SSH Communications Security
Helsinki, Finland - October 1, 2003

SSH Secure Shell Security Vulnerability in BER Decoding

Description

A vulnerability has been detected in the way SSH Secure Shell handles the decoding of BER/DER encoded packets. BER/DER encoding is used in digital certificates, which are used for authenticating a user to a host. Certificates are also commonly used for authenticating SSL/TLS connections. Using malformed BER/DER packets, the receiving host can potentially be crashed, making a Denial-of-Service (DoS) attack possible.

Please note that this vulnerability does not apply to users of non-commercial versions of SSH Secure Shell (Unix), since the non-commercial versions do not contain the ASN.1 related libraries.

Affected Products

You are vulnerable if:

* You are using certificate-based authentication in commercially available versions of SSH Secure Shell with the "Pki" definition in the configuration file. This applies to Windows and Unix Secure Shell Servers.
* You are using hostbased authentication for the server and the client. It is not possible to disable certificate authentication in hostbased configurations.
* You are using the commercial or non-commercial version of the SSH Secure Shell Client for Windows.

Your server is not vulnerable if:

* You are using password authentication only.
* You use the non-commercial Unix distribution that does not contain the PKI functionality.
* You allow public key authentication WITHOUT specifying the "Pki" keyword in the server configuration file (sshd2_config).

Action

We strongly advise you to upgrade your installation to version 3.2.9 of SSH Secure Shell as soon as possible. Customers may download the SSH Secure Shell update from Updates and Packages in the Download section. A valid license file is required for all the binaries. Depending on your license file, the Unix binaries will function as the SSH Secure Shell for Workstations or the SSH Secure Shell for Servers product.

If you wish to obtain a license file, please visit our online store or contact your sales representative.

Updating SSH Secure Shell from 3.1.x to 3.2.5

If you have a commercial license for 3.1.x or 3.2.x versions, you can install the 3.2.9 version binaries on top of the old 3.1.x or 3.2.x ones.

Updates and Packages

* SSH Secure Shell for Workstations 3.2
* SSH Secure Shell for Servers 3.2
* SSH Secure Shell for Windows Servers 3.2

Versions

All versions from version 3.0 to 3.2.5 are affected.

SSH Communications Security is committed to utmost security

SSH Communications Security apologizes for any inconvenience caused. We take the security of our customers' systems very seriously and do our utmost to provide secure software. We strongly urge all customers to consider the implications of this vulnerability and to make an educated decision on whether or not to update/upgrade.
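The Description above states that a malformed BER/DER packet can crash the receiving host. The following C example was written for this page and is not SSH Communications Security's code; it shows the length and bounds checks a DER decoder needs so that a bad length field (indefinite form, non-minimal encoding, or a length larger than the data actually received) is rejected instead of being trusted. It assumes single-byte tags and caps long-form lengths at 4 bytes, both choices made for this example.

```c
#include <stddef.h>
#include <stdint.h>
enum der_status { DER_OK = 0, DER_TRUNCATED = -1, DER_BAD_LENGTH = -2, DER_BAD_TAG = -3 };
/* Parse one DER tag + length header from buf[0..len). On success the caller is
 * guaranteed *hdr_len + *content_len <= len, so the content can be read without
 * running past the buffer. Single-byte tags only (an assumption of this example). */
enum der_status der_read_header(const uint8_t *buf, size_t len, uint8_t *tag,
                                size_t *content_len, size_t *hdr_len)
{
    if (len < 2) return DER_TRUNCATED;                 /* need tag + 1 length byte */
    if ((buf[0] & 0x1f) == 0x1f) return DER_BAD_TAG;   /* multi-byte tag: unsupported */
    size_t pos = 2, n = buf[1];                        /* short form: length is buf[1] */
    if (buf[1] & 0x80) {                               /* long form: 0x8N, then N bytes */
        size_t nbytes = buf[1] & 0x7f;
        /* 0x80 is BER's indefinite length, illegal in DER; the 4-byte cap is a
         * chosen limit that keeps the accumulator from overflowing on 32-bit. */
        if (nbytes == 0 || nbytes > 4) return DER_BAD_LENGTH;
        if (len - pos < nbytes) return DER_TRUNCATED;  /* length bytes themselves cut off */
        n = 0;
        for (size_t i = 0; i < nbytes; i++) n = (n << 8) | buf[pos++];
        /* DER minimal encoding: no leading zero byte, and < 0x80 must use short form */
        if (buf[2] == 0 || n < 0x80) return DER_BAD_LENGTH;
    }
    if (n > len - pos) return DER_TRUNCATED;           /* claims more data than present */
    *tag = buf[0]; *content_len = n; *hdr_len = pos;
    return DER_OK;
}
/* Walk the children of a DER SEQUENCE, validating every header before it is
 * trusted. Returns the child count, or a negative der_status on the first
 * malformed element instead of reading out of bounds. */
int der_count_children(const uint8_t *buf, size_t len)
{
    uint8_t tag; size_t clen, hlen;
    enum der_status st = der_read_header(buf, len, &tag, &clen, &hlen);
    if (st != DER_OK) return st;
    if (tag != 0x30) return DER_BAD_TAG;               /* 0x30 = constructed SEQUENCE */
    const uint8_t *p = buf + hlen;
    size_t remaining = clen;
    int count = 0;
    while (remaining > 0) {
        st = der_read_header(p, remaining, &tag, &clen, &hlen);
        if (st != DER_OK) return st;
        p += hlen + clen;
        remaining -= hlen + clen;    /* safe: der_read_header checked hlen + clen <= remaining */
        count++;
    }
    return count;
}
```

The sample inputs below are constructed for this example: a well-formed SEQUENCE { INTEGER 5, OCTET STRING "ab" } parses to two children, while an indefinite-length header, a non-minimal length, an outer length far beyond the buffer and a child whose length overruns its parent are each rejected with a status code rather than a crash.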