CERT: More SSH flaws found

Additional flaws have been revealed in Secure Shell (SSH) protocol implementations in SSH clients and servers from a variety of vendors, according to the CERT Coordination Center at Carnegie Mellon University.

Pittsburgh, Pa.-based computer security incident response team CERT reported Monday that multiple vendors’ implementations of the SSH transport layer protocol contain vulnerabilities that could allow a remote attacker to execute arbitrary code with the privileges of the SSH process or cause a denial of service. The full list of potentially affected vendors is available on CERT’s Web site at www.cert.org.

The SSH protocol enables a secure communications channel from a client to a server. The vulnerabilities include incorrect field lengths, lists with empty elements or multiple separators, “classic” buffer overflows and null characters in strings.
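The input classes listed above all apply to SSH's length-prefixed name-list field (a 32-bit length followed by comma-separated names). The C code below is an added example, not code from CERT or any affected vendor, showing a parser that rejects each class before copying anything. `parse_name_list`, the `NL_*` codes and `MAX_NAMES` are hypothetical names, and the 64-byte per-name limit and printable-ASCII rule are assumptions taken from the SSH name-list definition.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME  64  /* longest single name accepted (assumed limit) */
#define MAX_NAMES 32  /* hypothetical cap chosen for this example */
enum { NL_SHORT = -1, NL_BAD_LEN = -2, NL_EMPTY = -3,
       NL_BAD_CHAR = -4, NL_TOO_LONG = -5, NL_TOO_MANY = -6 };

/* Parse one name-list from buf[0..avail). Returns the number of names copied
 * into out[][] (setting *used to the bytes consumed) or a negative NL_* code. */
int parse_name_list(const uint8_t *buf, size_t avail,
                    char out[MAX_NAMES][MAX_NAME + 1], size_t *used)
{
    if (avail < 4) return NL_SHORT;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | buf[3];
    /* Incorrect field length: check against bytes received, without overflow. */
    if (len > avail - 4) return NL_BAD_LEN;
    const uint8_t *p = buf + 4;
    int count = 0;
    size_t start = 0;
    for (size_t i = 0; len != 0 && i <= len; i++) {
        if (i < len && p[i] != ',') {
            /* NUL, whitespace, control and non-ASCII bytes are rejected. */
            if (p[i] <= 0x20 || p[i] >= 0x7f) return NL_BAD_CHAR;
            continue;
        }
        size_t n = i - start;                  /* element ends at ',' or end */
        if (n == 0) return NL_EMPTY;           /* ",," or leading/trailing ',' */
        if (n > MAX_NAME) return NL_TOO_LONG;  /* bound checked before copy */
        if (count == MAX_NAMES) return NL_TOO_MANY;
        memcpy(out[count], p + start, n);
        out[count++][n] = '\0';
        start = i + 1;
    }
    *used = 4 + (size_t)len;
    return count;
}

int main(void)
{
    /* Constructed input: length 4, payload "a,,b" (doubled separator). */
    const uint8_t msg[] = {0, 0, 0, 4, 'a', ',', ',', 'b'};
    char names[MAX_NAMES][MAX_NAME + 1];
    size_t used = 0;
    printf("result: %d\n", parse_name_list(msg, sizeof msg, names, &used));
    return 0;
}
```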

The flaws affect both SSH clients and servers and occur before user authentication takes place, CERT said.

In the case of SSH clients, any attacker-supplied code would run with at least the privileges of the user who started the client program. In severe cases, remote attackers could execute arbitrary code with the privileges of the SSH process.

Users of SSH clients can reduce the risk of attack by connecting only to trusted servers, by IP address, the CERT Coordination Center noted, thereby limiting the number of potential sources of attack.

Furthermore, CERT suggested that users limit access to SSH servers to trusted hosts and networks and implement network-based intrusion detection sensors, firewalls or other packet-filtering systems.