Re: Dropbear SSH server Denial of Service
On Tue, Mar 07, 2006 at 07:47:57PM +0000, Pablo Fernandez wrote:
> Dropbear SSH server Denial of Service
> The vulnerability specifically exists due to a design error in the
> authorization-pending connections code. By default and as a #define of
> the MAX_UNAUTH_CLIENTS constant, the SSH server allows 30
> authorization-pending connections, after connection 31, incoming sockets
> are close()d immediatly.
> Remote attack of this vulnerability is trivial. This is specially
> problematic if the administrator can't login due to the attack and can't
> at least blacklist the attacker, restart the service or undertake other
> actions.
> All versions (up to and including current 0.47 version) are vulnerable.
Dropbear 0.48 mitigates this issue by having a per-IP limit
as well as a global limit - this will at least prevent an
IP-deprived attacker from denying service.
It's worth noting that various other network services (such
as netkit-inetd and OpenSSH) have the same design issues, at
least in default configurations.
Matt Johnston
Dropbear developer
http://matt.ucc.asn.au/dropbear/dropbear.html