SSH1 security protocol found lacking once again

A security patch for SSH1 has inadvertently opened the door to another, even worse attack.

By Jon Tullett, published February 18, 2001

A serious vulnerability has been discovered in the SSH1 security protocol, allowing attackers to potentially execute arbitrary code on target systems, gaining full system privileges. Ironically, the vulnerability is caused by a programming flaw in a section of code introduced to fix an earlier flaw. The new vulnerability is in fact considerably more dangerous than the one the patch was intended to fix.

SSH (Secure Shell) is a protocol allowing encrypted access to servers for facilities such as terminal access. The initial SSH1 protocol is now deprecated in favour of the more robust and flexible SSH2, but SSH1 is still widely used.

In 1998, a design flaw was discovered allowing attackers to inject code into the encrypted stream between client and server that would then be executed at either end. Patching this flaw would have broken the protocol, so new code, deattack.c, was introduced to identify attack attempts and remove the suspect packets. Unfortunately, a badly declared variable in the deattack.c source allows a buffer overflow to be exploited, giving remote code execution on the server. Unlike the initial vulnerability, which required an attacker to act as a man-in-the-middle between client and server, this one can be exploited by communicating directly with the SSH1 port on the server.
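As an added illustration of the bug class described above (this is example code written for this page, not the deattack.c source or any SSH implementation), the sketch below shows how a table-size variable declared too narrow for the values it must hold makes the allocation and the index mask disagree, and the check that catches it. BLOCKSIZE, MIN_ENTRIES, the growth rule and all function names are assumptions chosen for the example.

```c
/* Added example, not code from the article or from any SSH implementation:
 * a size variable declared too narrow for the values it must hold turns a
 * bounds computation into an out-of-bounds write. BLOCKSIZE, MIN_ENTRIES
 * and the growth rule are assumptions chosen for illustration. */
#include <stdbool.h>
#include <stdint.h>

#define BLOCKSIZE   8      /* assumed cipher block size */
#define MIN_ENTRIES 4096   /* assumed smallest lookup table */

typedef struct {
    uint32_t allocated;  /* entries the code would allocate for the table */
    uint32_t max_index;  /* largest index the probe mask (n - 1) can yield */
} table_plan;

/* Grow the table by factors of four until it has at least one entry per
 * block of the packet; this part is identical in both versions below. */
static uint32_t entries_needed(uint32_t packet_len)
{
    uint32_t l;
    for (l = MIN_ENTRIES; l < packet_len / BLOCKSIZE; l <<= 2)
        ;
    return l;
}

/* Vulnerable pattern: the entry count is stored in a 16-bit variable.
 * A packet needing 65536 or more entries silently truncates n to 0, so a
 * zero-sized table is allocated while the mask derived from n spans the
 * whole address range. */
table_plan plan_narrow(uint32_t packet_len)
{
    uint16_t n = (uint16_t)entries_needed(packet_len);  /* silent truncation */
    table_plan p = { n, (uint32_t)n - 1u };              /* n == 0 -> mask 0xFFFFFFFF */
    return p;
}

/* Hardened form: the count keeps the full width of the values the loop
 * can produce, so the allocation and the mask agree. */
table_plan plan_wide(uint32_t packet_len)
{
    uint32_t n = entries_needed(packet_len);
    table_plan p = { n, n - 1u };
    return p;
}

/* The check a reviewer would apply: every index the mask can produce must
 * fall inside the allocation, and a zero-sized table is never acceptable. */
bool plan_is_safe(table_plan p)
{
    return p.allocated != 0 && p.max_index < p.allocated;
}
```

For an 8 KB packet both versions agree; for a 200,000-byte packet the narrow version plans a zero-entry table with a mask of 0xFFFFFFFF, which the check rejects.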

Most SSH1 software vendors have released patches to fix the problem, or issued statements regarding the status of their products.
