[f-nsp] OpenSSH vulnerability

Jared Mauch jared at puck.nether.net
Wed Sep 17 15:22:12 EDT 2003


On Wed, Sep 17, 2003 at 11:51:09AM -0700, Andrew Lee wrote:
> Is Foundry gear vulnerable to the remote exploit
> (http://www.cert.org/advisories/CA-2003-24.html) in the OpenSSH engine?
> 
> Apparently some Cisco gear is:
> http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml
> because they used the OpenSSH engine in CatOS (PIX and IOS are not).  I
> hear rumblings that Juniper is as well.

	Juniper uses OpenSSH, but I believe that most people who use
these devices are bright enough to lock down the control plane
from unauthorized IP addresses.

	Worst case scenario for people out there, restrict access to your
devices from your entire customer-netblocks...  this will mean that if
you can't lock down to a specific set of IPs, you at least know
it came from your network..  this is what I did in a previous life
before we locked down to a specific set of IPs.. this allowed people
to fix things when they were at home and on call...

	It's a good practice for all your devices.. lock down traffic
to them all, be it Foundry, Cisco, Juniper, or even some dumb
home NAT box/router.

	- jared

> 
> There doesn't seem to be anything on the web site, their latest press
> release was 9/8. 
> 
> It would be nice to know for sure one way or the other.
> 
> 
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
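
An added example, not part of the original message: a small audit that sorts SSH login attempts from a device log into the two tiers described above (a specific set of management IPs, then the wider customer netblocks) and flags anything from outside both. The prefixes, log lines and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed policy using documentation ranges (assumptions, not real networks).
MGMT_HOSTS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]
CUSTOMER_NETBLOCKS = [ipaddress.ip_network(n)
                      for n in ("198.51.100.0/24", "2001:db8:100::/48")]

# Constructed sshd-style log lines for the demonstration.
SAMPLE_LOG = """\
Sep 17 15:01:02 rtr1 sshd[411]: Accepted password for noc from 192.0.2.10 port 40112 ssh2
Sep 17 15:03:44 rtr1 sshd[412]: Failed password for admin from 198.51.100.77 port 51515 ssh2
Sep 17 15:04:10 rtr1 sshd[413]: Failed password for invalid user root from 203.0.113.9 port 2201 ssh2
Sep 17 15:05:30 rtr1 sshd[414]: Accepted password for noc from 2001:db8:100::5 port 60001 ssh2
Sep 17 15:06:00 rtr1 sshd[415]: Connection closed by 203.0.113.9
"""

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")


def classify(addr):
    """Return the policy tier a source address falls into."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed"  # hostname or garbage in the address field
    # Membership tests across IPv4/IPv6 are simply False, so mixed lists are safe.
    if any(ip in net for net in MGMT_HOSTS):
        return "mgmt"
    if any(ip in net for net in CUSTOMER_NETBLOCKS):
        return "customer"
    return "outside"


def audit(log_text):
    """Return (tier, result, user, source) for every SSH login attempt in the log."""
    rows = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            result, user, src = m.groups()
            rows.append((classify(src), result, user, src))
    return rows


if __name__ == "__main__":
    for tier, result, user, src in audit(SAMPLE_LOG):
        flag = "  <-- ACL should have dropped this" if tier == "outside" else ""
        print(f"{tier:9} {result:8} {user:6} {src}{flag}")
```

Any row in the "outside" tier means the control-plane filter is missing or incomplete on that device, since the attempt reached sshd at all.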


