SSH is a widely used secure shell protocol, somewhat like an encrypted and secure "telnet" program.
The vulnerabilities may allow an attacker to take control of a server running SSH.
Rapid7, a security company, developed an SSH test suite named "SSHredder", which was able to pinpoint the security flaws in several implementations of the SSH protocol.
Vendors listed as vulnerable in the relevant CERT vulnerability notes include F-Secure, SSH Communications Security, Pragma Systems and Intersoft International.
The most widely used implementation, OpenSSH, is not vulnerable.
The official response from many of the vendors listed as vulnerable has been to deny that the problem seriously affects their products.
F-Secure claim that "F-Secure SSH products are not exploitable via these attacks. While F-Secure SSH versions 3.1.0 build 11 and earlier crash on these malicious packets, we did not find ways to exploit this to gain unauthorized access or to run arbitrary code."
SSH Communications Security made a similar statement.
"SSH Secure Shell products are not exploitable via these attacks."
The original advisory is available at cert.org.