Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Does OpenSSH Vulnerability Affect IDS Sensors?

I am wondering if the OpenSSH vulnerability affects IDS sensors configured to use SSH for remote connections?

I saw the notification from PSIRT and did not see any mention of the IDS sensors one way or the other.

Regards,

Chad Giulini

6 REPLIES
New Member

Re: Does OpenSSH Vulnerability Affect IDS Sensors?

The 3.x sensors at least run OpenSSH, and thus should be vulnerable. I guess Cisco forgot about them. I'm not sure about 4.x.

-ben

New Member

Re: Does OpenSSH Vulnerability Affect IDS Sensors?

I'm running 4.x here and it looks to me like OpenSSH is running on them too. I am just looking for confirmation and hopefully a recommended resolution (either upgrade the SSH on the sensors directly or a patch from Cisco).

Chad

New Member

Re: Does OpenSSH Vulnerability Affect IDS Sensors?

The PSIRT announcement was recently updated to include the status of IDS sensors.

Here is our announcement:

Symptom:

========

None, although an attacker might theoretically cause the SSH server to terminate, resulting in a denial of service.

Conditions:

===========

IDS-42xx appliances, NM-CIDS and WS-SVS-IDSM2:

Software versions from 3.0(1) through 4.1(1) are affected because they include a vulnerable version of OpenSSH.

WS-X6381-IDS:

Not affected.

The vulnerability was announced 16-Sep-2003 by members of the OpenSSH development team. Their announcement is at:

http://www.openssh.com/txt/buffer.adv

Workaround:

===========

It is generally recommended to restrict access to the SSH server on an IDS sensor to a limited number of allowed hosts, using the access list mechanism in IDS.

Further problem information:

============================

From the OpenSSH advisory:

"All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors. It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively."

The OpenSSH executables in IDS software will be updated to at least version 3.7.1 in a future service pack.

New Member

Re: Does OpenSSH Vulnerability Affect IDS Sensors?

Here's what I read on PSIRT today:

Cisco Secure Intrusion Detection System (NetRanger) appliance—Software version 4.1(2), due out end of October will have the fix. Software version 3.1(5) will have the fix for software version 3.1, release date to be determined.

I think end-of-October is just too late to get a fix. Every other vendor whose product is vulnerable has released or is in the course of coming out with one within a couple of days. I strongly urge Cisco employees on this forum to push for an update soon.

New Member

Re: Does OpenSSH Vulnerability Affect IDS Sensors?

By using sysconfig-sensor on our 3.x sensors we defined the Access Control List and limited the source addresses that can connect to the sensors.

Our understanding is that an attacker could only initiate a DOS from this trusted network.

Am I correct?

If not , we will then need to implement ACLs at the router to deny ssh traffic from all sources other than the trusted source.

So far our tests show that one can only connect to the sensor from a trusted source/network defined in the Access Control List.

Hope this helps.

Mike

New Member

Re: Does OpenSSH Vulnerability Affect IDS Sensors?

That's correct, Mike. The attacker must establish a TCP connection with the OpenSSH service before it can send data to exercise this vulnerability. Access control lists on all versions of IDS sensor only allow data to pass from an allowed host.

215
Views
0
Helpful
6
Replies