Recent breakins / SSHD root hole?

nuuB _nuub at
Tue Jun 5 03:08:21 EST 2001

>> Basically what I'd like to know is: What version of the OpenSSH daemon
>> would I need to run in order NOT to be vulnerable to this "weakness"?
>Sounds like

No, I don't think so. AFAIK that bug was fixed in 2.1.1, and
reportedly ran "OpenSSH 2.2". But doing a bit more digging I found

"Remote vulnerability in SSH daemon crc32 compensation attack detector"

This wasn't fixed until 2.3.0. This hole requires quite a lot of constants to
be correct, and having local access makes this easier. This could explain why
it wasn't exploited remotely on (though it could have been).


Anyhow, the fact that I had missed this hole completely has given me a new
perspective. Normally I try to keep on top of all security holes in products I
use. But for the past 6 months I haven't been reading bugtraq (the main source
for such information). I find the SNR way too low these days. It's annoying to
see an advisory on product X, then like 10 advisories on the same subject from
a bunch of vendors (mostly Linux ones...) that ship product X.

So I left bugtraq and instead relied on my vendor's (Redhat) ability to issue
proper updates (yeah I know, stupid, but I thought it better than doing
nothing). It appears they haven't issued a bulletin for this problem (even
though they ship OpenSSH 2.1.1 in RH 7.0). They did issue

which fixes two other (much less serious) problems. It also happens to fix the
above CRC attack, but it isn't mentioned in Redhat's bulletin (and I doubt they
knew about it). I don't upgrade things unless there is a problem that affects
me (wise from previous updates where new problems of course snuck in with the
upgrade). The two minor things mentioned didn't affect me, so I didn't upgrade.
So here I am, 2 Jun, with a root hole that was announced on Feb 8. Almost 4
months with an open root hole. Gives me a real warm'n'fuzzy.... NOT. The only
thing making me feel better is that the exploitation is quite far from ./hack
with the public exploit.

Ah well. I guess it's back to bugtraq, and more time wasted weeding through the
junk to find the good bits...

Sorry about the rant.
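As an added example (not part of the original post), here is the check the thread's question boils down to: parse an sshd identification banner and compare the OpenSSH version against 2.3.0, the fix level the post gives for the crc32 compensation attack detector hole. The banners are constructed, not captured from any real host, and a result of "vulnerable" is only evidence, since a vendor can backport a fix without changing the version string.

```python
import re
from typing import Optional, Tuple

# Fix level stated in the post: "This wasn't fixed until 2.3.0".
CRC32_FIXED_VERSION = (2, 3, 0)

# Matches e.g. "SSH-1.99-OpenSSH_2.1.1" or "SSH-2.0-OpenSSH_2.9p1";
# the portable "pN" suffix is ignored because it does not change the
# upstream fix level.
_BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an sshd banner, or None.

    None is returned for non-OpenSSH servers or unparseable strings so the
    caller reports "unknown" instead of silently treating them as safe.
    """
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def crc32_status(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed' or 'unknown' vs. 2.3.0.

    Below the fix level means "check the installed package's changelog",
    not "confirmed exploitable": backported fixes keep the old version.
    """
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if version < CRC32_FIXED_VERSION else "fixed"


# Constructed sample banners (assumed values, not from any real host).
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.1.1",   # the version the post says RH 7.0 ships
    "SSH-1.99-OpenSSH_2.2.0p1",
    "SSH-1.99-OpenSSH_2.3.0p1",
    "SSH-2.0-OpenSSH_2.9p1",
    "SSH-1.5-1.2.27",           # not OpenSSH: cannot judge from banner
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:28} {crc32_status(b)}")
```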


