[Dshield] SSH Clarifications

Johannes B. Ullrich jullrich at euclidian.com
Thu Nov 8 22:51:21 GMT 2001


Before people get too excited, some background on SSH:

In February, a remote exploit was found in ssh. (CRC Compensation
Attack Detector Vulnerability). Most ssh implementations were
affected by it (F-Secure, OpenSSH, ssh.com ssh) at the time.

This vulnerability would allow a remote attacker to obtain 'root'
privileges. Initially, it was assumed that this vulnerability is
hard to exploit. Vendors made patched versions of ssh available
shortly after the vulnerability was announced.

A few weeks back, rumors surfaced that someone is offering an
exploit for this vulnerability for sale (see: 
http://www.newsbytes.com/news/01/171291.html ).

So it is basically just a question of time, when someone will
wrap this exploit into a worm and unleash it. The impact is
a bit hard to predict, but ssh is used quite commonly and we
all know how well people are about updating their systems.

The data we have so far does show some increase in scanning for the last 
day. However, in order to confirm that this is actually a worm, and not 
just a few kiddies playing with ssh, we need the actual worm code to prove 
that infected machines are probing themselves to find and infect other 
machines.

  Johannes.


-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System




