New SSH Vulnerabilities Discovered

Posted by timothy on Monday December 16, 2002 @01:26PM from the this-too-shall-pass dept.

possible writes "Rapid7 has discovered a new class of vulnerabilities affecting SSH2 implementations from many vendors. These vulnerabilities affect a wide variety of SSH servers and SSH clients. Rapid7 designed an SSH protocol test suite called SSHredder. The SSHredder test suite contains a large number of SSH2 protocol binary test cases, and is released under the BSD license. Rapid7's testing has revealed many defects in products such as F-Secure, SSH.com, PuTTY, etc. OpenSSH and GNU LSH are not affected." Some of the affected vendors have released fixed versions, and some say there's nothing exploitable about the reported holes.

1 of 33 comments (clear)

Min score:

Reason:

Sort:

exploitable by Anonymous Coward · 2002-12-16 14:11 · Score: 4, Interesting

Some of the affected vendors have released fixed versions, and some say there's nothing exploitable about the reported holes
Bullshit. Those vulnerabilities are exploitable. I know because i caught someone exploiting the buffer token error earlier today. We had to shut down our ssh server until we could add double-passback scanning to our firewall.