The Register®

Original URL: http://www.theregister.co.uk/2002/12/19/ssh_flaws_sighted/

SSH flaws sighted

DON'T PANIC

By John Leyden

Posted in Security, 19th December 2002 10:12 GMT

Secure shell (SSH) protocol implementations from several vendors are subject to a number of potentially serious security flaws, security clearing house CERT warned [1] earlier this week.

Read further down the notice [2] and you'll see that most major system vendors - and OpenSSH - are immune, but there's some work ahead for users of SSH implementations from Pragma Systems, F-Secure and others.

The flaws (such as they are) could allow a remote attacker to execute arbitrary code with the privileges of a particular SSH process or cause systems to crash. The vulnerabilities affect SSH clients and servers, and they occur before user authentication takes place.

The vulnerabilities, including ever-popular buffer overflow bugs, in several SSH implementations came to light after tests using a suite called SSHredder, from a firm called Rapid 7 [3].

CERT advises affected users to apply appropriate patches or upgrade, as fixes become available. More generally, it advises that access to SSH servers be limited by firewalls and packet-filtering systems. ®
