cbcvebase.
CVE-2006-4924
published 2006-09-27


Priority: P3 · 41
CVSS 2.0: 7.8 (high), AV:N/AC:L/Au:N/C:N/I:N/A:C
EXPLOIT
EPSS: 34.67% (98.2th percentile)
sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.

Affected

61 ranges · showing 25

Vendor | Product | Version range | Fixed in
debian | openssh | < openssh 1:4.3p2-4 (bookworm) | openssh 1:4.3p2-4 (bookworm)
openbsd | openssh

Detection & IOCs (extracted from sources)

command:
printf "\x00\x00\x08\x3d" >&3 # packet length
printf "\x00\x00\x00\x03" >&3 # packet type
printf "\x03" >&3 # cipher type
bytes: \x00\x00\x08\x3d\x00\x00\x00\x03\x03
bytes: \x00\x03\xff\xf8
  • Attack targets SSH protocol version 1 only; monitor for SSHv1 negotiation attempts followed by large packets with duplicate blocks causing sustained CPU spike on sshd process.
  • The exploit sends an oversized SSH1 packet (length field 0x00038ff8 = ~262144 bytes of null padding) after the key exchange; detect anomalously large SSH1 packets (>8KB) containing repetitive/null byte payloads.
  • The CRC compensation attack detector (deattack.c) consumes CPU time that grows cubically with the number of duplicate blocks; alert on sshd processes consuming 100% CPU during the pre-authentication phase (before LoginGraceTime expires).
  • Attack can be multiplexed across up to MaxStartups (default 10) simultaneous connections; detect multiple concurrent SSHv1 connections from the same source IP saturating sshd pre-auth slots.
  • The exploit uses a pre-calculated CRC32 value of 0xb2240279 for the packet header; this constant may appear in attack tooling targeting this CVE.
  • The vulnerability only affects SSH protocol version 1; disabling SSHv1 in sshd_config fully mitigates the attack.
  • Red Hat Enterprise Linux 5 is not vulnerable due to a backported patch; detection rules targeting RHEL5 sshd binaries may produce false positives.
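
An added example (not from the original page or from the OpenSSH project): a check for SSHv1 exposure that reads the effective Protocol setting from an sshd_config body and classifies the server's identification banner. Assumptions: sshd honours the first occurrence of a keyword, affected releases default to "Protocol 2,1" when the keyword is absent, and the function names and sample inputs are constructed for illustration.

```python
import re

# Assumption: releases affected by this CVE default to "2,1" when no
# Protocol line is present, and sshd uses the first occurrence of a keyword.
DEFAULT_PROTOCOL = "2,1"

def effective_options(config_text):
    """Return {lowercased keyword: first value seen} for an sshd_config body."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def config_allows_v1(config_text):
    """True if the effective Protocol list includes version 1."""
    proto = effective_options(config_text).get("protocol", DEFAULT_PROTOCOL)
    return "1" in [p.strip() for p in proto.split(",")]

def banner_offers_v1(banner):
    """Classify an identification string such as 'SSH-1.99-OpenSSH_4.3'.

    1.5 is protocol 1 only and 1.99 is protocol 2 with protocol 1
    compatibility, so any major version of 1 means SSHv1 is reachable.
    Returns None if the string is not an SSH identification banner.
    """
    m = re.match(r"SSH-(\d+)\.(\d+)-", banner)
    return None if m is None else int(m.group(1)) == 1

def audit(config_text, banner):
    """Combine the on-disk setting with what the running daemon announces."""
    opts = effective_options(config_text)
    return {
        "config_allows_v1": config_allows_v1(config_text),
        "banner_offers_v1": banner_offers_v1(banner),
        # Pre-auth limits the page names as bounding the attack's reach.
        "maxstartups": opts.get("maxstartups", "10"),
        "logingracetime": opts.get("logingracetime"),
    }

# Constructed sample: the config was hardened but the daemon still announces 1.99.
SAMPLE_CONFIG = "#Protocol 2,1\nProtocol 2\nMaxStartups 10\nLoginGraceTime 120\n"
SAMPLE_BANNER = "SSH-1.99-OpenSSH_4.3"
```

A result where config_allows_v1 is False but banner_offers_v1 is True, as with the constructed sample, points at a daemon that has not been restarted since the config change or that reads a different config file.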

CVSS provenance

nvd: 7.8 HIGH (v2.0, AV:N/AC:L/Au:N/C:N/I:N/A:C)
osv: 7.8 HIGH
vendor_debian: 7.8 LOW
vendor_redhat: 7.8 HIGH
vendor_ubuntu: 7.8 HIGH