Vunerability in OpenSSH4.3p2 for AIX5.2, 5.3
sbodily 100000RUAA Visits (4723)
IBM SECURITY ADVISORYFirst Issued: Wed Apr 4 09:05:40 CDT 2007
VULNERABILITY: Remotely exploitable denial of service vulnerabilities in OpenSSH.
PLATFORMS: OpenSSH 4.3p2 for AIX 5.2, 5.3
SOLUTION: Apply the APAR, interim fix or workaround as described below.
THREAT: A remote attacker may cause a denial of service.
CERT VU Number: n/aCVE Number: CVE-2006-4924 and CVE-
IBM provides OpenSSH for AIX. OpenSSH 4.3p2 for AIX is affected by tworemotely exploitable denial of service vulnerabilities. First, CVE-2006-4924allows a remote attacker to cause CPU consumption when sshd is configuredto allow the SSH version 1 protocol. Second, CVE-2006-5051 allows a remoteattacker to cause sshd to crash. If sshd is configured to allow GSSAPIbased authentication, the attacker may execute arbitrary code.
A remote attacker may cause a denial of service or execute arbitrary code.
OpenSSH 4.3p2-r2 for AIX 5.2 and 5.3 is available for download from:
A. CVE-2006-4924sshd uses the Protocol keyword in sshd_config to determine which version ofthe SSH protocol to use. To configure sshd to use only version 2 of the SSHprotocol, Protocol should be set to "2".
B. CVE-2006-5051ssh uses the GSSA
IV. Contact Info
If you would like to receive AIX Security Advisories via email, pleasevisit:
Comments regarding the content of this announcement can be directed to:
To request the PGP public key that can be used to communicate securelywith the AIX Security Team send email to secu
Please contact your local IBM AIX support center for any assistance.
eServer is a trademark of International Business Machines Corporation.IBM, AIX and pSeries are registered trademarks of International BusinessMachines Corporation. All other trademarks are property of their resp