For your SA'n enjoyment

-------- Original Message --------
Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
Date: Mon, 24 Jun 2002 23:06:31 +0200
From: Markus Friedl
Reply-To: openssh@openssh.com
To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org
References: <200206242100.g5OL0BLL019128@cvs.openbsd.org>

On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
> Date: Mon, 24 Jun 2002 15:00:10 -0600
> From: Theo de Raadt
> Subject: Upcoming OpenSSH vulnerability
> To: bugtraq@securityfocus.com
> Cc: announce@openbsd.org
> Cc: dsi@iss.net
> Cc: misc@openbsd.org
>
> There is an upcoming OpenSSH vulnerability that we're working on with
> ISS. Details will be published early next week.
>
> However, I can say that when OpenSSH's sshd(8) is running with priv
> separation, the bug cannot be exploited.
>
> OpenSSH 3.3p was released a few days ago, with various improvements
> but in particular, it significantly improves the Linux and Solaris
> support for priv sep. However, it is not yet perfect. Compression is
> disabled on some systems, and the many varieties of PAM are causing
> major headaches.
>
> However, everyone should update to OpenSSH 3.3 immediately, and enable
> priv separation in their ssh daemons, by setting this in your
> /etc/ssh/sshd_config file:
>
>     UsePrivilegeSeparation yes
>
> Depending on what your system is, privsep may break some ssh
> functionality. However, with privsep turned on, you are immune from
> at least one remote hole. Understand?
>
> 3.3 does not contain a fix for this upcoming bug.
>
> If priv separation does not work on your operating system, you need to
> work with your vendor so that we get patches to make it work on your
> system. Our developers are swamped enough without trying to support
> the myriad of PAM and other issues which exist in various systems.
> You must call on your vendors to help us.
>
> Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
> lot of that runs as root. But when UsePrivilegeSeparation is enabled,
> the daemon splits into two parts. A part containing about 2500 lines
> of code remains as root, and the rest of the code is shoved into a
> chroot-jail without any privs. This makes the daemon less vulnerable
> to attack.
>
> We've been trying to warn vendors about 3.3 and the need for privsep,
> but they really have not heeded our call for assistance. They have
> basically ignored us. Some, like Alan Cox, even went further stating
> that privsep was not being worked on because "Nobody provided any info
> which proves the problem, and many people don't trust you theo" and
> suggested I "might be feeding everyone a trojan" (I think I'll publish
> that letter -- it is just so funny). HP's representative was
> downright rude, but that is OK because Compaq is retiring him. Except
> for Solar Designer, I think none of them has helped the OpenSSH
> portable developers make privsep work better on their systems.
> Apparently Solar Designer is the only person who understands the need
> for this stuff.
>
> So, if vendors would JUMP and get it working better, and send us
> patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
> which supports these systems better. So send patches by Thursday
> night please. Then on Tuesday or Wednesday the complete bug report
> with patches (and exploits soon after I am sure) will hit BUGTRAQ.
>
> Let me repeat: even if the bug exists in a privsep'd sshd, it is not
> exploitable. Clearly we cannot yet publish what the bug is, or
> provide anyone with the real patch, but we can try to get maximum
> deployment of privsep, and therefore make it hurt less when the
> problem is published.
>
> So please push your vendor to get us maximally working privsep patches
> as soon as possible!
>
> We've given most vendors since Friday last week until Thursday to get
> privsep working well for you so that when the announcement comes out
> next week their customers are immunized. That is nearly a full week
> (but they have already wasted a weekend and a Monday). Really I think
> this is the best we can hope to do (this thing will eventually leak,
> at which point the details will be published).
>
> Customers can judge their vendors by how they respond to this issue.
>
> OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> On OpenBSD privsep works flawlessly, and I have reports that is also
> true on NetBSD. All other systems appear to have minor or major
> weaknesses when this code is running.
>
> (securityfocus postmaster; please post this through immediately, since
> I have bcc'd over 30 other places..)

_______________________________________________
openssh-unix-announce@mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-announce

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

--
Kevin O'Connor

"People will be free to devote themselves to activities that are fun ...
The GNU Manifesto - Copyright (C) 1985, 1993 Free Software Foundation, Inc.
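
A quick way to check the setting the quoted advisory asks for, as an added example that is not part of the original message or of OpenSSH: the function names are hypothetical, and the parsing rules (case-insensitive keywords, `#` comment lines, first value for a keyword wins) are assumptions about sshd_config handling. A missing keyword is reported for review rather than guessed from a version default.

```shell
#!/bin/sh
# Added example (not from the original message): report the effective
# UsePrivilegeSeparation value in an sshd_config-style file.

privsep_setting() {
    # $1: path to the config file. Prints the first active value in lower
    # case, or "unset" when no uncommented line sets the keyword.
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # drop leading whitespace
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == "useprivilegeseparation") {
                print tolower(f[2]); found = 1; exit   # first value wins
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

audit_privsep() {
    # Returns 0 only when the keyword is explicitly set to "yes".
    value=$(privsep_setting "$1")
    case "$value" in
        yes)   echo "OK: UsePrivilegeSeparation yes"; return 0 ;;
        unset) echo "REVIEW: UsePrivilegeSeparation not set explicitly"; return 1 ;;
        *)     echo "FAIL: UsePrivilegeSeparation $value"; return 2 ;;
    esac
}

# Constructed sample config: the commented-out "yes" must not count, and the
# first active line ("no") takes precedence over the later "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
#UsePrivilegeSeparation yes
Port 22
useprivilegeseparation no
UsePrivilegeSeparation yes
EOF
audit_privsep "$sample" || true
rm -f "$sample"
```

On a real host, point `audit_privsep` at the daemon's actual configuration file, for example the /etc/ssh/sshd_config path named in the message.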