Bugtraq mailing list archives
RE: Netscreen SSH1 CRC32 Compensation Denial of service
From: "John" <audit01 () ameritech net>
Date: Fri, 1 Nov 2002 13:48:05 -0500
I was able to duplicate this on 4 different Netscreen-100's with Software Version 3.0.1r2.0 John -----Original Message----- From: Erik Parker [mailto:erik.parker () digitaldefense net] Sent: Friday, November 01, 2002 1:31 PM To: bugtraq () securityfocus com; vulnwatch () vulnwatch org Subject: Netscreen SSH1 CRC32 Compensation Denial of service Discovered by: HD Moore Products Tested: Netscreen-25 (All models expected to be vulnerable) Vendor contacted: October 23rd Vendor confirmed: October 23rd CVE: CVE-2001-0144 covered this bug. Original Bug discovered by: Michal Zalewski of the BindView RAZOR Team. In February of 2001, BindView's RAZOR Team announced the SSH1 CRC32 compensation attack detector bug. After all was said and done, several vendors found their SSH implementations were vulnerable. Netscreen seems to have overlooked this for a year and 8 months. By default the Netscreen does not ship with SSH enabled, and Netscreen usually doesn't encourage their customers to even access the CLI on their devices. However, in the GUI you can enabled SSH, and disable telnet. This only opens SSH on the trusted interfaces, unless you specifically add rules to forward to this interface/port. On a normal system with SSH enabled, the unit will only be vulnerable to attackers on the trusted side. If you use any of the CRC32 exploits out there, the unit will crash immediately, and require a hard reboot. It does not appear from our analysis that anything more than a crash can occur from this. The vendor assured a response with an ETA to a fix by October 25th. After trying to get more information from them a few times after October 25th passed, it has fallen on deaf ears. -- Erik Parker Digital Defense, Inc.
Current thread:
- Netscreen SSH1 CRC32 Compensation Denial of service Erik Parker (Nov 01)
- RE: Netscreen SSH1 CRC32 Compensation Denial of service John (Nov 01)
- Re: [VulnWatch] Netscreen SSH1 CRC32 Compensation Denial of service quentyn (Nov 08)