Source: SANS Newsletter
(1) HIGH: Multi-Vendor SSH Multiple Vulnerabilities (SSHredder)
Affected Products (from the Rapid7 Advisory):
o F-Secure Corp. SSH servers and clients for UNIX
v3.1.0 (build 11) and earlier
o F-Secure Corp. SSH for Windows
v5.2 and earlier
o SSH Communications Security, Inc. SSH for Windows
v3.2.2 and earlier
o SSH Communications Security, Inc. SSH for UNIX
v3.2.2 and earlier
o FiSSH SSH client for Windows
v1.0A and earlier
o InterSoft Int'l, Inc. SecureNetTerm client for Windows
v5.4.1 and earlier
o NetComposite ShellGuard SSH client for Windows
v3.4.6 and earlier
o Pragma Systems, Inc. SecureShell SSH server for Windows
v2 and earlier
o PuTTY SSH client for Windows
v0.53 and earlier (v0.53b not affected)
o WinSCP SCP client for Windows
v2.0.0 and earlier
Note: OpenSSH is not affected.
SSHv2 client/server implementations from multiple vendors contain
various vulnerabilities that could allow remote, unauthenticated
attackers to execute arbitrary code with the privileges of the SSH
process or cause a denial of service. Successful exploitation of
code-execution vulnerabilities against SSH servers would typically
provide attackers with SYSTEM privileges under Windows and root
privileges under Unix. Exploitation of clients would provide the
privileges of the user running the client.
All vulnerabilities were discovered using the automated SSHredder
test suite, which has been made publicly available by Rapid7.
SSHredder contains over 600 distinct test cases that stress an SSH
implementation by sending invalid or atypical packets during the
connection initialization, key exchange, and negotiation phases of
the protocol. These phases occur prior to user authentication.
Risk: Remote root/SYSTEM-level compromise of SSH servers, SSH client
compromise, and denial of service.
The vulnerabilities affect many popular products in use today, however
some products are affected more severely than others. The advisories do
not discuss the problems with particular implementations individually.
Ease of Exploitation: Straightforward.
No code execution exploits are known to exist, but an attacker can use
the SSHredder test suite to determine how a particular implementation
is vulnerable, and go from there to craft an exploit. Attackers can
also use the existing test suite to wage denial of service attacks.
Status: Vendor confirmed, patches available in some cases.
See the following link for vendor specific information:
Rapid7 SSHredder Test Suite:
Council Site Actions:
All Council sites are using one or more of the SSH vendor products,
but not all sites were running affected versions. All sites reported
that inbound SSH connections were blocked at the perimeters;
therefore it was not necessary to treat this as an urgent problem.
Several of the Council sites are using the PuTTY client on their
desktop systems. These sites already have plans in place to upgrade
to the newest version. Other council sites plan to upgrade to the
latest vendor versions or apply patches when they become available.
One site plans to obtain the SSHredder tool and do some testing
internally to better understand their level of vulnerability.