As promised, our advisory: http://xforce.iss.net/xforce/alerts/id/144 Regards, =============================== Daniel Ingevaldson Engineering Manager, X-Force R&D dsi@iss.net 404-236-3160 Internet Security Systems, Inc. The Power to Protect http://www.iss.net =============================== -----Original Message----- From: Ingevaldson, Dan (ISS Atlanta) Sent: Tuesday, September 16, 2003 4:01 PM To: Valdis.Kletnieks@vt.edu; Richard A Steenbergen Cc: William Allen Simpson; nanog@nanog.org Subject: RE: new openssh issue ISS X-Force discovered this vulnerability and our advisory will be released shortly. We were working to determine the full scope of the vulnerability before we notified the vendor. Unfortunately, someone else found the flaw and began to cause discuss it using specifics. That caused us to push forward our disclosure. Typically, when we do X-Force Advisories, we have developed an in-house, functional exploit (not proof of concept) in order to verify the exact nature and scope of the issue. We have not done so in this case. Right now it is undetermined if the issue is exploitable on *any* platform. It may turn out that it may be exploitable on every platform. This issue is serious enough that it should be addressed on all platforms as quickly as possible. I'll forward our Advisory to the list when it is public. Regards, =============================== Daniel Ingevaldson Engineering Manager, X-Force R&D dsi@iss.net 404-236-3160 Internet Security Systems, Inc. The Power to Protect http://www.iss.net =============================== -----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Tuesday, September 16, 2003 3:50 PM To: Richard A Steenbergen Cc: William Allen Simpson; nanog@nanog.org Subject: Re: new openssh issue On Tue, 16 Sep 2003 15:33:03 EDT, Richard A Steenbergen said:
patched, but does anybody know whether there's a problem with the criscos? (as in "how do I configure my router for that?" ;-)
Or better yet, the OpenSSH running on Junipers? Nothing on Juniper's site about a vulnerability so far.
A posting to full-disclosure quotes Theo as saying HP and Cisco are affected, and I don't see any reason that Juniper would *NOT* be, given the common code base of the OpenSSH implementations. I'm not going to say the routers are vulnerable, but I *would* say that ACLs blocking port 22 to the router might be a good idea.....