Debian DSA-086-1 : ssh-nonfree - remote root exploit

This script is Copyright (C) 2004-2013 Tenable Network Security, Inc.


Synopsis :

The remote Debian host is missing a security-related update.

Description :

We have received reports that the 'SSH CRC-32 compensation attack
detector vulnerability' is being actively exploited. This is the same
integer type error previously corrected for OpenSSH in DSA-027-1.
OpenSSH (the Debian ssh package) was fixed at that time, but
ssh-nonfree and ssh-socks were not.

Though packages in the non-free section of the archive are not
officially supported by the Debian project, we are taking the unusual
step of releasing updated ssh-nonfree/ssh-socks packages for those
users who have not yet migrated to OpenSSH. However, we do recommend
that our users migrate to the regularly supported, DFSG-free 'ssh'
package as soon as possible. ssh 1.2.3-9.3 is the OpenSSH package
available in Debian 2.2r4.

The fixed ssh-nonfree/ssh-socks packages are available in version
1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for
use with the Debian unstable/testing distribution. Note that the new
ssh-nonfree/ssh-socks packages remove the setuid bit from the ssh
binary, disabling rhosts-rsa authentication. If you need this
functionality, run

chmod u+s /usr/bin/ssh1

after installing the new package.

See also :

http://www.debian.org/security/2001/dsa-086

Solution :

Upgrade the affected ssh-nonfree and ssh-socks packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: Debian Local Security Checks

Nessus Plugin ID: 14923 (debian_DSA-086.nasl)

CVE ID: CVE-2001-0144, CVE-2001-0361