SSH flaws sighted
Print storyDON'T PANIC
Posted in Security, 19th December 2002 10:12 GMT
Free whitepaper – Vulnerability management buyer's checklist
Secure shell (SSH) protocol implementations from several vendors are subject to a number of potentially serious security flaws, security clearing house CERT warned earlier this week.
Read further down the noticeand you'll see that most major system vendors - and OpenSSH - are immune, but there's some work ahead for users of SSH implementations for Pragma Systems, F-Secure and others.
The flaws (such as they are) could allow a remote attacker to execute arbitrary code with the privileges of a particular SSH process or cause systems to crash. The vulnerabilities affect SSH clients and servers, and they occur before user authentication takes place.
The vulnerabilities, including ever-popular buffer overflow bugs, in several SSH implementations came to light after tests using a suite called SSHredder, from a firm called Rapid 7.
CERT advises affected users to apply appropriate patches or upgrade, as fixes become available. More generally, it advises access to SSH servers should be limited by firewalls and packet-filtering systems. ®
Related Stories
OpenSSH trojaned!
OpenSSH hits the fan
Crypto boffins question SSH security
The business case for application security
Reducing messaging and web security costs with managed services
Avoiding 7 common mistakes of IT security compliance
Server-gated cryptography
Airport insecurity: the case of lost laptops
Feds: Hospital hacker's 'massive' DDoS averted
Buggy 'smart meters' open door to power-grid botnet
Microsoft knew of nasty IE bug a year before attacks
BlockMaster SafeStick hardware-encrypted USB drive