CVE-2002-1357
CVSS 10.0
Published: 2002-12-23 00:00:00
Revised: 2009-03-04 00:14:08

[Original] Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite.


[CNNVD] Multiple SSH2 servers and clients: illegal packet length buffer overflow vulnerability (CNNVD-200212-040)

        
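        The SSH protocol lets a client and a server establish encrypted communication. Rapid7 developed the SSHredder test tool, which tests in detail the connection initialization, key exchange, and SSH transport layer protocol cipher field negotiation phases.
        During testing, multiple SSH2 servers and clients were found to handle packets and data elements with illegal lengths (such as zero or negative integer lengths) incorrectly. A remote attacker can exploit this vulnerability to cause a denial of service or possibly execute arbitrary code with the privileges of the process.
        No further details of the vulnerability are currently available.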
        

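- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [Complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [System integrity can be completely compromised]
Availability impact: COMPLETE [May cause a complete system outage]
Attack complexity: LOW [Exploitation is subject to no access restrictions]
Attack vector: NETWORK [The attacker does not need internal network access or local access]
Authentication: NONE [Exploitation requires no authentication]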

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:putty:putty:0.49
cpe:/o:cisco:ios:12.2 Cisco IOS 12.2
cpe:/o:cisco:ios:12.0s Cisco IOS 12.0S
cpe:/o:cisco:ios:12.1e Cisco IOS 12.1E
cpe:/o:cisco:ios:12.1ea Cisco IOS 12.1EA
cpe:/o:cisco:ios:12.1t Cisco IOS 12.1T
cpe:/a:winscp:winscp:2.0.0
cpe:/a:putty:putty:0.48
cpe:/o:cisco:ios:12.2s Cisco IOS 12.2S
cpe:/a:fissh:ssh_client:1.0a_for_windows
cpe:/a:intersoft:securenetterm:5.4.1
cpe:/a:pragma_systems:secureshell:2.0
cpe:/a:netcomposite:shellguard_ssh:3.4.6
cpe:/o:cisco:ios:12.2t Cisco IOS 12.2T
cpe:/a:putty:putty:0.53
cpe:/o:cisco:ios:12.0st Cisco IOS 12.0ST

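- OVAL (technical details for detection)

oval:org.mitre.oval:def:5849 Multiple Vendors SSH2 "Incorrect length fields" Vulnerability
*OVAL describes in detail how to detect this vulnerability; further technical details on detecting it can be found in the relevant OVAL definition.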

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1357
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1357
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-040
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/389665
(UNKNOWN)  CERT-VN  VU#389665
http://www.cert.org/advisories/CA-2002-36.html
(VENDOR_ADVISORY)  CERT  CA-2002-36
http://xforce.iss.net/xforce/xfdb/10868
(UNKNOWN)  XF  ssh-transport-length-bo(10868)
http://www.securityfocus.com/bid/6405
(UNKNOWN)  BID  6405
http://securitytracker.com/id?1005813
(UNKNOWN)  SECTRACK  1005813
http://securitytracker.com/id?1005812
(UNKNOWN)  SECTRACK  1005812
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0110.html
(UNKNOWN)  VULNWATCH  20021216 R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors

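- Vulnerability information

Multiple SSH2 servers and clients: illegal packet length buffer overflow vulnerability
Critical  Buffer overflow
2002-12-23 00:00:00 2009-03-04 00:00:00
Remote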
        
        

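- Advisories and patches

        Workarounds:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Use a firewall or other packet-filtering system to restrict access to the SSH server to trusted hosts and networks.
        * SSH clients can reduce the risk by connecting to trusted servers.
        Vendor patches:
        F-Secure
        --------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.f-secure.com

        InterSoft
        ---------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.securenetterm.com/

        SSH Communications Security
        ---------------------------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.ssh.com/

        FiSSH
        -----
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://web.mit.edu/ssh/FiSSH/

        NetComposite
        ------------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://telneat.lipetsk.ru/

        Pragma Systems, Inc.
        --------------------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.pragmasys.com/

        PuTTY
        -----
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.chiark.greenend.org.uk/~sgtatham/putty/

        WinSCP
        ------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://winscp.vse.cz/eng/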

- Vulnerability information

8042
SSH2 Server/Client Incorrect Length Specifiers Arbitrary Code Execution
Loss of Integrity

- Vulnerability description

- Timeline

2002-12-16 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor SSH2 Implementation Incorrect Field Length Vulnerabilities
Unknown 6405
Yes No
2002-12-16 12:00:00 2006-05-16 10:04:00
Discovery of this vulnerability is credited to Rapid 7, Inc.

- Affected program versions

WinSCP WinSCP 2.0 .0
Simon Tatham PuTTY 0.53
Simon Tatham PuTTY 0.49
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Simon Tatham PuTTY 0.48
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Pragma Systems SecureShell 2.0
NetComposite Shellguard SSH 3.4.6
InterSoft SecureNetTerm 5.4.1
FiSSH SSH Client For Windows 1.0 A
Cisco ONS 15600 1.3 (0)
Cisco ONS 15600 1.1 (1)
Cisco ONS 15600 1.1 (0)
Cisco ONS 15600 1.1
Cisco ONS 15600 1.0
Cisco ONS 15454SDH 4.6 (1)
Cisco ONS 15454SDH 4.6 (0)
Cisco ONS 15454SDH 4.5
Cisco ONS 15454SDH 4.1 (3)
Cisco ONS 15454SDH 4.1 (2)
Cisco ONS 15454SDH 4.1 (1)
Cisco ONS 15454SDH 4.1 (0)
Cisco ONS 15454SDH 4.0 (2)
Cisco ONS 15454SDH 4.0 (1)
Cisco ONS 15454SDH 4.0 (0)
Cisco ONS 15454SDH 4.0
Cisco ONS 15454SDH 3.4
Cisco ONS 15454SDH 3.3
Cisco ONS 15454SDH 3.2
Cisco ONS 15454SDH 3.1
Cisco ONS 15454SDH 2.3 (5)
Cisco ONS 15454E Optical Transport Platform 0
Cisco ONS 15454 Optical Transport Platform 4.14
Cisco ONS 15454 Optical Transport Platform 4.6 (1)
Cisco ONS 15454 Optical Transport Platform 4.6 (0)
Cisco ONS 15454 Optical Transport Platform 4.5
Cisco ONS 15454 Optical Transport Platform 4.1 (3)
Cisco ONS 15454 Optical Transport Platform 4.1 (2)
Cisco ONS 15454 Optical Transport Platform 4.1 (1)
Cisco ONS 15454 Optical Transport Platform 4.1 (0)
Cisco ONS 15454 Optical Transport Platform 4.1
Cisco ONS 15454 Optical Transport Platform 4.0 (2)
Cisco ONS 15454 Optical Transport Platform 4.0 (1)
Cisco ONS 15454 Optical Transport Platform 4.0
Cisco ONS 15454 Optical Transport Platform 3.4
Cisco ONS 15454 Optical Transport Platform 3.3
Cisco ONS 15454 Optical Transport Platform 3.2 .0
Cisco ONS 15454 Optical Transport Platform 3.1 .0
Cisco ONS 15454 Optical Transport Platform 3.0
Cisco ONS 15454 Optical Transport Platform 2.3 (5)
Cisco ONS 15454 IOS-Based Blades
Cisco ONS 15327 Metro Edge Optical Transport Platform
Cisco ONS 15327 4.14
Cisco ONS 15327 4.6 (1)
Cisco ONS 15327 4.6 (0)
Cisco ONS 15327 4.1 (3)
Cisco ONS 15327 4.1 (2)
Cisco ONS 15327 4.1 (1)
Cisco ONS 15327 4.1 (0)
Cisco ONS 15327 4.0 (2)
Cisco ONS 15327 4.0 (1)
Cisco ONS 15327 4.0
Cisco ONS 15327 3.4
Cisco ONS 15327 3.3
Cisco ONS 15327 3.2
Cisco ONS 15327 3.1
Cisco ONS 15327 3.0
Cisco IOS 12.2T
Cisco IOS 12.2S
Cisco IOS 12.2
Cisco IOS 12.1T
Cisco IOS 12.1EA
Cisco IOS 12.1E
Cisco IOS 12.0ST
Cisco IOS 12.0S
Simon Tatham PuTTY 0.53 b
Pragma Systems SecureShell 3.0
OpenSSH OpenSSH 3.5
OpenSSH OpenSSH 3.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ IBM AIX 5.1 L
+ IBM AIX 4.3.3
+ Immunix Immunix OS 7+
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ Slackware Linux 8.1
OpenSSH OpenSSH 3.4
OpenSSH OpenSSH 3.3 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
OpenSSH OpenSSH 3.3
+ Openwall Openwall GNU/*/Linux (Owl)-current
OpenSSH OpenSSH 3.2.3 p1
OpenSSH OpenSSH 3.2.2 p1
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
OpenSSH OpenSSH 3.2
+ OpenBSD OpenBSD 3.1
OpenSSH OpenSSH 3.1 p1
+ Juniper Networks NetScreen-IDP 10 3.0 r2
+ Juniper Networks NetScreen-IDP 10 3.0 r1
+ Juniper Networks NetScreen-IDP 10 3.0
+ Juniper Networks NetScreen-IDP 100 3.0 r2
+ Juniper Networks NetScreen-IDP 100 3.0 r1
+ Juniper Networks NetScreen-IDP 100 3.0
+ Juniper Networks NetScreen-IDP 1000 3.0 r2
+ Juniper Networks NetScreen-IDP 1000 3.0 r1
+ Juniper Networks NetScreen-IDP 1000 3.0
+ Juniper Networks NetScreen-IDP 500 3.0 r2
+ Juniper Networks NetScreen-IDP 500 3.0 r1
+ Juniper Networks NetScreen-IDP 500 3.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.3
+ RedHat Linux 7.2
+ RedHat Linux 7.1
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Slackware Linux 8.1
+ Sun Linux 5.0.7
+ Sun Solaris 9
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
OpenSSH OpenSSH 3.1
OpenSSH OpenSSH 3.0.2 p1
+ Guardian Digital Engarde Secure Linux 1.0.1
+ HP VirtualVault 4.6
OpenSSH OpenSSH 3.0.2
- Debian Linux 3.0
+ FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
+ FreeBSD FreeBSD 4.5 -RELEASE
+ OpenPKG OpenPKG 1.0
+ Openwall Openwall GNU/*/Linux 0.1 -stable
+ S.u.S.E. Linux 8.0
OpenSSH OpenSSH 3.0.1 p1
OpenSSH OpenSSH 3.0.1
OpenSSH OpenSSH 3.0 p1
OpenSSH OpenSSH 3.0
LSH LSH 1.5
InterSoft SecureNetTerm 5.4.2
BitVise WinSSHD 3.5

- Unaffected program versions

Simon Tatham PuTTY 0.53 b
Pragma Systems SecureShell 3.0
OpenSSH OpenSSH 3.5
OpenSSH OpenSSH 3.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ IBM AIX 5.1 L
+ IBM AIX 4.3.3
+ Immunix Immunix OS 7+
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ Slackware Linux 8.1
OpenSSH OpenSSH 3.4
OpenSSH OpenSSH 3.3 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
OpenSSH OpenSSH 3.3
+ Openwall Openwall GNU/*/Linux (Owl)-current
OpenSSH OpenSSH 3.2.3 p1
OpenSSH OpenSSH 3.2.2 p1
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
OpenSSH OpenSSH 3.2
+ OpenBSD OpenBSD 3.1
OpenSSH OpenSSH 3.1 p1
+ Juniper Networks NetScreen-IDP 10 3.0 r2
+ Juniper Networks NetScreen-IDP 10 3.0 r1
+ Juniper Networks NetScreen-IDP 10 3.0
+ Juniper Networks NetScreen-IDP 100 3.0 r2
+ Juniper Networks NetScreen-IDP 100 3.0 r1
+ Juniper Networks NetScreen-IDP 100 3.0
+ Juniper Networks NetScreen-IDP 1000 3.0 r2
+ Juniper Networks NetScreen-IDP 1000 3.0 r1
+ Juniper Networks NetScreen-IDP 1000 3.0
+ Juniper Networks NetScreen-IDP 500 3.0 r2
+ Juniper Networks NetScreen-IDP 500 3.0 r1
+ Juniper Networks NetScreen-IDP 500 3.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.3
+ RedHat Linux 7.2
+ RedHat Linux 7.1
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Slackware Linux 8.1
+ Sun Linux 5.0.7
+ Sun Solaris 9
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
OpenSSH OpenSSH 3.1
OpenSSH OpenSSH 3.0.2 p1
+ Guardian Digital Engarde Secure Linux 1.0.1
+ HP VirtualVault 4.6
OpenSSH OpenSSH 3.0.2
- Debian Linux 3.0
+ FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
+ FreeBSD FreeBSD 4.5 -RELEASE
+ OpenPKG OpenPKG 1.0
+ Openwall Openwall GNU/*/Linux 0.1 -stable
+ S.u.S.E. Linux 8.0
OpenSSH OpenSSH 3.0.1 p1
OpenSSH OpenSSH 3.0.1
OpenSSH OpenSSH 3.0 p1
OpenSSH OpenSSH 3.0
LSH LSH 1.5
InterSoft SecureNetTerm 5.4.2
BitVise WinSSHD 3.5

- Vulnerability discussion

A vulnerability with incorrect lengths of fields in SSH packets has been reported for multiple products that use SSH2 for secure communications.

The vulnerability has been reported to affect initialization, key exchange, and negotiation phases of SSH communications. An attacker may exploit the vulnerability to perform denial-of-service attacks against vulnerable systems and possibly to execute malicious, attacker-supplied code.

Further details about the vulnerability are currently unknown. This BID will be updated as more information becomes available. This vulnerability was originally described in Bugtraq ID 6397.

- Exploit


The SSHredder test suite, provided by Rapid 7, is available from the following location:

http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666

Exploit code (putty_ssh.pm) has been provided as part of the Metasploit Framework project.

- Solution


SSH Secure Shell products do not appear to be prone to any of the reported vulnerabilities.

F-Secure SSH products are not vulnerable to arbitrary code execution or denial-of-service attacks via exploitation of these issues.

Please see the referenced advisories for more information.

The following vendors have provided fixes:


Cisco IOS 12.2T

Cisco IOS 12.2S

Cisco IOS 12.0ST

Cisco IOS 12.2

Cisco IOS 12.1E

Cisco IOS 12.0S

Simon Tatham PuTTY 0.48

Simon Tatham PuTTY 0.49

Simon Tatham PuTTY 0.53

Pragma Systems SecureShell 2.0

InterSoft SecureNetTerm 5.4.1

- References

 

 
