CVE-2002-1358
CVSS 10.0
Published: 2002-12-23 00:00:00
Last modified: 2009-03-04 00:14:08

[Original] Multiple SSH2 servers and clients do not properly handle lists with empty elements or strings, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite.


[CNNVD] Multiple SSH2 Servers and Clients Malformed List Denial of Service Vulnerability (CNNVD-200212-047)

        
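        The SSH protocol allows encrypted communication to be established between a client and a server. Rapid7 developed the SSHredder test tool, which tests connection initialization, key exchange, and the negotiation of cipher fields in the SSH transport layer protocol in detail.
        During testing, multiple SSH2 servers and clients were found to handle lists containing empty elements or strings incorrectly. A remote attacker can exploit this vulnerability to carry out a denial of service attack or possibly execute arbitrary code with the privileges of the process.
        No further details of the vulnerability are currently available.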
        

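- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete shutdown of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker does not need internal network access or local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (Weakness Category)

CWE-20 [Improper Input Validation]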

- CPE (Affected Platforms and Products)

cpe:/a:putty:putty:0.49
cpe:/o:cisco:ios:12.2 Cisco IOS 12.2
cpe:/o:cisco:ios:12.0s Cisco IOS 12.0S
cpe:/o:cisco:ios:12.1e Cisco IOS 12.1E
cpe:/o:cisco:ios:12.1ea Cisco IOS 12.1EA
cpe:/o:cisco:ios:12.1t Cisco IOS 12.1T
cpe:/a:winscp:winscp:2.0.0
cpe:/a:putty:putty:0.48
cpe:/o:cisco:ios:12.2s Cisco IOS 12.2S
cpe:/a:fissh:ssh_client:1.0a_for_windows
cpe:/a:intersoft:securenetterm:5.4.1
cpe:/a:pragma_systems:secureshell:2.0
cpe:/a:netcomposite:shellguard_ssh:3.4.6
cpe:/o:cisco:ios:12.2t Cisco IOS 12.2T
cpe:/a:putty:putty:0.53
cpe:/o:cisco:ios:12.0st Cisco IOS 12.0ST

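- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:5721 Multiple Vendors SSH2 "lists with empty elements or multiple separators" Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.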

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1358
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1358
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-047
(Official data source) CNNVD

- Other Links and Resources

http://www.cert.org/advisories/CA-2002-36.html
(VENDOR_ADVISORY)  CERT  CA-2002-36
http://securitytracker.com/id?1005813
(UNKNOWN)  SECTRACK  1005813
http://securitytracker.com/id?1005812
(UNKNOWN)  SECTRACK  1005812
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0110.html
(UNKNOWN)  VULNWATCH  20021216 R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors

- Vulnerability Information

Multiple SSH2 Servers and Clients Malformed List Denial of Service Vulnerability
Critical  Input validation
2002-12-23 00:00:00 2009-03-04 00:00:00
Remote
        
        

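- Advisories and Patches

        Workarounds:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Use a firewall or other packet-filtering system to restrict access to the SSH server to trusted hosts and networks only.
        * SSH clients can reduce their risk by connecting to trusted servers.
        Vendor patches:
        F-Secure
        --------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.f-secure.com

        InterSoft
        ---------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.securenetterm.com/

        SSH Communications Security
        ---------------------------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.ssh.com/

        FiSSH
        -----
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://web.mit.edu/ssh/FiSSH/

        NetComposite
        ------------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://telneat.lipetsk.ru/

        Pragma Systems, Inc.
        --------------------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.pragmasys.com/

        PuTTY
        -----
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.chiark.greenend.org.uk/~sgtatham/putty/

        WinSCP
        ------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://winscp.vse.cz/eng/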

- Vulnerability Information

8043
SSH2 Server/Client Empty Element List Arbitrary Command Execution

- Vulnerability Description

- Timeline

2002-12-16 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability Information

Multiple Vendor SSH2 Implementation Empty Elements / Multiple Separator Vulnerabilities
Failure to Handle Exceptional Conditions 6408
Yes No
2002-12-16 12:00:00 2009-07-11 07:16:00
Discovery of this vulnerability is credited to Rapid 7, Inc.

- Affected Versions

WinSCP WinSCP 2.0 .0
Simon Tatham PuTTY 0.53
Simon Tatham PuTTY 0.49
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Simon Tatham PuTTY 0.48
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Pragma Systems SecureShell 2.0
NetComposite Shellguard SSH 3.4.6
InterSoft SecureNetTerm 5.4.1
FiSSH SSH Client For Windows 1.0 A
Cisco ONS 15600 1.3 (0)
Cisco ONS 15600 1.1 (1)
Cisco ONS 15600 1.1 (0)
Cisco ONS 15600 1.1
Cisco ONS 15600 1.0
Cisco ONS 15454SDH 4.6 (1)
Cisco ONS 15454SDH 4.6 (0)
Cisco ONS 15454SDH 4.5
Cisco ONS 15454SDH 4.1 (3)
Cisco ONS 15454SDH 4.1 (2)
Cisco ONS 15454SDH 4.1 (1)
Cisco ONS 15454SDH 4.1 (0)
Cisco ONS 15454SDH 4.0 (2)
Cisco ONS 15454SDH 4.0 (1)
Cisco ONS 15454SDH 4.0 (0)
Cisco ONS 15454SDH 4.0
Cisco ONS 15454SDH 3.4
Cisco ONS 15454SDH 3.3
Cisco ONS 15454SDH 3.2
Cisco ONS 15454SDH 3.1
Cisco ONS 15454SDH 2.3 (5)
Cisco ONS 15454E Optical Transport Platform 0
Cisco ONS 15454 Optical Transport Platform 4.14
Cisco ONS 15454 Optical Transport Platform 4.6 (1)
Cisco ONS 15454 Optical Transport Platform 4.6 (0)
Cisco ONS 15454 Optical Transport Platform 4.5
Cisco ONS 15454 Optical Transport Platform 4.1 (3)
Cisco ONS 15454 Optical Transport Platform 4.1 (2)
Cisco ONS 15454 Optical Transport Platform 4.1 (1)
Cisco ONS 15454 Optical Transport Platform 4.1 (0)
Cisco ONS 15454 Optical Transport Platform 4.1
Cisco ONS 15454 Optical Transport Platform 4.0 (2)
Cisco ONS 15454 Optical Transport Platform 4.0 (1)
Cisco ONS 15454 Optical Transport Platform 4.0
Cisco ONS 15454 Optical Transport Platform 3.4
Cisco ONS 15454 Optical Transport Platform 3.3
Cisco ONS 15454 Optical Transport Platform 3.2 .0
Cisco ONS 15454 Optical Transport Platform 3.1 .0
Cisco ONS 15454 Optical Transport Platform 3.0
Cisco ONS 15454 Optical Transport Platform 2.3 (5)
Cisco ONS 15454 IOS-Based Blades
Cisco ONS 15327 Metro Edge Optical Transport Platform
Cisco ONS 15327 4.14
Cisco ONS 15327 4.6 (1)
Cisco ONS 15327 4.6 (0)
Cisco ONS 15327 4.1 (3)
Cisco ONS 15327 4.1 (2)
Cisco ONS 15327 4.1 (1)
Cisco ONS 15327 4.1 (0)
Cisco ONS 15327 4.0 (2)
Cisco ONS 15327 4.0 (1)
Cisco ONS 15327 4.0
Cisco ONS 15327 3.4
Cisco ONS 15327 3.3
Cisco ONS 15327 3.2
Cisco ONS 15327 3.1
Cisco ONS 15327 3.0
Cisco IOS 12.2T
Cisco IOS 12.2S
Cisco IOS 12.2
Cisco IOS 12.1T
Cisco IOS 12.1EA
Cisco IOS 12.1E
Cisco IOS 12.0ST
Cisco IOS 12.0S
Simon Tatham PuTTY 0.53 b
Pragma Systems SecureShell 3.0
OpenSSH OpenSSH 3.5
OpenSSH OpenSSH 3.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ IBM AIX 5.1 L
+ IBM AIX 4.3.3
+ Immunix Immunix OS 7+
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ Slackware Linux 8.1
OpenSSH OpenSSH 3.4
OpenSSH OpenSSH 3.3 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
OpenSSH OpenSSH 3.3
+ Openwall Openwall GNU/*/Linux (Owl)-current
OpenSSH OpenSSH 3.2.3 p1
OpenSSH OpenSSH 3.2.2 p1
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
OpenSSH OpenSSH 3.2
+ OpenBSD OpenBSD 3.1
OpenSSH OpenSSH 3.1 p1
+ Juniper Networks NetScreen-IDP 10 3.0 r2
+ Juniper Networks NetScreen-IDP 10 3.0 r1
+ Juniper Networks NetScreen-IDP 10 3.0
+ Juniper Networks NetScreen-IDP 100 3.0 r2
+ Juniper Networks NetScreen-IDP 100 3.0 r1
+ Juniper Networks NetScreen-IDP 100 3.0
+ Juniper Networks NetScreen-IDP 1000 3.0 r2
+ Juniper Networks NetScreen-IDP 1000 3.0 r1
+ Juniper Networks NetScreen-IDP 1000 3.0
+ Juniper Networks NetScreen-IDP 500 3.0 r2
+ Juniper Networks NetScreen-IDP 500 3.0 r1
+ Juniper Networks NetScreen-IDP 500 3.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.3
+ RedHat Linux 7.2
+ RedHat Linux 7.1
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Slackware Linux 8.1
+ Sun Linux 5.0.7
+ Sun Solaris 9
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
OpenSSH OpenSSH 3.1
OpenSSH OpenSSH 3.0.2 p1
+ Guardian Digital Engarde Secure Linux 1.0.1
+ HP VirtualVault 4.6
OpenSSH OpenSSH 3.0.2
- Debian Linux 3.0
+ FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
+ FreeBSD FreeBSD 4.5 -RELEASE
+ OpenPKG OpenPKG 1.0
+ Openwall Openwall GNU/*/Linux 0.1 -stable
+ S.u.S.E. Linux 8.0
OpenSSH OpenSSH 3.0.1 p1
OpenSSH OpenSSH 3.0.1
OpenSSH OpenSSH 3.0 p1
OpenSSH OpenSSH 3.0
LSH LSH 1.5
InterSoft SecureNetTerm 5.4.2
BitVise WinSSHD 3.5

- Unaffected Versions

Simon Tatham PuTTY 0.53 b
Pragma Systems SecureShell 3.0
OpenSSH OpenSSH 3.5
OpenSSH OpenSSH 3.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ IBM AIX 5.1 L
+ IBM AIX 4.3.3
+ Immunix Immunix OS 7+
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ Slackware Linux 8.1
OpenSSH OpenSSH 3.4
OpenSSH OpenSSH 3.3 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
OpenSSH OpenSSH 3.3
+ Openwall Openwall GNU/*/Linux (Owl)-current
OpenSSH OpenSSH 3.2.3 p1
OpenSSH OpenSSH 3.2.2 p1
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
OpenSSH OpenSSH 3.2
+ OpenBSD OpenBSD 3.1
OpenSSH OpenSSH 3.1 p1
+ Juniper Networks NetScreen-IDP 10 3.0 r2
+ Juniper Networks NetScreen-IDP 10 3.0 r1
+ Juniper Networks NetScreen-IDP 10 3.0
+ Juniper Networks NetScreen-IDP 100 3.0 r2
+ Juniper Networks NetScreen-IDP 100 3.0 r1
+ Juniper Networks NetScreen-IDP 100 3.0
+ Juniper Networks NetScreen-IDP 1000 3.0 r2
+ Juniper Networks NetScreen-IDP 1000 3.0 r1
+ Juniper Networks NetScreen-IDP 1000 3.0
+ Juniper Networks NetScreen-IDP 500 3.0 r2
+ Juniper Networks NetScreen-IDP 500 3.0 r1
+ Juniper Networks NetScreen-IDP 500 3.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.3
+ RedHat Linux 7.2
+ RedHat Linux 7.1
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Slackware Linux 8.1
+ Sun Linux 5.0.7
+ Sun Solaris 9
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
OpenSSH OpenSSH 3.1
OpenSSH OpenSSH 3.0.2 p1
+ Guardian Digital Engarde Secure Linux 1.0.1
+ HP VirtualVault 4.6
OpenSSH OpenSSH 3.0.2
- Debian Linux 3.0
+ FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
+ FreeBSD FreeBSD 4.5 -RELEASE
+ OpenPKG OpenPKG 1.0
+ Openwall Openwall GNU/*/Linux 0.1 -stable
+ S.u.S.E. Linux 8.0
OpenSSH OpenSSH 3.0.1 p1
OpenSSH OpenSSH 3.0.1
OpenSSH OpenSSH 3.0 p1
OpenSSH OpenSSH 3.0
LSH LSH 1.5
InterSoft SecureNetTerm 5.4.2
BitVise WinSSHD 3.5

- Discussion

A vulnerability has been reported for multiple SSH2 vendors. The vulnerability is a result of SSH2 packets containing empty elements/multiple separators.

The vulnerability has been reported to affect initialization, key exchange, and negotiation phases of SSH communications. An attacker may exploit this vulnerability to perform denial of service attacks against vulnerable systems and possibly to execute malicious, attacker-supplied code.

Further details about this vulnerability are currently unknown. This BID will be updated as more information becomes available. This vulnerability was originally described in BugTraq ID 6397.

- Exploit

The SSHredder test suite, provided by Rapid 7, is available from the following location:

http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Cray Inc. supports an OpenSSH implementation via the Cray Open Software (COS) package. COS 3.3 will reportedly address these issues and is expected to be released at the end of December 2002. Those affected by the issues may also contact Cray Inc. to obtain a fixed version of the OpenSSH implementation that will be made available in COS 3.3.

SSH Secure Shell products do not appear to be prone to any of the vulnerabilities that have been reported.

F-Secure SSH products are not vulnerable to arbitrary code execution or denial of service attacks via exploitation of these issues.

Some versions of Cisco IOS support SSH, though it is not enabled by default. Fixed versions have been made available. See the referenced advisory for more information.

Cisco has released an updated advisory. Cisco Aironet software rebuild version 12.01T1 is not vulnerable to this issue. This software will be available in the near future and will be available for download from the Software Center.

http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml

Cisco has released an updated advisory to outline vulnerable Cisco ONS products and fixes. Please see the referenced advisory for more information.

The following vendors have provided fixes:


Cisco IOS 12.2T

Cisco IOS 12.0ST

Cisco IOS 12.2

Cisco IOS 12.1E

Cisco IOS 12.0S

Simon Tatham PuTTY 0.48

Simon Tatham PuTTY 0.49

Simon Tatham PuTTY 0.53

Pragma Systems SecureShell 2.0

InterSoft SecureNetTerm 5.4.1

- References

 

 
