[nsp] Cisco Security Advisory: Multiple SSH vulnerabilities

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Wed Jun 27 2001 - 12:28:47 EDT


-----BEGIN PGP SIGNED MESSAGE-----

                Security Advisory: Multiple SSH vulnerabilities
                                       
Revision 1.0 - INTERIM

  For public release 2001 June 27 08:00 (UTC -0800)
     _________________________________________________________________
   
Summary

   Three different Cisco product lines are susceptible to multiple
   vulnerabilities in the Secure Shell (SSH) protocol. These issues are
   inherent to the SSH protocol version 1.5, which is implemented in
   several Cisco product lines.
   
   By exploiting the weakness in the SSH protocol, it is possible to
   insert an arbitrary commands into an established SSH session, collect
   information that may help in brute force key recovery, or brute force
   a session key.
   
   Affected product lines are:
   
     All devices running Cisco IOS software supporting SSH. That includes
          routers and switches running Cisco IOS.
          
     Catalyst 6000 switches running CatOS.
          
     Cisco PIX Firewall.
          
          No other Cisco products are vulnerable.
          
          It is possible to mitigate this vulnerability by preventing, or
          having a control over, interception of SSH traffic.
          
          This advisory will be available at
          http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
          
Affected Products

          The following table depicts the affected products categories.
          
+---------------+-----------------+-------------------+----------------+
| | CRC-32 check | Traffic analysis | Key recovery |
+---------------+-----------------+-------------------+----------------+
|IOS | Vulnerable | Vulnerable | Vulnerable |
| | CSCdt96253 | CSCdt57231 | CSCdu37371 |
+---------------+-----------------+-------------------+----------------+
|PIX | Vulnerable | Not vulnerable | Not vulnerable |
| | CSCdt73353 | | |
+---------------+-----------------+-------------------+----------------+
|VPN3000 | Not vulnerable | Not vulnerable | Not vulnerable |
+---------------+-----------------+-------------------+----------------+
|Catalyst 6000 | Vulnerable | Vulnerable | Not vulnerable |
| | CSCdt72996 | CSCdt55357 | |
+---------------+-----------------+-------------------+----------------+
   
          Per product category, the following software releases are
          vulnerable:
          
+--------+---------------------------------------------------------------+
|IOS | All 12.0, and upwards, releases that conatins support for SSH.|
+--------+---------------------------------------------------------------+
|PIX | 5.2(5) and 5.3.(1) |
+--------+---------------------------------------------------------------+
|CatOS | 6.2(0.110) |
+--------+---------------------------------------------------------------+
|VPN3000 | Not vulnerable |
+--------+---------------------------------------------------------------+
   
Details

          An implementation of SSH in multiple Cisco products are
          vulnerable to three different vulnerabilities. These
          vulnerabilities are:
          
        CRC-32 integrity check vulnerability
                This vulnerability has been described in a CORE SDI S.A.
                paper entitled "An attack on CRC-32 integrity checks of
                encrypted channels using CBC and CFB modes", which can be
                found at http://www.core-sdi.com/soft/ssh/ssh.pdf
                
                In order for this attack to succeed, an attacker must
                possess one or two known chipertext/plaintext pairs. This
                should not be difficult since every session starts with a
                greeting screen which is fixed and which can be
                determined. This also implies that an attacker must be
                somewhere along the session path in order to be able to
                sniff the session and collect corresponding chipertext.
                
                For further technical details, see
                http://www.core-sdi.com/soft/ssh/ssh.pdf.
                
        Traffic analysis
                This issue has been described in an analysis made by
                Solar Designer. It can be found at
                http://www.securityfocus.com/archive/1/169840, and is
                entitled "Passive Analysis of SSH (Secure Shell)
                Traffic".
                
                To exploit this vulnerability, an attacker must be able
                to capture packets. When sending a packet using the SSH
                protocol, it is padded to the next 8-byte boundary, but
                the exact len of the data (without the padding) is sent
                unencrypted.
                
                The timing between packets may yield additional
                information, such as the relative position of a letter on
                the keyboard, but that depends on overall jitter in the
                network and the typing habits of the person.
                
                For additional information, please see
                http://www.securityfocus.com/archive/1/169840.
                
        Key recovery in SSH protocol 1.5
                This has been discovered by CORE SDI S.A. and the paper
                describing it can be viewed at
                http://www.securityfocus.com/archive/1/161150. The
                subject line is "SSH protocol 1.5 session key recovery
                vulnerability".
                
                In order to exploit this vulnerability, an attacker must
                be able to sniff the SSH session and must be able to
                establish a connection to the SSH server. In order to
                recover the server key, an attcker must perform an
                additional 2^20+2^19=1572864 connections. Since the key
                has a lifespan of about an hour, this means that an
                attacker must perform around 400 connections per second.
                
                For further details, please conslut
                http://www.securityfocus.com/archive/1/161150.
                
Impact

        CRC-32 integrity check vulnerability
                By exploiting this protocol weakness, the attacker can
                insert arbitrary commands in the session after the
                session has been established.
                
        Traffic analysis
                This vulnerability exposes the exact lengths of the
                passwords used for login authentication. This is only
                applicable to an interactive session that is being
                established over the tunnel protected by SSH. This can
                significantly help an attacker in guessing the password
                using the brute force attack.
                
        Key recovery in SSH protocol 1.5
                This vulnerability may lead to the compromise of the
                session key. Once the session key is determined, the
                attacker can proceed to decrypt the stored session using
                any implementation of the crypto algorithm used. This
                will reveal all information in an unencrypted form.
                
Software Versions and Fixes

          Following software releases contains fixes for all
          vulnerabilities.
          
          For Catalyst 6000 switches all vulnerabilities are fixed in the
          following CatOS releases.
          
+---------+--------------------------------------------------------------+
| CatOS | 6.1(2.13), 6.2(0.111) and 6.3(0.7)PAN |
+---------+--------------------------------------------------------------+
   
          Each row of the table describes a release train and the
          platforms or products for which it is intended. If a given
          release train is vulnerable, then the earliest possible
          releases that contain the fix and the anticipated date of
          availability for each are listed in the "Rebuild", "Interim",
          and "Maintenance" columns. A device running any release in the
          given train that is earlier than the release in a specific
          column (less than the earliest fixed release) is known to be
          vulnerable, and it should be upgraded at least to the indicated
          release or a later version (greater than the earliest fixed
          release label).
          
          When selecting a release, keep in mind the following
          definitions:
          
              Maintenance
                      Most heavily tested and highly recommended release
                      of any label in a given row of the table.
                      
              Rebuild
                      Constructed from the previous maintenance or major
                      release in the same train, it contains the fix for
                      a specific defect. Although it receives less
                      testing, it contains only the minimal changes
                      necessary to effect the repair.
                      
              Interim
                      Built at regular intervals between maintenance
                      releases and receive less testing. Interims should
                      be selected only if there is no other suitable
                      release that addresses the vulnerability, and
                      interim images should be upgraded to the next
                      available maintenance release as soon as possible.
                      Interim releases are not available via
                      manufacturing, and usually they are not available
                      for customer download from CCO without prior
                      arrangement with the Cisco TAC.
                      
          In all cases, customers should exercise caution to be certain
          the devices to be upgraded contain sufficient memory and that
          current hardware and software configurations will continue to
          be supported properly by the new release. If the information is
          not clear, contact the Cisco TAC for assistance as shown in the
          following section.
          
          More information on IOS release names and abbreviations is
          available at http://www.cisco.com/warp/public/620/1.html.
          For PIX Firewall software, use the following table to determine
          affected and fixed software releases.
          
+------+----------------------+--------------------------------------------+
|Train |Description of Image | Availability of Fixed Releases* |
| | or Platform | |
+------+----------------------+-------------------------+------------------+
| 5.x-based Releases |Rebuild Interim** | Maintenance |
+-----+-----------------------+---------+---------------+------------------+
| | | | 5.2(5)203 | 5.2.(6) |
| 5.2 | Early Deployment (ED) | |Available | Available in |
| | for all platforms | |through TAC | August |
+-----+-----------------------+---------+---------------+------------------+
| | | |5.3(1)202 | 5.3.(1) |
| 5.3 | Early Deployment (ED) | |Available | Available in |
| | for all platforms | |through TAC | August |
+-----+-----------------------+---------+---------------+------------------+
| 6.x-based Releases Rebuild | Interim** | Maintenance |
+-----+-----------------------+---------+---------------+------------------+
| 6.0 | Early Deployment (ED) | | | 6.0(1) |
| | for all platforms | | | Available |
+-----+-----------------------+---------+---------------+------------------+
   
          For Cisco IOS, use the following table to determine affected
          and fixed software releases.
          
 +---------------+----------------+-----------------------------------------+
 | | Description of | |
 | Train | Image or | Availability of Fixed Releases* |
 | | Platform | |
 +---------------+----------------+-------------+------------+--------------+
 | 12.0-based Releases | Rebuild | Interim** | Maintenance |
 +---------------+----------------+-------------+------------+--------------+
 | |General | | | |
 | 12.10S |deployment | | |12.0(18)S |
 | |release for all | | |2001-July |
 | |platforms | | | |
 +---------------+----------------+-------------+------------+--------------+
 | 12.1-based Releases | Rebuild | Interim** | Maintenance |
 +---------------+----------------+-------------+------------+--------------+
 | |General | |
 | 12.1 |deployment | SSH not supported |
 | |release for all | |
 | |platforms | |
 +---------------+----------------+-----------------------------------------+
 | 12.1AA |Dial support | SSH not supported |
 +---------------+----------------+-----------------------------------------+
 | |Core/ISP | |
 | 12.1CX |support: GSR, | SSH not supported |
 | |RSP, c7200 | |
 +---------------+----------------+-----------------------------------------+
 | 12.1DA |xDSL support: | SSH not supported |
 | |6100, 6200 | |
 +---------------+----------------+-------------+------------+--------------+
 | |Cisco IOS | | | |
 | |Software Release| | | |
 | |12.1(1)DB | | | |
 | 12.1DB |supports Cisco's| | | |
 | |6400 Universal | | | |
 | |Access | | | |
 | |Concentrator | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Cisco IOS | | | |
 | |Software Release| | | |
 | |12.1(1)DC | | | |
 | 12.1DC |supports Cisco's| | | |
 | |6400 Universal | | | |
 | |Access | | | |
 | |Concentrator | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Core/ISP | | | |
 | 12.1E |support: GSR, | | |12.1(8a)E |
 | |RSP, c7200 | | |2001-Jul-09 |
 +---------------+----------------+-------------+------------+--------------+
 | |12.1EC is being | | | |
 | |offered to allow| | | |
 | |early support of| | | |
 | |new features on | | | |
 | |the uBR7200 | | | |
 | 12.1EC |platform, as | |12.1(6.5)EC3| |
 | |well as future | | | |
 | |support for new | | | |
 | |Universal | | | |
 | |Broadband Router| | | |
 | |headend | | | |
 | |platforms. | | | |
 +---------------+----------------+-------------+------------+--------------+
 | 12.1EX |Catalyst 6000 | | |12.1(8a)E |
 | |support | | |2001-Jul-09 |
 +---------------+----------------+-------------+------------+--------------+
 | |Cat8510c, | | | |
 | 12.1EY |Cat8510m, | | |12.1(6)EY |
 | |Cat8540c, | | | |
 | |Cat8540m, LS1010| | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment| | | |
 | 12.1EZ |(ED): special |12.1(6)EZ1 | | |
 | |image | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early | |
 | |Deployment(ED): |Not Scheduled |
 | 12.1T |VPN, Distributed| |
 | |Director, +-----------------------------------------+
 | |various |Upgrade recommended to 12.2(1b) |
 | |platforms | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment| | | |
 | 12.1XA |(ED): limited | | | |
 | |platforms | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment| | | |
 | 12.1XB |(ED): limited | | | |
 | |platforms | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment| | | |
 | 12.1XC |(ED): limited | | | |
 | |platforms | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment|Not Scheduled |
 | 12.1XD |(ED): limited +-----------------------------------------+
 | |platforms |Upgrade recommended to 12.2(1b) |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment| | | |
 | 12.1XE |(ED): limited | | | |
 | |platforms | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment| | | |
 | 12.1XF |(ED): 811 and |12.1(2)XF4 | | |
 | |813 (c800 |2001-July-09 | | |
 | |images) | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment| | | |
 | 12.1XG |(ED): 800, 805, |12.1(5)XG5 | | |
 | |820, and 1600 |2001-July-09 | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment|Not Scheduled |
 | 12.1XH |(ED): limited +-----------------------------------------+
 | |platforms |Upgrade recommended to 12.2(1b) |
 +---------------+----------------+-----------------------------------------+
 | |Early Deployment|Not Scheduled |
 | 12.1XI |(ED): limited +-----------------------------------------+
 | |platforms |Upgrade recommended to 12.2(1b) |
 +---------------+----------------+-----------------------------------------+
 | |Early Deployment|Not Scheduled |
 | 12.1XJ |(ED): limited +-----------------------------------------+
 | |platforms |Upgrade recommended to 12.1(5)YB4 |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment| |
 | 12.1XK |(ED): limited | SSH not supported |
 | |platforms | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment|Not Scheduled |
 | 12.1XL |(ED): limited +-----------------------------------------+
 | |platforms |Upgrade recommended to 12.2(1b) |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.1XM |early deployment|12.1(4)XM4 | | |
 | |release |2001-June-27 | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment| | | |
 | 12.1XP |(ED): 1700 and |12.1(3)XP4 | | |
 | |SOHO | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived |Not Scheduled |
 | 12.1XQ |early deployment+-----------------------------------------+
 | |release |Upgrade recommended to 12.2(1b) |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.1XR |early deployment|12.1(5)XR2 | | |
 | |release | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.1XS |early deployment| | | |
 | |release | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment| | | |
 | 12.1XT |(ED): 1700 |12.1(3)XT3 | | |
 | |series | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Early Deployment| | | |
 | 12.1XU |(ED): limited |12.1(5)XU1 | | |
 | |platforms | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.1XV |early deployment|12.1(5)XV3 | | |
 | |release |2001-July | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | |
 | 12.1XW |early deployment| SSH not supported |
 | |release | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | |
 | 12.1XX |early deployment| SSH not supported |
 | |release | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.1XY |early deployment|12.1(5)XY6 | | |
 | |release |2001-July | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | |
 | 12.1XZ |early deployment| SSH not supported |
 | |release | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.1YA |early deployment| | | |
 | |release | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.1YB |early deployment|12.1(5)YB4 | | |
 | |release | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.1YC |early deployment|12.1(5)YC1 | | |
 | |release | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.1YD |early deployment|12.1(5)YD2 | | |
 | |release |2001-June-25 | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.1YF |early deployment|12.1(5)YF2 | | |
 | |release | | | |
 +---------------+----------------+-------------+------------+--------------+
 | 12.2-based Releases | Rebuild | Interim** | Maintenance |
 +---------------+----------------+-------------+------------+--------------+
 | |General | | | |
 | 12.2 |deployment |12.2(1b) |12.2(1.1) |12.2(3) |
 | |release for all | | |2001-August |
 | |platforms | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |General | | | |
 | 12.2T |deployment | |12.2(2.2)T | |
 | |release for all | | | |
 | |platforms | | | |
 +---------------+----------------+-------------+------------+--------------+
 | 12.2XA |SPLOB | | |12.2(2)XA |
 | | | | |2001-July-02 |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.2XD |early deployment|12.2(1)XD1 | | |
 | |release | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.2XE |early deployment| | |12.2(1)XE |
 | |release | | | |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.2XH |early deployment| | |12.2(1)XH |
 | |release | | |2001-June-25 |
 +---------------+----------------+-------------+------------+--------------+
 | |Short-lived | | | |
 | 12.2XQ |early deployment| | |12.2(1)XQ |
 | |release | | |2001-June-23 |
 +---------------+----------------+-------------+------------+--------------+
 | Notes |
 +--------------------------------------------------------------------------+
 | * All dates are estimated and subject to change. |
 | |
 | ** Interim releases are subjected to less rigorous testing than regular |
 | maintenance releases, and may have serious bugs. |
 +--------------------------------------------------------------------------+
   
Obtaining Fixed Software

          Customers with contracts should obtain upgraded software
          through their regular update channels. For most customers, this
          means that upgrades should be obtained through the Software
          Center on Cisco's Worldwide Web site at
          http://www.cisco.com.
          
          Customers whose Cisco products are provided or maintained
          through prior or existing agreement with third-party support
          organizations such as Cisco Partners, authorized resellers, or
          service providers should contact that support organization for
          assistance with the upgrade, which should be free of charge.
          
          Customers who purchase directly from Cisco but who do not hold
          a Cisco service contract and customers who purchase through
          third party vendors but are unsuccessful at obtaining fixed
          software through their point of sale should get their upgrades
          by contacting the Cisco Technical Assistance Center (TAC). TAC
          contacts are as follows:
          
          + +1 800 553 2447 (toll-free from within North America)
          + +1 408 526 7209 (toll call from anywhere in the world)
          + e-mail: tac@cisco.com
            
          Please have your product serial number available and give the
          URL of this notice as evidence of your entitlement to a
          free upgrade. Free upgrades for non-contract customers must be
          requested through the TAC.
          
Workarounds

          There are no workarounds for these vulnerabilities.
          
Exploitation and Public Announcements

          All three vulnerabilities are publicly known. Please see the
          Details section for the original announcements.
          
          The Cisco PSIRT is not aware of malicious use of the
          vulnerabilities described in this advisory.
          
Status of This Notice: INTERIM

          This is an interim security advisory. Cisco anticipates issuing
          updated versions of this notice at irregular intervals as there
          are material changes in the facts, and will continue to update
          this notice as necessary. The reader is warned that this notice
          may contain inaccurate or incomplete information. Although
          Cisco cannot guarantee the accuracy of all statements in this
          notice, all of the facts have been checked to the best of our
          ability. Cisco anticipates issuing monthly updates of this
          notice until it reaches FINAL status.
          
          A standalone copy or paraphrase of the text of this security
          advisory that omits the distribution URL in the following
          section is an uncontrolled copy, and may lack important
          information or contain factual errors.
          
Distribution

          This notice will be posted on Cisco's Worldwide Web site at
          http://www.cisco.com/warp/public/707/SSH-multiple-pub.html.
          In addition to Worldwide Web posting, a text version of this
          notice is clear-signed with the Cisco PSIRT PGP key and is
          posted to the following e-mail and Usenet news recipients:
          
          + cust-security-announce@cisco.com
          + bugtraq@securityfocus.com
          + first-teams@first.org (includes CERT/CC)
          + cisco@spot.colorado.edu
          + comp.dcom.sys.cisco
          + firewalls@lists.gnac.com
          + Various internal Cisco mailing lists
            
          Future updates of this notice, if any, will be placed on
          Cisco's Worldwide Web server, but may or may not be actively
          announced on mailing lists or newsgroups. Users concerned about
          this problem are encouraged to check the URL given above for
          any updates.
          
Revision History

          Revision 1.0 2001-June-27 08:00 UTC -0800 Initial public release
   
Cisco Security Procedures

          Complete information on reporting security vulnerabilities in
          Cisco products, obtaining assistance with security incidents,
          and registering to receive security information from Cisco, is
          available on Cisco's Worldwide Web site at
          http://www.cisco.com/warp/public/707/sec_incident_response.
          shtml. This includes instructions for press inquiries regarding
          Cisco security notices.
          
          For a list of all advisories please visit
          http://www.cisc.com/warp/public/707/advisory.html page.
            __________________________________________________________
          
          This notice is Copyright 2000 by Cisco Systems, Inc. This
          notice may be redistributed freely after the release date given
          at the top of the text, provided that redistributed copies are
          complete and unmodified, and include all date and version
          information.
            __________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBOzn6T2iN3BRdFxkbAQHfnggAjJxdGNJpV38nVrVdfKl6QWLbtiJGHB4i
wi3fzNqBV3zOaPwu1VERhq5tco2S/r+WhtOZEq1vEiLjc4ck9sBn6hYH2WqBxJFY
98BZa0qNlzGIESiZdBJXkf6/C0gVnpZ+z2Feox0gnX+Xlow6ENxsCOX92zVXNpp4
DTLNxv2n6sH8RhnthQ1HXTFTck+/IpILKikEUwK4/W2mINc8GmAr0JHH+Fr9UJAR
jzCc8en7Q4y7OYMfUyIOPE6udO9VvG2+J7xpkDRsynFR9HJwibt50yudh23VtdKm
/EyDeB7WPLoZMch3GMK614PrYbq4Wp+hdo+KgJcSB1TH2+J3OJYtzA==
=gpvY
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:43 EDT