Update Protection against Malformed SSH Key Exchange Init Message Vulnerability

Check Point Reference: CPAI-2006-069
Date Published:
Severity:
Last Updated:
Source: FrSIRT/ADV-2006-1820
Secunia Advisory: SA19845
Industry Reference(s): CVE-2006-2421
CVE-2006-2407
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Connectra
  • NGX R61
Who is Vulnerable?
FortressSSH version 4.0.7.20 and earlier versions
WeOnlyDo! Software wodSSHServer 1.2.7
WeOnlyDo! Software wodSSHServer 1.3.3 DEMO and possibly other versions
Vulnerability Description
Several vulnerabilities were reported in the following SSH servers:

FortressSSH is an SSH server for Microsoft Windows. A buffer overflow vulnerability has been identified in the way FortressSSH handles a specially crafted key exchange message received from an SSH client.

wodSSHServer is an SSH server ActiveX component that adds secure tunneling capabilities. A buffer overflow vulnerability has been identified in the way wodSSHServer handles a specially crafted key exchange algorithm string received from an SSH client.

Both vulnerabilities could be exploited by remote attackers to compromise a vulnerable system via a malicious SSH client.
Update/Patch Available
wodSSHServer:

Upgrade to wodSSHServer ActiveX Component version 1.3.4:
http://www.weonlydo.com/index.asp?showform=SSHServer

FortressSSH: No patch is available at the moment.
Vulnerability Details
The flaw in FortressSSH is due to a buffer overflow error when logging a specially crafted SSH_MSG_KEXINIT message received from an SSH client, which could be exploited by remote attackers to compromise a vulnerable system via a malicious client.

WeOnlyDo! Software wodSSHServer does not validate key exchange algorithm strings supplied by a client. The vulnerability can be triggered if a client sends a specially crafted key exchange algorithm string to a vulnerable wodSSHServer installation.
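
The structural checks that RFC 4251 and RFC 4253 imply for an SSH_MSG_KEXINIT payload, as an added example (not Check Point's signature or either vendor's code, and not a statement of the exact trigger for these flaws). The function names and the sample payloads are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20   # message number assigned in RFC 4253
MAX_NAME_LEN = 64      # RFC 4251 section 6: an algorithm name is at most 64 characters
NAME_LISTS = 10        # kex, host key, 2x cipher, 2x MAC, 2x compression, 2x language


def check_kexinit(payload: bytes) -> list[str]:
    """Return the structural problems found in an SSH_MSG_KEXINIT payload."""
    problems = []
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        return ["not a KEXINIT payload"]
    pos = 17                                   # 1 byte type + 16 byte cookie
    for index in range(NAME_LISTS):
        if pos + 4 > len(payload):
            return problems + [f"name-list {index}: truncated length field"]
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        # Never trust the declared length: compare it with the bytes actually present.
        if length > len(payload) - pos:
            return problems + [f"name-list {index}: declared length {length} exceeds payload"]
        raw = payload[pos:pos + length]
        pos += length
        for name in (raw.split(b",") if raw else []):
            if not name or len(name) > MAX_NAME_LEN:
                problems.append(f"name-list {index}: bad name length {len(name)}")
            elif any(b <= 0x20 or b >= 0x7F for b in name):
                problems.append(f"name-list {index}: non-printable byte in name")
    if len(payload) - pos != 5:                # boolean first_kex_packet_follows + uint32 reserved
        problems.append("unexpected trailer length")
    return problems


def build_kexinit(lists: list[bytes]) -> bytes:
    """Build a constructed sample payload from ten raw name-list byte strings."""
    body = b"".join(struct.pack(">I", len(item)) + item for item in lists)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + bytes(5)


# Constructed samples (not captured traffic).
GOOD = build_kexinit([b"diffie-hellman-group14-sha1", b"ssh-rsa", b"aes128-ctr", b"aes128-ctr",
                      b"hmac-sha1", b"hmac-sha1", b"none", b"none", b"", b""])
OVERLONG = build_kexinit([b"A" * 300] + [b"none"] * 7 + [b"", b""])
LYING_LENGTH = GOOD[:17] + struct.pack(">I", 0xFFFF) + GOOD[21:]

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("overlong", OVERLONG), ("lying", LYING_LENGTH)):
        print(label, check_kexinit(sample))
```

A server or inspection device that applies these checks before copying or logging any name-list rejects both malformed samples without touching a fixed-size buffer.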

Protection Overview
The update defends against the vulnerability by blocking specially crafted Init messages exchanged between an SSH client and an SSH server.

Please note that the protection offered in this advisory may cause false positives by blocking legitimate traffic. We are working on solving this issue.
This issue has been fixed in the update package from February 1, 2011.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on July 5, 2006 includes the following protections:

Malformed SSH Init Message Protection (CPAI-2006-069)
Multiple IMAP Servers Directory Traversal Protection (CPAI-2006-070)
VNC Authentication Bypass Protection (CPAI-2006-071)
COM Object Instantiation Protection (MS06-013) - CPAI-2006-072
COM Object Instantiation Memory Corruption Vulnerability (MS06-021) - CPAI-2006-073
Microsoft JScript Remote Code Execution Protection (MS06-023) - CPAI-2006-074
Symantec Sygate SQL Injection Protection (CPAI-2006-075)
Horde Help Viewer Protection (CPAI-2006-076)
Virtual War (VWar) File Inclusion Protection (CPAI-2006-077)
AWStats Remote Command Execution Protection - CPAI-2006-078
Windows Media Player PNG Protection (MS06-024) - CPAI-2006-079
ART Image Rendering Protection (MS06-022) - CPAI-2006-080
MySQL Server str_to_date DoS Protection (CPAI-2006-081)

 

VPN-1 NGX R61

How Can I Protect My Network?
1. Update SmartDefense: Click the SmartDefense Services tab, click Download Updates and then click the Online Update button.
2. In the SmartDefense tree, click VPN Protocols > SSH > Block Malformed Key Exchange Init Message.



3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name : SSH Protocol Violation
Attack Information: Malformed Key Exchange Init Message

VPN-1 NGX R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click VPN Protocols > SSH > Block Malformed Key Exchange Init Message.


3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SSH Protocol Violation
Attack Information: Malformed Key Exchange Init Message

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. Update SmartDefense by clicking Update Now in the SmartDashboard General window.
2. In the SmartDefense tree, click VPN Protocols > SSH > Block Malformed Key Exchange Init Message.



3. Install policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log rule #99022.

VPN-1 VSX NGX

How Can I Protect My Network?

1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click VPN Protocols > SSH > Block Malformed Key Exchange Init Message.

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule #99022.

InterSpect NGX

How Can I Protect My Network?
1. Update SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
3. In the SmartDefense tree, click VPN Protocols > SSH > Block Malformed Key Exchange Init Message.



4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SSH Protocol Violation
Attack Information: Malformed Key Exchange Init Message

InterSpect 2.0

How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click VPN Protocols > SSH > Block Malformed Key Exchange Init Message.

 

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SSH Protocol Violation
Attack Information: Malformed Key Exchange Init Message

Connectra NGX R61

How Can I Protect My Network?
1. Update SmartDefense: In the navigation tree, click Security > SmartDefense Updates. In the Download updated content pane, enter your credentials and click Download Updates.
2. In the navigation tree, click Security > SmartDefense > Application Intelligence.
3. In the Application Intelligence page > Dynamic Attacks pane, check Block Malformed SSH Key Exchange Init Message.



4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: SSH Protocol Violation
Attack Information: Malformed Key Exchange Init Message