Bugtraq mailing list archives
Re: Dropbear SSH server Denial of Service
From: Matt Johnston <matt () ucc asn au>
Date: Fri, 10 Mar 2006 15:20:31 +0800
On Tue, Mar 07, 2006 at 07:47:57PM +0000, Pablo Fernandez wrote:
Dropbear SSH server Denial of Service
The vulnerability specifically exists due to a design error in the authorization-pending connections code. By default and as a #define of the MAX_UNAUTH_CLIENTS constant, the SSH server allows 30 authorization-pending connections, after connection 31, incoming sockets are close()d immediatly.
Remote attack of this vulnerability is trivial. This is specially problematic if the administrator can't login due to the attack and can't at least blacklist the attacker, restart the service or undertake other actions. All versions (up to and including current 0.47 version) are vulnerable.
Dropbear 0.48 mitigates this issue by having a per-IP limit as well as a global limit - this will at least prevent an IP-deprived attacker from denying service. It's worth noting that various other network services (such as netkit-inetd and OpenSSH) have the same design issues, at least in default configurations. Matt Johnston Dropbear developer http://matt.ucc.asn.au/dropbear/dropbear.html
Current thread:
- Dropbear SSH server Denial of Service Pablo Fernandez (Mar 07)
- Re: Dropbear SSH server Denial of Service Matt Johnston (Mar 10)
- Re: Dropbear SSH server Denial of Service Damien Miller (Mar 11)
- <Possible follow-ups>
- Re: Dropbear SSH server Denial of Service il80r (Mar 10)
- Re: Dropbear SSH server Denial of Service Matt Johnston (Mar 10)