COMMAND

    ssh

SYSTEMS AFFECTED

    Systems running ssh server 1.2.17

PROBLEM

    The SSH Quality Control team has found security flaws in the SSH
    protocol. Some of the flaws are serious.

    The bugs concern only SSH protocol version 1.5 as implemented in
    SSH server version 1.2.17. Later versions of the server, and
    applications that use version 2 of the SSH protocol, are not
    affected by the bugs. Version 2 of the protocol is under
    development, and the first implementations should be ready by the
    end of June 1997.

    An attacker with the ability to mount active network-level attacks
    can compromise the security of a number of aspects of the SSH
    protocol as implemented in SSH-1.2.17. While some of the attacks
    are fairly serious, even in the worst case security is still
    better than with rlogin or telnet. Succeeding in breaking SSH
    security requires intimate knowledge of the protocol and the
    implementation, access to a large amount of processing power, and
    expertise in TCP/IP networking.

SOLUTION

    The known vulnerabilities can be avoided by updating the SSH
    server to version 1.2.20 or later. The server can be obtained
    from:

        http://www.Europe.DataFellows.com/f-secure/ssh/download.htm

    or the ftp sites listed at:

        http://www.cs.hut.fi/ssh/

    The client software does not need to be updated.
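
    To find servers that still need the update, the identification
    lines already collected from an inventory can be checked against
    the versions named above. The following is an added example, not
    part of the original advisory or of the SSH distribution; it
    assumes the server announces itself with a line of the form
    "SSH-1.5-1.2.17", and the function names, status labels and
    sample inventory are constructed for illustration.

```python
import re

# Identification line of the original SSH server: "SSH-<protocol>-<server version>"
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\d+(?:\.\d+)+)")

AFFECTED_PROTO = (1, 5)       # protocol version named in the advisory
AFFECTED_SERVER = (1, 2, 17)  # server version named in the advisory
FIXED_SERVER = (1, 2, 20)     # advisory: update to this version or later


def classify(banner):
    """Map one identification line to a status label (labels are hypothetical)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        # Non-numeric version strings belong to other implementations,
        # which the advisory does not cover.
        return "unknown"
    proto = (int(m.group(1)), int(m.group(2)))
    server = tuple(int(p) for p in m.group(3).split("."))
    if server >= FIXED_SERVER:
        return "fixed"
    if proto == AFFECTED_PROTO and server == AFFECTED_SERVER:
        return "affected"
    # Older than the recommended release, but not the version named as affected.
    return "below-fix"


def hosts_to_update(banners):
    """Return {host: status} for every host not yet at the fixed version."""
    report = {}
    for host, banner in banners.items():
        status = classify(banner)
        if status in ("affected", "below-fix"):
            report[host] = status
    return report


# Constructed sample inventory (documentation addresses, made-up banners).
SAMPLE = {
    "192.0.2.10": "SSH-1.5-1.2.17\n",
    "192.0.2.11": "SSH-1.5-1.2.20\n",
    "192.0.2.12": "SSH-1.5-1.2.19\n",
    "192.0.2.13": "SSH-2.0-ExampleServer\n",
}

if __name__ == "__main__":
    for host, status in sorted(hosts_to_update(SAMPLE).items()):
        print(host, status)
```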