SSH CRC-32 Compensation Attack Detector Vulnerability

BID: 2347

Info

Bugtraq ID: 2347
Class: Boundary Condition Error
CVE:
Remote: Yes
Local: No
Published: Feb 08 2001 12:00AM
Updated: Feb 08 2001 12:00AM
Credit: Discovered by Michal Zalewski <[email protected]> on Feb 8, 2001.
Vulnerable: SSH Communications Security SSH 1.2.31
SSH Communications Security SSH 1.2.30
- BSDI BSD/OS 4.0.1
- BSDI BSD/OS 4.0
- BSDI BSD/OS 3.1
- Caldera OpenLinux 2.4
- Debian Linux 2.2
- Digital (Compaq) TRU64/DIGITAL UNIX 5.0
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 3.5.1
- HP HP-UX 11.11
- HP HP-UX 11.0
- HP HP-UX 10.20
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- OpenBSD OpenBSD 2.8
- Red Hat Linux 6.2
- RedHat Linux 7.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- SCO eDesktop 2.4
- SCO eServer 2.3.1
- Sun Solaris 2.5.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
SSH Communications Security SSH 1.2.29
SSH Communications Security SSH 1.2.28
SSH Communications Security SSH 1.2.27
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- Debian Linux 2.2
SSH Communications Security SSH 1.2.26
SSH Communications Security SSH 1.2.25
SSH Communications Security SSH 1.2.24
Secure Computing SafeWord Agent For SSH 1.0
OpenSSH OpenSSH 2.2
+ Conectiva Linux 6.0
+ NetBSD NetBSD 1.5
OpenSSH OpenSSH 2.1.1
+ Conectiva Linux 5.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
OpenSSH OpenSSH 2.1
OpenSSH OpenSSH 1.2.3
+ Blue Coat Systems Security Gateway OS 2.1.5001 SP1
OpenSSH OpenSSH 1.2.2
NetScreen ScreenOS 3.1.1 r2
NetScreen ScreenOS 3.1 r9
NetScreen ScreenOS 3.1 r2
NetScreen ScreenOS 3.1 r1
NetScreen ScreenOS 3.0.3 r1.1
NetScreen ScreenOS 3.0.1 r2
NetScreen ScreenOS 2.6.1 r5
NetScreen ScreenOS 2.6.1 r4
NetScreen ScreenOS 2.6.1 r3
NetScreen ScreenOS 2.6.1 r2
NetScreen ScreenOS 2.6.1 r1
NetScreen ScreenOS 2.6.1
Cisco PIX Firewall 5.3 (1)
Cisco PIX Firewall 5.2 (5)
Cisco IOS 12.2XQ
Cisco IOS 12.2XH
Cisco IOS 12.2XE
Cisco IOS 12.2XD
Cisco IOS 12.2XA
Cisco IOS 12.2T
Cisco IOS 12.2
Cisco IOS 12.1YF
Cisco IOS 12.1YD
Cisco IOS 12.1YC
Cisco IOS 12.1YB
Cisco IOS 12.1YA
Cisco IOS 12.1XY
Cisco IOS 12.1XV
Cisco IOS 12.1XU
Cisco IOS 12.1XT
Cisco IOS 12.1XS
Cisco IOS 12.1XR
Cisco IOS 12.1XQ
Cisco IOS 12.1XP
Cisco IOS 12.1XM
Cisco IOS 12.1XL
Cisco IOS 12.1XK
Cisco IOS 12.1XJ
Cisco IOS 12.1XI
Cisco IOS 12.1XH
Cisco IOS 12.1XG
Cisco IOS 12.1XF
Cisco IOS 12.1XE
Cisco IOS 12.1XD
Cisco IOS 12.1XC
Cisco IOS 12.1XB
Cisco IOS 12.1XA
Cisco IOS 12.1T
Cisco IOS 12.1EZ
Cisco IOS 12.1EY
Cisco IOS 12.1EX
Cisco IOS 12.1EC
Cisco IOS 12.1E
Cisco IOS 12.1DC
Cisco IOS 12.1DB
Cisco IOS 12.10S
Cisco IOS 12.0S
Cisco Catalyst 6000 6.2 (0.110)
Not Vulnerable: SSH Communications Security SSH2 2.4
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
SSH Communications Security SSH2 2.3
SSH Communications Security SSH2 2.2
SSH Communications Security SSH2 2.1
SSH Communications Security SSH2 2.0
OpenSSH OpenSSH 2.3
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 i386
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 6.4 ppc
- S.u.S.E. Linux 6.4 i386
- S.u.S.E. Linux 6.4 alpha
Cisco WebNS 5.0 B11s
+ Cisco CSS11000 Content Services Switch
+ Cisco CSS11050 Content Services Switch
+ Cisco CSS11150 Content Services Switch
+ Cisco CSS11501 Content Services Switch
+ Cisco CSS11503 Content Services Switch
+ Cisco CSS11506 Content Services Switch
+ Cisco CSS11800 Content Services Switch
Cisco WebNS 5.0 1B6s
+ Cisco CSS11000 Content Services Switch
+ Cisco CSS11050 Content Services Switch
+ Cisco CSS11150 Content Services Switch
+ Cisco CSS11501 Content Services Switch
+ Cisco CSS11503 Content Services Switch
+ Cisco CSS11506 Content Services Switch
+ Cisco CSS11800 Content Services Switch
Cisco WebNS 4.1 0B22s
+ Cisco CSS11000 Content Services Switch
+ Cisco CSS11050 Content Services Switch
+ Cisco CSS11150 Content Services Switch
+ Cisco CSS11501 Content Services Switch
+ Cisco CSS11503 Content Services Switch
+ Cisco CSS11506 Content Services Switch
+ Cisco CSS11800 Content Services Switch
Cisco WebNS 4.0 1B42s
+ Cisco CSS11000 Content Services Switch
+ Cisco CSS11050 Content Services Switch
+ Cisco CSS11150 Content Services Switch
+ Cisco CSS11501 Content Services Switch
+ Cisco CSS11503 Content Services Switch
+ Cisco CSS11506 Content Services Switch
+ Cisco CSS11800 Content Services Switch
Cisco PIX Firewall 6.0 (1)
Cisco PIX Firewall 5.3 (2)
Cisco PIX Firewall 5.2 (6)
Cisco IOS 12.2(3)
Cisco IOS 12.2(2.2)T
Cisco IOS 12.2(2)XA
Cisco IOS 12.2(1b)
Cisco IOS 12.2(1.1)
Cisco IOS 12.2(1)XQ
Cisco IOS 12.2(1)XH
Cisco IOS 12.2(1)XD1
Cisco IOS 12.1(8a)E
Cisco IOS 12.1(6.5)EC3
Cisco IOS 12.1(6)EZ1
Cisco IOS 12.1(6)EY
Cisco IOS 12.1(5)YF2
Cisco IOS 12.1(5)YD2
Cisco IOS 12.1(5)YC1
Cisco IOS 12.1(5)YB4
Cisco IOS 12.1(5)XY6
Cisco IOS 12.1(5)XV3
Cisco IOS 12.1(5)XU1
Cisco IOS 12.1(5)XR2
Cisco IOS 12.1(5)XG5
Cisco IOS 12.1(4)XM4
Cisco IOS 12.1(3)XT3
Cisco IOS 12.1(3)XP4
Cisco IOS 12.0(18)S
Cisco Catalyst 6000 6.3 (0.7)PAN
Cisco Catalyst 6000 6.2 (0.111)
Cisco Catalyst 6000 6.1 (2.13)

Discussion

Secure Shell, or SSH, is an encrypted remote access protocol. SSH, or code based on SSH, is used by many systems all over the world and in a wide variety of commercial applications. An integer overflow bug in the CRC-32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory.

This occurs when a large SSH packet is received by either a client or a server and the 32-bit representation of the SSH packet length is assigned to a 16-bit integer. The mismatch in data representation causes the 16-bit variable to be assigned zero (or a very small value).

As a result, a subsequent call to malloc() and an index used to reference locations in memory can both be corrupted by an attacker. This can happen in a manner that allows certain numerical values to be written to almost arbitrary locations in memory.

This can lead to an attacker executing arbitrary code with the privileges of the SSH server (usually root) or of the SSH client.
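The truncation described above, shown on concrete packet lengths as an added example: this is not code from the original record, nor the OpenSSH or SSH Communications Security source. It is a simplified C model of the detector's hash-table sizing arithmetic. The constants (8-byte blocks, an 8192-byte initial table, 2-byte slots, a 1.5x load factor, a 32K-block maximum) and the function names are assumptions chosen to mirror the publicly described deattack.c defaults. The vulnerable sizing routine stores a 32-bit result in a 16-bit counter; the hardened one keeps the count in 32 bits and bounds the packet length before sizing anything, which is the approach the published fixes took.

```c
/*
 * Added example (not SecurityFocus, OpenSSH or SSH.com code): a simplified
 * model of the table-sizing arithmetic behind BID 2347. All constants are
 * assumptions mirroring the public deattack.c defaults; function names are
 * hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

#define SSH_BLOCKSIZE   8u                 /* cipher block size in bytes (assumed) */
#define SSH_MAXBLOCKS   (32u * 1024u)      /* largest packet, in blocks (assumed) */
#define HASH_MINSIZE    8192u              /* initial table size in bytes (assumed) */
#define HASH_ENTRYSIZE  2u                 /* one 16-bit block index per slot */
#define HASH_FACTOR(x)  ((x) * 3u / 2u)    /* table must hold 1.5x the block count */

/*
 * Vulnerable sizing: the loop grows a 32-bit power of two until the table is
 * big enough, then stores it into a 16-bit counter. Once the block count
 * pushes l to 65536 the store truncates and n becomes 0: the "assigned to
 * zero" case the advisory describes. Returns the slot count the detector
 * would then believe it has.
 */
uint16_t table_slots_vulnerable(uint32_t len)
{
    uint16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;    /* 4096 slots to start */
    uint32_t l;

    for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l <<= 2)
        ;
    n = (uint16_t)l;          /* 65536 does not fit in 16 bits: n == 0 */
    return n;
}

/*
 * The probe index is wrapped with (n - 1). With n == 0 the subtraction is
 * done in int and yields -1, so the mask is all ones and no longer confines
 * the index to the table; with n == 4096 it is the expected 0x0FFF.
 */
uint32_t index_mask(uint16_t n)
{
    return (uint32_t)(n - 1);
}

/*
 * Hardened sizing: keep the slot count in a 32-bit variable and bound the
 * packet length before sizing anything. Returns the slot count, or 0 when
 * the packet must be rejected (a valid table is never empty, so 0 is
 * unambiguous as an error value).
 */
uint32_t table_slots_fixed(uint32_t len)
{
    uint32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
    uint32_t l;

    if (len == 0 || len > SSH_MAXBLOCKS * SSH_BLOCKSIZE || len % SSH_BLOCKSIZE != 0)
        return 0;                                   /* oversized or misaligned packet */
    for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l <<= 2)
        ;
    return l;                                       /* 65536 survives intact */
}

int main(void)
{
    /* Constructed sample lengths: a small packet, the last length that still
     * fits the 16-bit counter, the first that truncates, and the maximum. */
    uint32_t lens[] = { 8192u, 87384u, 87392u, SSH_MAXBLOCKS * SSH_BLOCKSIZE };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint16_t v = table_slots_vulnerable(lens[i]);
        printf("len=%6u  vulnerable: n=%5u (malloc %6u bytes, mask 0x%08x)  fixed: n=%u\n",
               (unsigned)lens[i], (unsigned)v, (unsigned)(v * HASH_ENTRYSIZE),
               (unsigned)index_mask(v), (unsigned)table_slots_fixed(lens[i]));
    }
    return 0;
}
```

Compile with a C99 compiler and run: the lengths 87384 and 87392 bracket the boundary at which the 16-bit store turns a 65536-slot table into a zero-byte allocation with an unbounded index mask, while the hardened routine returns 65536 for both and rejects lengths above the block maximum or not block-aligned.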

**UPDATE**:

There have been reports suggesting that exploitation of this vulnerability may be widespread.

Since early September, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. SecurityFocus does not currently have the exploit code being used; this record will be updated if and when it becomes available.

NOTE: The Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior to, but excluding, versions 4.01 B42s, 4.10 22s, 5.0 B11s and 5.01 B6s are vulnerable.

Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH.

** NetScreen ScreenOS is not directly vulnerable to this issue; however, the referenced exploit will cause devices running vulnerable versions of the software to stop functioning properly, resulting in a denial of service condition for NetScreen devices. The issue lies in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default.

Exploit / POC

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following proof of concept code is available:

Solution / Fix

Solution:
Patches have been made available by a number of vendors, as well as by CORE SDI.

F-Secure SSH Server versions earlier than 5.0 are vulnerable to this issue. Upgrading to the latest version of F-Secure SSH Server is advised.

http://www.f-secure.com/news/2000/news_2001013000.shtml

SSH Secure Shell 3.0.1 and later are not vulnerable to this issue. Users are advised to obtain the newest version from the vendor.

http://commerce.ssh.com

Cisco users should contact the Technical Assistance Center for patching and upgrade information.

NetScreen has released an advisory (NetScreen Security Alert 110602) which addresses this issue with new maintenance releases. Some updated maintenance releases are still pending. Users should refer to the information in the attached reference for details on obtaining fixes. Users are also advised to contact the vendor for exact details about affected versions and which upgrades are appropriate to their release.


Fixed releases, listed under each affected release:

Cisco IOS 12.1XR
  • Cisco IOS 12.1(5)XR2
  • Cisco IOS 12.1(5)YD2

Cisco IOS 12.1XD
  • Cisco IOS 12.2(1b)
  • Cisco IOS 12.2(3)

Cisco IOS 12.1XQ
  • Cisco IOS 12.2(1b)

Cisco IOS 12.1XJ
  • Cisco IOS 12.1(5)YB4

Cisco IOS 12.1EX
  • Cisco IOS 12.1(8a)E

Cisco IOS 12.1XI
  • Cisco IOS 12.2(1b)
  • Cisco IOS 12.2(3)

Cisco IOS 12.1XS
  • Cisco IOS 12.1(5)XS

Cisco IOS 12.2XE
  • Cisco IOS 12.2(1)XE

Cisco IOS 12.2T
  • Cisco IOS 12.2(2.2)T

Cisco IOS 12.1T
  • Cisco IOS 12.2(1b)
  • Cisco IOS 12.2(3)

Cisco IOS 12.1XV
  • Cisco IOS 12.1(5)XV3

Cisco IOS 12.1XA
  • Cisco IOS 12.2(1b)
  • Cisco IOS 12.2(3)

Cisco IOS 12.1YD
  • Cisco IOS 12.1(5)YD2

Cisco IOS 12.1XM
  • Cisco IOS 12.1(4)XM4

Cisco IOS 12.1YF
  • Cisco IOS 12.1(5)YF2

Cisco IOS 12.1XU
  • Cisco IOS 12.1(5)XU1
  • Cisco IOS 12.2(2)XA

Cisco IOS 12.1XC
  • Cisco IOS 12.2(1b)
  • Cisco IOS 12.2(3)

Cisco IOS 12.2
  • Cisco IOS 12.2(1b)
  • Cisco IOS 12.2(3)

Cisco IOS 12.1XY
  • Cisco IOS 12.1(5)XY6

Cisco IOS 12.1XL
  • Cisco IOS 12.2(1b)
  • Cisco IOS 12.2(3)

Cisco IOS 12.2XH
  • Cisco IOS 12.2(1)XH

Cisco IOS 12.1XT
  • Cisco IOS 12.1(3)XT3
  • Cisco IOS 12.1(5)YB4

Cisco IOS 12.1EC
  • Cisco IOS 12.1(6.5)EC3

Cisco IOS 12.1YC
  • Cisco IOS 12.1(5)YC1

Cisco IOS 12.1E
  • Cisco IOS 12.1(8a)E

Cisco IOS 12.2XA
  • Cisco IOS 12.2(2)XA

Cisco IOS 12.2XD
  • Cisco IOS 12.2(1)XD1

Cisco IOS 12.1YA
  • Cisco IOS 12.2(2)XB

Cisco IOS 12.1YB
  • Cisco IOS 12.1(5)YB4

Cisco IOS 12.1EZ
  • Cisco IOS 12.1(6)EZ2

Cisco IOS 12.1XG
  • Cisco IOS 12.1(5)XG5

Cisco IOS 12.2XQ
  • Cisco IOS 12.2(1)XQ

Cisco IOS 12.1XF
  • Cisco IOS 12.1(2)XF4

Cisco IOS 12.1XH
  • Cisco IOS 12.2(1b)
  • Cisco IOS 12.2(3)

Cisco IOS 12.1EY
  • Cisco IOS 12.1(6)EY

Cisco IOS 12.1XP
  • Cisco IOS 12.1(3)XP4
  • Cisco IOS 12.1(5)YB4

OpenSSH OpenSSH 1.2.2

SSH Communications Security SSH 1.2.24

SSH Communications Security SSH 1.2.25

SSH Communications Security SSH 1.2.26

SSH Communications Security SSH 1.2.27

SSH Communications Security SSH 1.2.28

SSH Communications Security SSH 1.2.29

OpenSSH OpenSSH 1.2.3

SSH Communications Security SSH 1.2.30

OpenSSH OpenSSH 2.1

OpenSSH OpenSSH 2.1.1

OpenSSH OpenSSH 2.2

Cisco PIX Firewall 5.2 (5)
  • Cisco PIX Firewall 5.2(6)

Cisco PIX Firewall 5.3 (1)
  • Cisco PIX Firewall 5.3(2)

References

© CVE.report 2026
