| Field | Value |
|---|---|
| VID | 14022 |
| Severity | 40 |
| Port | 22 |
| Protocol | TCP |
| Class | Ssh |
| Detailed Description | The SSH server is older than version 1.2.32 of SSH, or is a version of OpenSSH older than 2.3.0. These versions are vulnerable to a flaw in the CRC-32 compensation code that allows an attacker to insert arbitrary commands into an SSH stream. An attacker with access to the encrypted SSH stream may insert encrypted blocks into the stream that decrypt to arbitrary commands, which are then executed on the SSH server. References: http://www.securityfocus.com/bid/2347 ; http://www.core-sdi.com/english/ssh/ |
| Recommendation | Upgrade to version 1.2.32 of SSH, which fixes this problem, or to version 2.3.0/2.3.2 of OpenSSH. (Note: OpenSSH version 2.3.1 has a serious authentication-related flaw.) |
| Related URL | CVE-2001-0144 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |