transport Layer Protocol:
The SSH transport layer is a secure low level transport protocol. It
provides strong encryption, cryptographic host authentication, and
integrity protection.... Key exchange method, public key algorithm, symmetric encryption
algorithm, message authentication algorithm, and hash algorithm are
Rapid7 has developed a suite (SSHredder) of test cases that examine
the connection initialization, key exchange, and negotiation phase
(KEX, KEXINIT) of the SSH transport layer protocol. The suite tests
the way an SSH transport layer implementation handles invalid or
incorrect packet and string lengths, padding and padding length,
malformed strings, and invalid algorithms.
The test suite has demonstrated a number of vulnerabilities in
different vendors' SSH products. These vulnerabilities include buffer
overflows, and they occur before any user authentication takes place.
SSHredder was primarily designed to test key exchange and other
processes that are specific to version 2 of the SSH protocol; however, certain classes
of tests are also applicable to version 1.
Further information about this set of vulnerabilities may be found in
Vulnerability Note VU#389665.
Rapid7 has published a detailed advisory (R7-0009) and the
SSHredder test suite.
Common Vulnerabilities and Exposures (CVE)
has assigned the following candidate numbers for several classes of
tests performed by SSHredder:
The impact will vary for different vulnerabilities and products, but
in severe cases, remote attackers could execute arbitrary code with
the privileges of the SSH process. Both SSH clients and servers are
affected, since both implement the SSH transport layer protocol. On
Microsoft Windows systems, SSH servers commonly run with SYSTEM
privileges, and on UNIX systems, SSH daemons typically run with root
privileges. In the case of SSH clients, any attacker-supplied code
would run with at least the privileges of the user who started the
client program. Additional privileges may be afforded to an attacker
when the SSH client is setuid or setgid to a more privileged user,
such as root. Attackers could also crash a vulnerable SSH process,
causing a denial of service.
Apply a patch or upgrade
Apply the appropriate patch or upgrade as specified by your vendor.
See Appendix A. below and the Systems Affected
section of VU#389665 for further information.
Limit access to SSH servers to trusted hosts and networks using
firewalls or other packet-filtering systems. Some SSH servers may
have the ability to restrict access based on IP addresses, or similar
effects may be achieved by using TCP wrappers or other related
SSH clients can reduce the risk of attacks by only connecting to
trusted servers by IP address.
While these workarounds will not prevent exploitation of these
vulnerabilities, they will make attacks somewhat more difficult, in
part by limiting the number of potential sources of attacks.
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors
report new information, this section is updated and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their comments. The
Systems Affected section of VU#389665 contains additional vendor status information.
Following CERT advisory CA-2002-36 on security vulnerabilities in the
SSH implementations, Alcatel has conducted an immediate assessment to
determine any impact this may have on our portfolio. A first analysis
showed that various Alcatel products were affected: namely the 6600,
7000 and 8000 OmniSwitches running AOS 5.1.3 and for which corrections
had been made available to customers. This issue has now been fixed
both in a AOS 5.1.3 maintenance release and in AOS 5.1.4. The security
of our customers' networks is of highest priority for
Alcatel. Therefore we continue to test our product portfolio against
potential SSH security vulnerabilities and will provide updates if
Apple: Mac OS X and Mac OS X Server do not contain the vulnerabilities described in this report.
Cisco Systems has several products that are vulnerable to the attacks
posed by the SSHredder test suite. Complete details are available at
Based on initial testing and evaluation of this vulnerability, earlier
versions of this advisory listed Cisco Systems as "Not Vulnerable."
Upon additional internal testing it was determined that some Cisco
products were indeed vulnerable.
Cray Inc. supports the OpenSSH product through their Cray Open
Software (COS) package. COS 3.3, available the end of December 2002,
is not vulnerable. If a site is concerned, they can contact their
local Cray representive to obtain an early copy of the OpenSSH
contained in COS 3.3.
From testing against the SSHredder data the invalid packets are being
caught and rejected by cryptlib's packet validity-checking code,
making it not vulnerable to the problem.
F-Secure SSH products are not exploitable via these attacks. While
F-Secure SSH versions 3.1.0 build 11 and earlier crash on these
malicious packets, we did not find ways to exploit this to gain
unauthorized access or to run arbitrary code. Furthermore, the crash
occurs in a forked process so the denial of service attacks are not
Fujitsu's UXP/V OS is not vulnerable because it does not support SSH.
SOURCE: Hewlett-Packard Company
HP Tru64 UNIX V5.1a or HP OpenVMS systems using SSH V2.4.1 should upgrade to SSH V3.2.
HP has investigated this report and find that our implementations within HP-UX are not vulnerable.
IBM's AIX is not vulnerable to the issues discussed in CERT CA-2002-36.
Juniper Networks has determined that the software on the ERX router
platforms is susceptible to this vulnerability. Patches for all
supported releases are now available to resolve the vulnerability.
Customers should contact the Juniper Networks Technical Assistance
Center to obtain the latest patch.
Initial testing of the JUNOS software on Juniper's M-, T-, and
J-series routers has not revealed any susceptibility to this
vulnerability. Juniper will continue testing, and if any problems are
found, corrective action will be taken.
The Juniper G-series Cable Modem Termination Systems are not
susceptible to this vulnerability.
I've now tried the testsuite with the latest stable release of lsh, lsh-1.4.2. Both the client and the server seem NOT VULNERABLE.
Tested latest versions. Not Vulnerable.
The following Nortel Networks products are being assessed to determine
whether they are potentially affected by the vulnerabilities
identified in CERT Advisory CA-2002-36: Shasta Broadband Service Node
and Shasta Service Creation System.
Passport 8000 Series Software is potentially affected; this issue will
be addressed in the next maintenance releases
126.96.36.199, for version 3.3, scheduled for availability January 24th, 2003.
3.2.4, for version 3.2, scheduled for availability in Mid March 2003 (target)
Releases before 3.2.1 are not affected.
A product bulletin will be issued shortly.
STORM is potentially affected; a product bulletin will be issued
shortly and this issue will be addressed in the next Maintenance
Release scheduled for availability in March, 2003.
Other Nortel Networks products implementing SSH are not affected by
the vulnerabilities identified in CERT Advisory CA-2002-36.
For more information please contact Nortel at:
North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009
Contacts for other regions are available at <http://www.nortelnetworks.com/help/contact/global/>
From my testing it seems that the current version of OpenSSH (3.5) is
not vulnerable to these problems, and some limited testing shows that
no version of OpenSSH is vulnerable.
December 16, 2002
Rapid 7 and CERT Coordination Center
Vulnerability report VU#389665
Pragma Systems Inc. of Austin,
Texas, USA, was notified regarding a possible vulnerability with
Version 2.0 of Pragma SecureShell. Pragma Systems tested Pragma
SecureShell 2.0 and the upcoming new Version 3.0, and found that the
attacks did cause a memory access protection fault on Microsoft
After research, Pragma Systems corrected the
problem. The correction of the problem leads us to believe that any
attack would not cause a Denial of Service, or the ability of random
code to run on the server.
The problem is corrected in Pragma SecureShell Version 3.0. Any
customers with concerns regarding this vulnerability report should
contact Pragma Systems, Inc at firstname.lastname@example.org for information
on obtaining an upgrade free of charge. Pragma's web site is located
at www.pragmasys.com and the company can be reached at 1-512-219-7270.
PuTTY versions 0.53 and earlier are vulnerable to a buffer overrun
discovered by SSHredder. Version 0.53b fixes this vulnerability.
Riverstone's implemention of SSH is based on OpenSSH, which is not vulnerable to any of the particular tests that are run by the SSHredder test suite. However, while running the test suite under certain conditions the router can experience a problem causing it to reload.
For more details, please see http://www.riverstonenet.com/support/support_security.shtml and the security advisory at http://www.riverstonenet.com/support/tb0239-9.shtml.
With SSH Secure Shell the worst case effect of the vulnerability is a
denial of service (DoS) for a single child-server (connection). This
cannot be exploited to gain access to the host and this does not
affect the parent server in any wa nor does it hinder the server's
ability to receive new connections - it only affects the child server
that is handling connections to the malicious client, or a client
application that is connecting to a malicious server. No arbitrary
code can be executed.
The version of Secure Shell (SSH) shipped with Solaris 9 is not
affected by the issues described in CERT VU#389665.
From our testing it seems that the current versions of VanDyke's
Secure Shell implementations are not vulnerable to these problems, and
some limited testing shows that no prior VanDyke Secure Shell
implementations are vulnerable.
Official Releases Tested:
VShell 2.1.1 October 15, 2002
SecureCRT 4.0.2 December 3, 2002
Older Releases Tested:
SecureFX 2.1.1 November 7, 2002
Entunnel 1.0.1 October 15, 2002
VShell 2.0.3 May 28, 2002
VShell 1.2.4 May 28, 2002
SecureCRT 3.4.7 November 7, 2002
A response to this advisory is available from our web site:
Appendix B. References
The CERT Coordination Center thanks Rapid7 for researching and reporting these vulnerabilities.
Authors: Art Manion.
This document is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available from
our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
December 16, 2002: Initial release, clarified setuid/setgid SSH client impact, updated IBM statement
December 17, 2002: Added VanDyke statement, updated SSH.com statement, removed PuTTY statement, added DoS impact, fixed Pragma link
December 18, 2002: Updated Cisco statement, added HP statement
December 20, 2002: Updated Cisco statement, added Sun statement, added Apple statement, added vendor information link to Overview
January 2, 2003: Added Riverstone statement.
January 6, 2003: Added Juniper statement
January 7, 2003: (Re-)added PuTTy statement
January 9, 2003: Updated Juniper statement
January 20, 2003: Added Nortel statement
February 25, 2003: Added Alcatel and Xerox statements
March 11, 2003: Added cryptlib statement
May 5, 2003: Updated Alcatel statement