{"vuid":"VU#787448","idnumber":"787448","name":"OpenSSH fails to properly handle multiple identical blocks in a SSH packet","keywords":["OpenSSH","DoS","CRC compensation attack detector","apple_2007-003"],"overview":"OpenSSH fails to properly handle multiple identical blocks in a SSH packet. This vulnerability may cause a denial-of-service condition.","clean_desc":"OpenSSH is an open source client and server implementation of the Secure Shell (SSH) protocol. OpenSSH includes a cyclic redundancy check (CRC) compensation attack detection function that produces a checksum on a block of data in a SSH packet. This function was introduced to defend against exploitation of CRC weaknesses in version 1 of the SSH protocol (see VU#13877). Multiple identical blocks contained within a SSH packet may trigger a computationally expensive operation within the CRC attack detector that can lead to a denial of service. According to the OpenSSH 4.4 release notes: [This vulnerability] ...would cause sshd(8) to spin until the login grace time expired. The OpenSSH sshd daemon is only vulnerable when SSH protocol version 1 is enabled.","impact":"A remote, unauthenticated attacker could cause a denial-of-service condition by sending specially crafted packets to the OpenSSH server that would cause it to use excessive CPU time until a connection timeout occurs.","resolution":"Upgrade\nSee the systems affected section of this document for information about specific vendors. Users who compile OpenSSH from source are encouraged to update to the most recent version.","workarounds":"Disable SSH version 1\nSSH protocol version 1 should be disabled in order to prevent this vulnerability from occurring on affected systems.","sysaffected":"","thanks":"This issue was reported in the OpenSSH 4.4 release notes. OpenSSH credits Tavis Ormandy of the Google Security Team for reporting this issue.","author":"This document was written by Chris Taschner.","public":["http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=115939141729160&w=2","https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207955","http://secunia.com/advisories/22091","http://www.securityfocus.com/bid/20216","http://www.openssh.com/txt/release-4.4","https://issues.rpath.com/browse/RPL-661","http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566","http://secunia.com/advisories/22208/","http://secunia.com/advisories/22236/","http://secunia.com/advisories/22183/","http://support.avaya.com/elmodocs2/security/ASA-2006-216.htm","http://secunia.com/advisories/22362/","http://secunia.com/advisories/22495/","http://secunia.com/advisories/23241/","http://docs.info.apple.com/article.html?artnum=305214"],"cveids":["CVE-2006-4924"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-09-28T13:42:07Z","publicdate":"2006-09-27T00:00:00Z","datefirstpublished":"2006-10-04T20:20:43Z","dateupdated":"2007-03-13T22:01:44Z","revision":45,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"2","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"13","cam_population":"20","cam_impact":"3","cam_easeofexploitation":"14","cam_attackeraccessrequired":"20","cam_scorecurrent":"8.82","cam_scorecurrentwidelyknown":"10.395","cam_scorecurrentwidelyknownexploited":"16.695","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":8.82,"vulnote":null}