OpenSSH Rumors

Over the past 24 hours we've had a number of readers tell us that there is an OpenSSH exploit in active use. We cannot confirm its existence, other than a DoS exploit for OpenSSH that recently showed up on Milw0rm. If you have any concrete evidence of this (not rumors or URLs to blogs where people are discussing that there might be a problem) please let us know via our contact form. Again, no rumors and no links to discussions of rumors please. We need reports of active exploitation or other evidence that this is a real issue.

Marcus H. Sachs
Director, SANS Internet Storm Center


ISC Handler
Jul 7th 2009
Hi all,

I have received, since Sunday morning, at least 35 alerts coming from one of my Debian servers hosting Debian 5.0, related to SSH access attempts ... It would be nice to give more updates on such attacks ... How could we try to capture the worm/exploit?

Best regards,

Actually, 4.3 *is* the latest RHEL/CentOS SSH version. openssh-server-4.3p2-29.el5 has been backported by RH engineers to supposedly patch all of the bugs that have since been disclosed up until the latest OpenSSH versions released by the OpenBSD project people. For enterprise stability purposes (which is why Gov and large businesses buy Red Hat) the versions and features are kept approximately the same as the original RHEL distribution release, but bugs are cleaned up. So if this vulnerability is valid, then possibilities include:
1. All OpenSSH versions are vulnerable
2. Unknown vulnerability was unwittingly patched as part of a version feature upgrade with newer-than-4.3 OpenSSH versions
3. Red Hat engineers failed to properly fix bugs with their backporting efforts.

- n3kt0n
Is this rumor worth shutting down SSH access to customers? At what point can anyone able to create semi-plausible log snippets create a DoS?


Presuming there is a threat to openssh-server-4.3p2-29.el5, does anyone know which dependencies would need to be met to update to 5.2p1?

Perhaps this exploit is only valid for poorly configured sshd configurations. Hardening SSH and using something like fail2ban would certainly be advisable.
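For the earlier question about seeing what the "ssh access attempts" alerts actually are, and the fail2ban suggestion just above, here is an added detection example (not code from this thread or from fail2ban). It parses Debian-style sshd auth.log lines, flags sources that exceed a failed-password threshold inside a time window (the rule a fail2ban sshd jail applies before banning), and separately lists logins that were accepted from a source that had already failed, which a ban-only tool never reports. The log excerpt is constructed, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Debian 5.0 style auth.log excerpt (sample data, not from the thread).
SAMPLE_AUTH_LOG = """\
Jul  7 03:12:01 web1 sshd[4120]: Failed password for invalid user admin from 192.0.2.15 port 40212 ssh2
Jul  7 03:12:03 web1 sshd[4122]: Failed password for invalid user oracle from 192.0.2.15 port 40220 ssh2
Jul  7 03:12:05 web1 sshd[4124]: Failed password for root from 192.0.2.15 port 40231 ssh2
Jul  7 03:12:08 web1 sshd[4126]: Failed password for invalid user test from 192.0.2.15 port 40240 ssh2
Jul  7 03:12:09 web1 sshd[4128]: Failed password for invalid user guest from 192.0.2.15 port 40250 ssh2
Jul  7 03:14:11 web1 sshd[4130]: Accepted publickey for deploy from 198.51.100.7 port 51234 ssh2
Jul  7 03:20:40 web1 sshd[4140]: Failed password for bob from 198.51.100.7 port 51300 ssh2
Jul  7 03:21:02 web1 sshd[4142]: Accepted password for bob from 198.51.100.7 port 51302 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_events(log_text, year=2009):
    """Yield (timestamp, event, user, src) per sshd auth line; syslog omits the year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            yield ts, m["event"], m["user"], m["src"]

def find_bruteforce(log_text, threshold=5, window_seconds=600):
    """Sources with >= threshold failed passwords inside window_seconds -> (total failures, sorted usernames)."""
    failures, hits = defaultdict(list), {}
    for ts, event, user, src in parse_events(log_text):
        if event == "Failed password":
            failures[src].append((ts, user))
    for src, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            if sum((t - start).total_seconds() <= window_seconds for t, _ in attempts[i:]) >= threshold:
                hits[src] = (len(attempts), sorted({u for _, u in attempts}))
                break
    return hits

def logins_after_failures(log_text):
    """(src, user) pairs where a login was accepted after that source had already failed a password."""
    seen_failure, flagged = set(), []
    for _, event, user, src in parse_events(log_text):
        if event == "Failed password":
            seen_failure.add(src)
        elif event.startswith("Accepted") and src in seen_failure:
            flagged.append((src, user))
    return flagged
```

Run it against a real auth.log to see which sources would trip a fail2ban-style threshold; the distinct-username list distinguishes dictionary runs (many users from one source) from a single user mistyping a password.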
Such stories, when spread, make people/admins panic even if there isn't any proof of such an issue.

To calm down, I encourage people/admins to use a port-knocking system, especially on their SSH service, at least in the meantime.
