Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Erik Parker (erik.parker_at_digitaldefense.net)
Date: Fri Nov 01 2002 - 12:30:39 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Discovered by: HD Moore
    Products Tested: Netscreen-25 (All models expected to be vulnerable)
    Vendor contacted: October 23rd
    Vendor confirmed: October 23rd
    CVE: CVE-2001-0144 covered this bug.

    Original Bug discovered by: Michal Zalewski of the BindView RAZOR Team.

    In February of 2001, BindView's RAZOR Team announced the SSH1 CRC32
    compensation attack detector bug. After all was said and done, several
    vendors found their SSH implementations were vulnerable. Netscreen seems
    to have overlooked this for a year and 8 months.

    By default the Netscreen does not ship with SSH enabled, and Netscreen
    usually doesn't encourage their customers to even access the CLI on their
    devices. However, in the GUI you can enabled SSH, and disable telnet. This
    only opens SSH on the trusted interfaces, unless you specifically add
    rules to forward to this interface/port. On a normal system with SSH
    enabled, the unit will only be vulnerable to attackers on the trusted side.

    If you use any of the CRC32 exploits out there, the unit will crash
    immediately, and require a hard reboot. It does not appear from our
    analysis that anything more than a crash can occur from this.

    The vendor assured a response with an ETA to a fix by October 25th. After
    trying to get more information from them a few times after October 25th
    passed, it has fallen on deaf ears.

    Erik Parker
    Digital Defense, Inc.