Full Disclosure mailing list archives
Re: R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors
From: Chad Loder <cloder () loder us>
Date: Mon, 16 Dec 2002 09:18:27 -0800
So, it seems to me that you found one less popular implementation that may be vulnerable to a remote code execution; another that is susceptible to DoS; and then you decided to throw SSH.com in just because you found a programming glitch (but not a security problem) in it, hoping that some people would read it as "there's a remote code execution problem in SSH.com" when the advisory is vague enough. Don't get me wrong - I'm not saying you did that, and you did that on purpose.
It's really nothing so insidious as that. :) F-Secure and SSH.com have
released detailed statements about the issue to CERT, which will show
up in CERT's advisory (not sure why it hasn't been released yet). We
didn't want to duplicate all of the detailed vendor responses that
CERT is going to include in their vulnerability note.
The SSH.com and F-Secure issues are NULL pointer dereferences. The
vendors have classified this as non exploitable, which we pointed
out clearly in the advisory. A more detailed statement will be
released with the CERT vuln note. In this case, we have not said
"This issue is definitely not exploitable." Why? Because we haven't
had time to run the test suite against earlier versions of these
products. Because we have not adapted SSHredder to SSHv1 yet (which
we pointed out in the advisory). Because we have not witnessed
the effects of the test suite on architectures without memory
protection (most router operating systems). All this is caused
by limited access to a wide range of implementations, a limited time
to spend testing them, and limited answers to our questions from
many of the vendors.
To sum up, sorry if the advisory came off as too vague. It was not
our intent to confuse anyone -- we are trying to strike a balance with
the length of our advisories, the amount of duplication between our
advisory and the CERT advisory/vuln note, etc. Here's the key to
reading the advisory: anything without a note saying "Non
exploitable" is probably exploitable. :)
Yours,
Chad Loder
Rapid 7, Inc.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors Rapid 7 Security Advisories (Dec 16)
- Re: R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors Michal Zalewski (Dec 16)
- <Possible follow-ups>
- Re: R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors Chad Loder (Dec 16)
- Re: R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors Michal Zalewski (Dec 16)
- Re: R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors matt merhar (Dec 16)
- Re: R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors Knud Erik Højgaard (Dec 16)
- Re: R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors Michal Zalewski (Dec 16)