CVE-2006-4924
Published 2006-09-27
CVE-2006-4924: sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet…
Priority: P3 / 41 / high
CVSS 2.0: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
EXPLOIT
EPSS: 34.67% (98.2th percentile)
sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.
Affected
61 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | < openssh 1:4.3p2-4 (bookworm) | openssh 1:4.3p2-4 (bookworm) |
| openbsd | openssh | — | — |
Detection & IOCs (extracted from sources)
command:
printf "\x00\x00\x08\x3d" >&3 # packet length
printf "\x00\x00\x00\x03" >&3 # packet type
printf "\x03" >&3 # cipher type
bytes: \x00\x00\x08\x3d\x00\x00\x00\x03\x03
bytes: \x00\x03\xff\xf8
- Attack targets SSH protocol version 1 only; monitor for SSHv1 negotiation attempts followed by large packets with duplicate blocks that cause a sustained CPU spike in the sshd process.
- The exploit sends an oversized SSH1 packet (length field 0x00038ff8 = ~262144 bytes of null padding) after the key exchange; detect anomalously large SSH1 packets (>8KB) containing repetitive/null byte payloads.
- The CRC compensation attack detector (deattack.c) consumes CPU time cubic in the number of duplicate blocks; alert on sshd processes consuming 100% CPU during the pre-authentication phase (before LoginGraceTime expires).
- Attack can be multiplexed across up to MaxStartups (default 10) simultaneous connections; detect multiple concurrent SSHv1 connections from the same source IP saturating sshd pre-auth slots.
- The exploit uses a pre-calculated CRC32 value of 0xb2240279 for the packet header; this constant may appear in attack tooling targeting this CVE.
- The vulnerability only affects SSH protocol version 1; disabling SSHv1 in sshd_config fully mitigates the attack.
- Red Hat Enterprise Linux 5 is not vulnerable due to a backported patch; detection rules targeting RHEL5 sshd binaries may produce false positives.
CVSS provenance
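| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | LOW | — |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |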
Ubuntu
openssh vulnerabilities
vendor_ubuntu·2006-10-02·CVSS 7.8
CVE-2006-4924 [HIGH] openssh vulnerabilities
Tavis Ormandy discovered that the SSH daemon did not properly handle
authentication packets with duplicated blocks. By sending specially
crafted packets, a remote attacker could exploit this to cause the ssh
daemon to drain all available CPU resources until the login grace time
expired. (CVE-2006-4924)
Mark Dowd discovered a race condition in the server's signal handling.
A remote attacker could exploit this to crash the server.
(CVE-2006-5051)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
BSD
FreeBSD-SA-06:22.openssh: Multiple vulnerabilities in OpenSSH
bsd_advisories·2006-09-30·CVSS 7.8
CVE-2006-4924 [HIGH] FreeBSD-SA-06:22.openssh: Multiple vulnerabilities in OpenSSH
FreeBSD-SA-06:22.openssh Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in OpenSSH
Category: contrib
Module: openssh
Announced: 2006-09-30
Credits: Tavis Ormandy, Mark Dowd
Affects: All FreeBSD releases.
Corrected: 2006-09-30 19:50:57 UTC (RELENG_6, 6.2-PRERELEASE)
2006-09-30 19:51:56 UTC (RELENG_6_1, 6.1-RELEASE-p10)
2006-09-30 19:53:21 UTC (RELENG_6_0, 6.0-RELEASE-p15)
2006-09-30 19:54:03 UTC (RELENG_5, 5.5-STABLE)
2006-09-30 19:54:58 UTC (RELENG_5_5, 5.5-RELEASE-p8)
2006-09-30 19:55:52 UTC (RELENG_5_4, 5.4-RELEASE-p22)
2006-09-30 19:56:38 UTC (RELENG_5_3, 5.3-RELEASE-p37)
2006-09-30 19:57:15 UTC (RELENG_4, 4.11-STABLE)
2006-09-30 19:58:07 UTC (RELENG_4_11, 4.11-RELEASE-p25)
CVE Name: CVE-2006-4924, CVE-2006-5051
For general information regarding FreeBSD Securit
Red Hat
openssh DoS
vendor_redhat·2006-09-19·CVSS 7.8
CVE-2006-4924 [HIGH] openssh DoS
sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian
CVE-2006-4924: openssh - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote...
vendor_debian·2006·CVSS 7.8
CVE-2006-4924 [HIGH] CVE-2006-4924: openssh - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote...
sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.
Scope: local
bookworm: resolved (fixed in 1:4.3p2-4)
bullseye: resolved (fixed in 1:4.3p2-4)
forky: resolved (fixed in 1:4.3p2-4)
sid: resolved (fixed in 1:4.3p2-4)
trixie: resolved (fixed in 1:4.3p2-4)
GHSA
GHSA-8x5c-jhv9-65x6: sshd in OpenSSH before 4
ghsa_unreviewed·2022-05-03
CVE-2006-4924 [HIGH] GHSA-8x5c-jhv9-65x6: sshd in OpenSSH before 4
sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.
OSV
CVE-2006-4924: sshd in OpenSSH before 4
osv·2006-09-27·CVSS 7.8
CVE-2006-4924 [HIGH] CVE-2006-4924: sshd in OpenSSH before 4
sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.
No detection rules found.
Bugzilla
CVE-2006-4924 openssh DoS (also CVE-2006-5051) (also for RHL7.3: CVE-2006-0225, CVE-2003-0386)
bugzilla·2006-09-30·CVSS 7.5
CVE-2006-4924 [HIGH] CVE-2006-4924 openssh DoS (also CVE-2006-5051) (also for RHL7.3: CVE-2006-0225, CVE-2003-0386)
creating as a clone of bug 207955 (and also bug 207957 which is for fc5) --
create clone doesn't seem to be working for me for some reason, so copy/pasted
in the description from those bugs.
Tavis Ormandy of the Google Security Team discovered a denial of service attack
on the openssh sshd daemon when ssh protocol version 1 is enabled. This flaw
will cause the openssh server to consume a large quantity of the CPU until the
specified timeout is reached.
The upstream patches can be found here:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h
h
Bugzilla
CVE-2006-4924 openssh DoS
bugzilla·2006-09-27·CVSS 7.8
CVE-2006-4924 [HIGH] CVE-2006-4924 openssh DoS
+++ This bug was initially created as a clone of Bug #207955 +++
Tavis Ormandy of the Google Security Team discovered a denial of service attack
on the openssh sshd daemon when ssh protocol version 1 is enabled. This flaw
will cause the openssh server to consume a large quantity of the CPU until the
specified timeout is reached.
The upstream patches can be found here:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.h.diff?r1=1.9&r2=1.10&sortby=date&f=h
Discussion:
An advisory has been issued which should help the problem
described in this bug r
Bugzilla
CVE-2006-4924 openssh DoS
bugzilla·2006-09-27·CVSS 7.8
CVE-2006-4924 [HIGH] CVE-2006-4924 openssh DoS
Tavis Ormandy of the Google Security Team discovered a denial of service attack
on the openssh sshd daemon when ssh protocol version 1 is enabled. This flaw
will cause the openssh server to consume a large quantity of the CPU until the
specified timeout is reached.
The upstream patches can be found here:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.h.diff?r1=1.9&r2=1.10&sortby=date&f=h
Discussion:
*** This bug has been marked as a duplicate of 207955 ***
Bugzilla
CVE-2006-4924 openssh DoS
bugzilla·2006-09-25·CVSS 7.8
CVE-2006-4924 [HIGH] CVE-2006-4924 openssh DoS
Tavis Ormandy of the Google Security Team discovered a denial of service attack
on the openssh sshd daemon when ssh protocol version 1 is enabled. This flaw
will cause the openssh server to consume a large quantity of the CPU until the
specified timeout is reached.
The upstream patches can be found here:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.h.diff?r1=1.9&r2=1.10&sortby=date&f=h
Discussion:
This issue also affects RHEL2.1 and RHEL3
---
*** Bug 208352 has been marked as a duplicate of this bug. ***
---
An advisory has been issued wh
Bugzilla
CVE-2006-4924 openssh DoS
bugzilla·2006-09-25·CVSS 7.8
CVE-2006-4924 [HIGH] CVE-2006-4924 openssh DoS
+++ This bug was initially created as a clone of Bug #207955 +++
Tavis Ormandy of the Google Security Team discovered a denial of service attack
on the openssh sshd daemon when ssh protocol version 1 is enabled. This flaw
will cause the openssh server to consume a large quantity of the CPU until the
specified timeout is reached.
The upstream patches can be found here:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.h.diff?r1=1.9&r2=1.10&sortby=date&f=h
Discussion:
openssh-4.3p2-4.10 has been pushed for fc5, which should resolve this issue. If t