-----BEGIN PGP SIGNED MESSAGE-----


===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-98.03  --  AUSCERT ALERT
                  Potential Vulnerability in ssh 1.2.26 (update)
                             30 October 1998

Last Revised: 3 November 1998

===========================================================================

PROBLEM:

    On 30 October 1998 we reported a potential vulnerability in the server
    for the latest freely available version of ssh (1.2.26).  ssh is a
    tool that allows users to make encrypted remote connections using
    strong authentication.

    One of the attacks leading to that alert has been publicly
    documented:

      http://www.news.com/News/Item/0,4,28043,00.html

    The vendor of this version of ssh has examined the code and has
    been unable to establish, at this stage, the existence of a
    vulnerability.  The vendor has created a web page to provide
    updates on this topic:

      http://www.ssh.fi/sshprotocols2/rootshell.html


SOLUTION:

    AusCERT encourages sites to maintain an awareness of this issue by
    monitoring the vendor's web site.

    Sites choosing to allow incoming connections are encouraged to ensure
    that they only allow connections from a controlled set of sources.
    For example, sites may choose to do this by applying appropriate
    filters at boundary routers and firewalls, or by investigating the
    use of tools such as tcp_wrappers.  Further, we encourage sites to
    monitor incoming traffic according to their local policies and
    procedures, and respond appropriately to any suspicious incoming ssh
    connections.

    We will continue to monitor this situation and post another alert
    should any further information be confirmed.

- ---------------------------------------------------------------------------

AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						
Postal:  Australian Computer Emergency Response Team
Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA
===========================================================================


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNmUx+Ch9+71yA2DNAQE1KgQAkSNNQS3dI1Sp5eXF8NRfB7xMszGRufKT
aCqRTkttsqvDoXX80yHt+YGRNG1+x1oD6J0LBVTjkMvJ+WzPsjCKH0YrBEdr0vWF
U6NwUjhP1fWQKHwuCPAuWa5YdzQrY+WMDB3zCotlxWa/CAP7+bUNMmDK7QJt77QP
4EQMLUgQdIg=
=EzsP
-----END PGP SIGNATURE-----