Helsinki, Finland -
January 31, 2002
SSH Secure Shell protects against recent UNIX and Secure Shell security threats
There has been two separate announcements from CERT Coordination Center (www.cert.org).
www.cert.org/advisories/CA-2001-34.html
Describing a vulnerability in most UNIX platforms, where attackers can gain a root access to server.
This vulnerability affects systems using programs such as telnetd, rlogind or certain open source implementations of Secure Shell, that use a program called login for accessing the server.
SSH Secure Shell uses different implementation, which is not affected.
The problem can be solved by using SSH Secure Shell products and disabling telnetd, rlogind and implementations of Secure Shell that use login.
www.cert.org/advisories/CA-2001-35.html
Warning about heavily increased port scanning traffic trying to exploit known vulnerabilities.
During 2001 there has been several vulnerabilities around different Secure Shell implementations using SSH1 or SSH2 protocols.
Most of these vulnerabilities are related to SSH1 protocol, that was deprecated by SSH Communications Security in late 2000. At that time, all users were strongly advised to upgrade using SSH2 protocol only.
NOTE: Other vulnerabilities are related to other implementations of Secure Shell protocol, not to the SSH Secure Shell product family.
This problem can be solved by using SSH Secure Shell products running SSH2 protocol and disabling and removing all versions using SSH1 protocol.
Special notes:
All commercial SSH Secure Shell product from SSH Communications Security are secure, including:
(with exception of version 3.0.0 in UNIX environments, see special notes)
SSH Secure Shell products can be achieved through our online store (commerce.ssh.com) or through our distribution channels (http://www.ssh.com/sales/enduser/).
Related stories:
www.cert.org/advisories/CA-2001-34.html
Describing a vulnerability in most UNIX platforms, where attackers can gain a root access to server.
This vulnerability affects systems using programs such as telnetd, rlogind or certain open source implementations of Secure Shell, that use a program called login for accessing the server.
SSH Secure Shell uses different implementation, which is not affected.
The problem can be solved by using SSH Secure Shell products and disabling telnetd, rlogind and implementations of Secure Shell that use login.
www.cert.org/advisories/CA-2001-35.html
Warning about heavily increased port scanning traffic trying to exploit known vulnerabilities.
During 2001 there has been several vulnerabilities around different Secure Shell implementations using SSH1 or SSH2 protocols.
Most of these vulnerabilities are related to SSH1 protocol, that was deprecated by SSH Communications Security in late 2000. At that time, all users were strongly advised to upgrade using SSH2 protocol only.
NOTE: Other vulnerabilities are related to other implementations of Secure Shell protocol, not to the SSH Secure Shell product family.
This problem can be solved by using SSH Secure Shell products running SSH2 protocol and disabling and removing all versions using SSH1 protocol.
Special notes:
- In systems running both SSH2 and SSH1 software, SSH1 software should be removed from the system or in disabled in the SSH2 configuration.
- Unix version of SSH Secure Shell 3.0.0 has a known vulnerability. Users with this version were upgraded to version 3.0.1, which is not vulnerable. Windows versions of 3.0.0 are not vulnerable.
All commercial SSH Secure Shell product from SSH Communications Security are secure, including:
- SSH Secure Shell for Workstations, versions 2.x - 3.x
- SSH Secure Shell for Servers, versions 2.x - 3.x
- SSH Secure Shell for Windows Servers, versions 1.0 and 3.1
- SSH Secure Shell for Handhelds, versions 1.x
(with exception of version 3.0.0 in UNIX environments, see special notes)
SSH Secure Shell products can be achieved through our online store (commerce.ssh.com) or through our distribution channels (http://www.ssh.com/sales/enduser/).
Related stories:
SSH Corp. Contact
George Adams
SSH Communications Security Corp.
Tel: +1 781 247 2100
E-mail: 
Americas Contact
Byron Rashed
SSH Communications Security, Inc.
Tel: +1 650 251 2721
E-mail: 
Europe Contact
Bo Sorensen
SSH Communications Security Corp.
Tel: +358 20 500 7404
E-mail: 
Investor Relations
Mika Peuranen
SSH Communications Security Corp.
Tel: +358 20 500 7419
E-mail: 
U.S. Agency Contact
Cheryl Seaberg
Walt & Company
Tel: +1 408 496 0900 x 2981
E-mail: 
© 2002 SSH Communications Security Corp. All rights reserved. ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. All other names and marks are property of their respective owners.