Problem Description
The CRC compensation attack detector in the sshd(8) daemon,
upon receipt of duplicate blocks, uses CPU time cubic in the
number of duplicate blocks received. [CVE-2006-4924]
A race condition exists in a signal handler used by the
sshd(8) daemon to handle the LoginGraceTime option, which
can potentially cause some cleanup routines to be executed
multiple times. [CVE-2006-5051]
Impact
An attacker sending specially crafted packets to sshd(8)
can cause a Denial of Service by using 100% of CPU time
until a connection timeout occurs. Since this attack can be
performed over multiple connections simultaneously, it is
possible to cause up to MaxStartups (10 by default) sshd
processes to use all the CPU time they can obtain.
[CVE-2006-4924]
The OpenSSH project believes that the race condition can
lead to a Denial of Service or potentially remote code
execution, but the FreeBSD Security Team has been unable to
verify the exact impact. [CVE-2006-5051]
Workaround
The attack against the CRC compensation attack detector can
be avoided by disabling SSH Protocol version 1 support in
sshd_config(5).
There is no workaround for the second issue.
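To confirm that a given sshd_config(5) no longer permits protocol version 1 (the condition the first workaround removes), the following POSIX shell check is an added example; it is not code from this advisory or from the OpenSSH project. It assumes the upstream "Protocol" keyword syntax (whitespace or "=" separator, comma-separated version list, "#" comments) and that sshd honours the first occurrence of a keyword in the file. When no Protocol line is present the effective value is the compiled-in default of the installed OpenSSH version, which the script does not know, so it reports "default" for the operator to verify. The sample configurations inside are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD advisory or from the OpenSSH project.
# Reports whether an sshd_config(5) still permits SSH protocol version 1.
# Assumptions (not stated in the advisory): upstream "Protocol" keyword syntax,
# and sshd uses the FIRST occurrence of a keyword, so that is the one inspected.

# ssh_protocol_state [FILE]  (reads stdin when FILE is omitted)
# prints: v2-only (exit 0) | v1-enabled (exit 1) | default (exit 2)
ssh_protocol_state() {
    line=$(cat "${1:--}" \
        | sed -e 's/#.*//' \
        | grep -i '^[[:space:]]*protocol[[:space:]=]' \
        | head -n 1)
    if [ -z "$line" ]; then
        # No effective Protocol line: compiled-in default applies; verify it
        # against the installed OpenSSH version (not known to this script).
        echo default
        return 2
    fi
    # Keep only the value: drop the keyword and separator, then all whitespace.
    value=$(printf '%s\n' "$line" \
        | sed -e 's/^[[:space:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]=]*//' \
        | tr -d '[:space:]')
    case ",$value," in
        *,1,*) echo v1-enabled; return 1 ;;
        *)     echo v2-only;    return 0 ;;
    esac
}

# Constructed sample configurations (not real files from any system).
# weak_config: the first Protocol line wins, so the later "Protocol 2" does
# not help and version 1 stays enabled.
weak_config() {
    printf '%s\n' '# Port 22' 'Protocol 2,1' 'Protocol 2' 'MaxStartups 10'
}
# hardened_config: the setting the advisory's workaround calls for.
hardened_config() {
    printf '%s\n' '# Port 22' 'Protocol 2' 'MaxStartups 10'
}
# unset_config: only a commented-out line, so the compiled-in default applies.
unset_config() {
    printf '%s\n' '#Protocol 2,1' 'MaxStartups 10'
}

# Show the weak, hardened, and unspecified cases side by side.
demo() {
    for c in weak_config hardened_config unset_config; do
        printf '%-16s ' "$c"
        $c | ssh_protocol_state || true
    done
}

demo
```

Usage against a live system is `ssh_protocol_state /etc/ssh/sshd_config`; the exit status (0, 1, 2) lets the check be folded into a configuration audit script, and a result of "default" should be resolved by checking the default Protocol value documented for the installed OpenSSH version rather than assumed.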