Netscreen VPN solutions ship with an SSH daemon that is vulnerable to the SSH1 CRC32 bug. In the default configuration, SSH is not enabled on their devices and when enabled, it is expected that any CRC32 exploits used to attack said device will cause a crash and require a reboot. Original bug discovered by Michal Zalewski.
5fed7ff8aace600e4148fcf25365f4e1
Discovered by: HD Moore
Products Tested: Netscreen-25 (All models expected to be vulnerable)
Vendor contacted: October 23rd
Vendor confirmed: October 23rd
CVE: CVE-2001-0144 covered this bug.
Original Bug discovered by: Michal Zalewski of the BindView RAZOR Team.
In February of 2001, BindView's RAZOR Team announced the SSH1 CRC32
compensation attack detector bug. After all was said and done, several
vendors found their SSH implementations were vulnerable. Netscreen seems
to have overlooked this for a year and 8 months.
By default the Netscreen does not ship with SSH enabled, and Netscreen
usually doesn't encourage their customers to even access the CLI on their
devices. However, in the GUI you can enabled SSH, and disable telnet. This
only opens SSH on the trusted interfaces, unless you specifically add
rules to forward to this interface/port. On a normal system with SSH
enabled, the unit will only be vulnerable to attackers on the trusted side.
If you use any of the CRC32 exploits out there, the unit will crash
immediately, and require a hard reboot. It does not appear from our
analysis that anything more than a crash can occur from this.
The vendor assured a response with an ETA to a fix by October 25th. After
trying to get more information from them a few times after October 25th
passed, it has fallen on deaf ears.
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!