On Wed, 21 Nov 2001, Lewis E. Wolfgang wrote:

hi,

Hi Folks,
Washington University has a nice analysis of the ssh "crc32" vulnerability at staff.washington.edu/dittrich/misc/ssh-analysis.txt.
I've included a list of the various ssh versions and their vulnerability status. Note: Not all ssh v1 servers are affected. For example, the ssh v1 fallback for OpenSSH_2.3.0 and newer is okay.
You can determine what version you are using by telnetting to the computer in question on port number 22. For example:
telnet somehost.somedomain.com 22

This is not correct. Some fixed sshd's still welcome the client with the old banner. There's no way to see whether or not the remote sshd is vulnerable to crc32 overflow by just looking at the banner.

will give you a welcome banner identifying the version of the server. I'm not sure if telnetting like this works on Windoze boxes, you might have to RTFM.
Also, there are good reasons to support ssh v1 as a fallback. Many Windoze ssh clients (TTssh, etc) don't support ssh v2 yet.
This is a serious problem folks, if you have a vulnerable version and you are connected to the Internet, the chances are you will get rOOteD.
Regards, Lew Wolfgang
Version Table from Washington University
'SSH-1.4-1.2.13', 'not affected',
'SSH-1.4-1.2.14', 'not affected',
'SSH-1.4-1.2.15', 'not affected',
'SSH-1.4-1.2.16', 'not affected',
'SSH-1.5-1.2.17', 'not affected',
'SSH-1.5-1.2.18', 'not affected',
'SSH-1.5-1.2.19', 'not affected',
'SSH-1.5-1.2.20', 'not affected',
'SSH-1.5-1.2.21', 'not affected',
'SSH-1.5-1.2.22', 'not affected',
'SSH-1.5-1.2.23', 'not affected',
'SSH-1.5-1.2.24', 'affected',
'SSH-1.5-1.2.25', 'affected',
'SSH-1.5-1.2.26', 'affected',
'SSH-1.5-1.2.27', 'affected',

This for example. The fixed version still says it's SSH-1.5-1.2.27.

Sebastian

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
~
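
Added example, not part of the original thread: a banner triage over an inventory that uses the version table and the OpenSSH_2.3.0 remark above, and treats a banner in the "affected" range as something to verify on the host rather than as proof, since a fixed build may keep the old banner. The label names, host names and sample banners are assumptions made up for the example.

```python
import re

# Patch levels of ssh 1.2.x as listed in the thread's table (which is cut off after 1.2.27).
NOT_AFFECTED = range(13, 24)   # 1.2.13 .. 1.2.23
AFFECTED = range(24, 28)       # 1.2.24 .. 1.2.27

BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")

def triage(banner):
    """Map an SSH identification string to a triage label (labels are hypothetical)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unparsed"
    proto, software = m.groups()
    if proto == "2.0":
        # Protocol version 2.0 means the server does not offer ssh v1 at all.
        return "no-ssh1-offered"
    ssh1 = re.fullmatch(r"1\.2\.(\d+)", software)
    if ssh1:
        patch = int(ssh1.group(1))
        if patch in NOT_AFFECTED:
            return "listed-not-affected"
        if patch in AFFECTED:
            # Fixed builds can keep this banner, so the banner alone decides nothing.
            return "verify-on-host"
        return "not-listed"
    openssh = re.match(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?", software)
    if openssh and tuple(int(x or 0) for x in openssh.groups()) >= (2, 3, 0):
        return "listed-not-affected"   # "OpenSSH_2.3.0 and newer" per the thread
    return "not-listed"

def triage_inventory(rows):
    """rows: iterable of (host, banner); returns {label: [hosts]}."""
    out = {}
    for host, banner in rows:
        out.setdefault(triage(banner), []).append(host)
    return out

# Constructed sample inventory (host names and banners made up for the example).
SAMPLE = [
    ("host-a", "SSH-1.5-1.2.27"),
    ("host-b", "SSH-1.5-1.2.22"),
    ("host-c", "SSH-1.99-OpenSSH_2.9p2"),
    ("host-d", "SSH-1.99-OpenSSH_2.2.0p1"),
    ("host-e", "SSH-2.0-OpenSSH_3.0.1p1"),
]

if __name__ == "__main__":
    for label, hosts in sorted(triage_inventory(SAMPLE).items()):
        print(f"{label}: {', '.join(hosts)}")
```

Hosts that land in "verify-on-host" or "not-listed" need their installed package and patch level checked locally.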