Cisco Vulnerable to SSH Malformed Packet Vulnerabilities
26 Dec. 2002
Certain Cisco products containing support for the Secure Shell (SSH) server are vulnerable to a Denial of Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet directed at the affected device can cause a reload of the device. No authentication is necessary for the packet to be received by the affected device. The SSH server in Cisco IOS is disabled by default.
Cisco will be making free software available to correct the problem as soon as possible.
The malformed packets can be generated using the SSHredder test suite from Rapid7, Inc. Workarounds are available. The Cisco PSIRT is not aware of any malicious exploitation of this vulnerability.
Multiple Cisco products which contain support for an SSH server are vulnerable if the SSH server is enabled. Cisco routers and Catalyst switches running the affected versions of Cisco IOS shown in the Software Version and Fixes section below have been confirmed to be vulnerable.
Cisco products which contain SSH server functionality that are confirmed not to be vulnerable include:
A suite of crafted packets has been developed to test implementations of the Secure Shell (SSH) protocol. If the SSH server has been enabled, several of the test cases cause a forced reload of the device before the authentication process is called. Each time an SSH connection attempt is made to a Cisco device running Cisco IOS with one of the crafted packets, and the SSH server is enabled on the device, the device reboots.
The SSH server feature is available in the following Cisco IOS release trains: 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T, 12.2S. All releases which have the SSH server feature are vulnerable when the SSH server is enabled by issuing the command "crypto key generate rsa" in configuration mode.
All products running vulnerable versions of Cisco IOS except the Cisco 3550 will automatically reload and resume service following the crash. The Cisco 3550 will not reload, and will require manual intervention to resume normal processing.
This Cisco IOS defect is documented in DDTS CSCdz60229.
The vulnerability can be exploited to make an affected product unavailable for several minutes while the device reloads. Once it has resumed normal processing, the device is still vulnerable and can be forced to reload repeatedly.
Obtaining Fixed Software:
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/tacpage/sw-center/.
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with obtaining the free software upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* email: firstname.lastname@example.org .
Please have your product serial number available and give the URL of this advisory as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Please do not contact either "email@example.com" or "firstname.lastname@example.org" for software upgrades.
Workarounds consist of disabling the SSH server, removing SSH as a remote access method, permitting only trusted hosts to connect to the server, and blocking SSH traffic to the device completely via external mechanisms.
Caution: The following workaround will have undesirable side effects for IPSEC sessions that terminate on the device that use RSA key pairs for device authentication, or that use certificates based on those RSA key pairs. IPSEC sessions using other authentication methods will not be affected.
For Cisco IOS the SSH server can be disabled by applying the command "crypto key zeroize rsa" while in configuration mode. The SSH server is enabled automatically upon generating an RSA key pair. Zeroing the RSA keys is the only way to completely disable the SSH server.
Access to the SSH server on Cisco IOS may also be disabled via removing SSH as a valid transport protocol. This can be done by reapplying the "transport input" command with 'ssh' removed from the list of permitted transports on VTY lines while in configuration mode. For example: