Gentoo Logo

OpenSSH: Denial of Service

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200609-17 / openssh
Release Date September 27, 2006
Latest Revision September 27, 2006: 02
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-misc/openssh < 4.3_p2-r5 >= 4.3_p2-r5 All supported architectures

Related bugreports: #148228

Synopsis

A flaw in the OpenSSH daemon allows remote unauthenticated attackers to cause a Denial of Service.

2.  Impact Information

Background

OpenSSH is a free suite of applications for the SSH protocol, developed and maintained by the OpenBSD project.

Description

Tavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector.

Impact

A remote unauthenticated attacker may be able to trigger excessive CPU usage by sending a pathological SSH message, denying service to other legitimate users or processes.

3.  Resolution Information

Workaround

The system administrator may disable SSH protocol version 1 in /etc/ssh/sshd_config.

Resolution

All OpenSSH users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/openssh-4.3_p2-r5"

4.  References

Print

Page updated September 27, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.