perl-modperl-cvs mailing list archives

From Wham Bang <wham_b...@yahoo.com>
Subject Re: ssh2
Date Tue, 11 Jan 2000 18:36:35 GMT

--- Vivek Khera <khera@kciLink.com> wrote:
> >>>>> "SB" == Stas Bekman <sbekman@iil.intel.com> writes:
> 
> SB> I just wanted to remind that there was a security hole
> SB> found in ssh1, [...]
> 
> Is it a hole in the protocol or the implementation?

I believe the original advisory is at the following URL:

http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-06-08&msg=199806120125.WAA05406@takeover.core.com.ar


[This is a one line URL, my and/or your mailer may split it.]

It is a flaw in the protocol, but it has apparently been patched in
such a way that there is no known attack that works against the
latest versions of ssh1.  See the following message that was
recently forwarded to me by a friend.

--8<----8<----

From: 	Emiliano Kargieman[SMTP:emiliano_kargieman@core-sdi.com]
Sent: 	Friday, December 17, 1999 6:31 PM
Subject: Re: SSH 1 Why?


> Wasn't this fixed in ssh 1.2.24? In the Changelog I see the
> following entry dated Jul 7th 98: 
>
>    * Updated deattack code to new version (fixes some bug in 
>    check_crc function. New code from CORE SDI S.A., Buenos Aires, 
>    Argentina.

Well, the answer is a little more complex than a yes or no...
deattack.c, the patch included in every version of ssh 1.x starting
from 1.2.24 doesn't patch the problem present in the protocol.
What it does is detect the attack attempts and close the connection.
The protocol is still flawed. Although I'm not aware of any
other related attacks that can evade the detection, there's
still a chance that this is possible. 

> This seems to (vaguely) refer to the advisory you quoted
> above...  *Are*  more recent versions of ssh 1.2.XX (like
> say 1.2.27) still vulnerable to this  attack? 
 
Not to the same attack, but a protocol update is still what I
recommend... flaws in protocol design tend to propagate to
implementations in unpredictable ways, even if the implementation
tries to patch the original problems. The main idea is: fix
protocol design flaws in protocol design and implementation
flaws on the implementation. This will leave you with just
configuration problems to worry about :) 

> [...]

-- 
Emiliano Kargieman <ek@core-sdi.com> 
Director de Investigacion - CoreLabs - Core-SDI S.A. 
http://www.core-sdi.com 

--8<----8<----

I hope this helps,

=====
Wham! <wham_bang@yahoo.com>


