Note Recent SSH 1 Security Advisories
Steve VanDevender
stevev@oregon.uoregon.edu
Two security advisories relating to SSH 1 came out in February.
The first describes an attack against SSH 1 servers that lets an attacker
recover the session key (usually a 768-bit RSA key pair), which in turn
permits further subversion of the SSH protocol.
http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm
The second advisory relates to an integer overflow in code intended to detect
attacks against a previously-discovered vulnerability in the SSH 1 protocol
involving the CRC checksums of data packets. Exploiting this overflow can result
in arbitrary areas of memory being overwritten, and since the SSH daemon typically
runs as root, this opens the possibility of root compromise.
http://www.core-sdi.com/advisories/ssh1_deattack.htm
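The second advisory's defect is a case of a detection routine sizing a work table from attacker-controlled packet length without checking that the arithmetic fits the integer types involved. The following is an added, constructed illustration of how such a detector can be written with the sizing checked up front; it is not the OpenSSH or ssh.com deattack code, and the block size, hash factor, MAX_BLOCKS bound, FNV hash and function names are all choices made for this example. It scans a packet for any two identical 8-byte blocks (the kind of repetition a CRC-compensation check looks for) and refuses inputs whose table size would wrap, so every table index is masked against a slot count that was actually allocated.

```c
/* Simplified repeated-block detector with overflow-checked table sizing.
 * Constructed example; not the OpenSSH or ssh.com deattack implementation. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_LEN   8            /* cipher block size being scanned */
#define HASH_FACTOR 2            /* table holds at least 2x the block count */
#define MAX_BLOCKS  (1u << 20)   /* constructed upper bound on blocks per packet */

/*
 * Compute the number of table slots: a power of two >= HASH_FACTOR * nblocks.
 * Returns 1 and sets *slots on success; returns 0 (leaving *slots untouched)
 * if nblocks is out of range or any step of the size computation would wrap.
 * The same value is later used both for the allocation and for the index mask.
 */
int table_slots(size_t nblocks, size_t *slots)
{
    size_t want, n;

    if (nblocks == 0 || nblocks > MAX_BLOCKS)
        return 0;
    if (nblocks > SIZE_MAX / HASH_FACTOR)      /* HASH_FACTOR * nblocks must not wrap */
        return 0;
    want = nblocks * HASH_FACTOR;
    for (n = 1; n < want; n <<= 1) {           /* round up to a power of two */
        if (n > SIZE_MAX / 2)                  /* doubling would wrap */
            return 0;
    }
    if (n > SIZE_MAX / sizeof(uint32_t))       /* allocation size must not wrap */
        return 0;
    *slots = n;
    return 1;
}

/* FNV-1a over one block; only used to choose a starting slot */
static uint32_t block_hash(const unsigned char *b)
{
    uint32_t h = 2166136261u;
    size_t i;
    for (i = 0; i < BLOCK_LEN; i++) {
        h ^= b[i];
        h *= 16777619u;
    }
    return h;
}

/*
 * Scan buf for any two identical BLOCK_LEN-byte blocks.
 * Returns 1 if a repeat is found, 0 if none, and -1 if the input is rejected
 * (length not a multiple of BLOCK_LEN, table sizing refused, or no memory).
 */
int detect_repeated_blocks(const unsigned char *buf, size_t len)
{
    size_t nblocks, slots, mask, i;
    uint32_t *table;    /* holds block index + 1; 0 marks an empty slot */
    int found = 0;

    if (len % BLOCK_LEN != 0)
        return -1;
    nblocks = len / BLOCK_LEN;
    if (nblocks < 2)
        return 0;
    if (!table_slots(nblocks, &slots))
        return -1;
    table = calloc(slots, sizeof(uint32_t));
    if (table == NULL)
        return -1;
    mask = slots - 1;

    for (i = 0; i < nblocks && !found; i++) {
        const unsigned char *blk = buf + i * BLOCK_LEN;
        size_t h = block_hash(blk) & mask;
        /* Linear probing. The table has at least twice as many slots as
         * blocks, so an empty slot always exists and the loop terminates;
         * every index is masked, so it cannot leave the allocation. */
        while (table[h] != 0) {
            if (memcmp(buf + (size_t)(table[h] - 1) * BLOCK_LEN, blk, BLOCK_LEN) == 0) {
                found = 1;
                break;
            }
            h = (h + 1) & mask;
        }
        if (!found)
            table[h] = (uint32_t)(i + 1);
    }
    free(table);
    return found;
}

int main(void)
{
    /* constructed sample packets: three blocks each; the second repeats block 0 */
    static const unsigned char clean[]  = "ABCDEFGHIJKLMNOPQRSTUVWX";
    static const unsigned char repeat[] = "ABCDEFGHxxxxxxxxABCDEFGH";

    printf("clean:  %d\n", detect_repeated_blocks(clean, sizeof clean - 1));
    printf("repeat: %d\n", detect_repeated_blocks(repeat, sizeof repeat - 1));
    return 0;
}
```

The point of `table_slots` is that the slot count used for `calloc` and the mask used for indexing are one and the same value, and that value is rejected before any allocation if the multiplication or the power-of-two rounding would not fit in `size_t`; a detector that stored the count in a narrower type, or computed the mask separately from the allocation, could end up indexing past the table it actually allocated.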
Note that both of these involve the now-deprecated SSH 1 protocol. If you
are using SSH 2 exclusively, then you are not vulnerable to either of these
problems. However, SSH 1 has the most client support, particularly for Macintosh
and Windows users, and it is common to either run the ssh.com SSH 2 daemon with
fallback support for SSH 1, or to run OpenSSH which supports both SSH 1 and
SSH 2 in the same daemon.
If you're running OpenSSH, you should update to OpenSSH 2.3.0, which is not
vulnerable to either of these attacks. A portable version of OpenSSH that runs
on many different UNIX systems (the stock OpenSSH is for OpenBSD only) is available
from http://openssh.com/portable.html
SSH Communications Security (ssh.com) has indicated that they will probably be releasing a new version of their SSH 1 server with fixes sometime soon. Patches for existing versions of their SSH 1 are given in the advisories listed above.