SSH Vulnerability Scan

[Niels Provos <provos () citi umich edu>]

SSH Vulnerability Scan
Vulnerability to CRC32 compensation attack detector exploit
-----------------------------------------------------------

In February 2001, Razor Bindview released their "Remote vulnerability
in SSH daemon crc32 compensation attack detector" advisory, which
outlined a gaping hole in deployed SSH servers that can lead to a
remote attacker gaining privileged access:

        http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

In November 2001, Dave Dittrich published a detailed analysis of the
"CRC32 compensation attack detector exploit."  This exploit is
currently widely in use.  CERT released Incident Note IN-2001-12:

        http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
        http://www.cert.org/incident_notes/IN-2001-12.html

At the Center for Information Technology Integration, Niels Provos and
Peter Honeyman have been scanning the University of Michigan for
vulnerable SSH server software to identify and update vulnerable SSH
servers:

        http://www.citi.umich.edu/ssh/

However, scans of the Internet show that system and security
administrators must react and update their SSH servers:

        http://www.citi.umich.edu/u/provos/ssh/crc32s.png

At this writing, over 30% of all SSH servers appear to have the
CRC32 bug.
                        
A simple solution is to remove support for Version One of the SSH
protocol.  The majority of servers on the Internet support the SSH v2
protocol.

To test whether your network has vulnerable SSH servers, you might
use the ScanSSH tool:

        http://www.monkey.org/~provos/scanssh/

References:
                 
"ScanSSH - Scanning the Internet for SSH Servers",
  Niels Provos and Peter Honeyman, 16th USENIX Systems Administration
  Conference (LISA). San Diego, CA, December 2001.
  http://www.citi.umich.edu/techreports/reports/citi-tr-01-13.pdf
        
This information is also available at

  http://www.citi.umich.edu/u/provos/ssh/