[Fwd: Re: [discuss] Upcoming OpenSSH vulnerability]

KevinO plug-discuss@lists.plug.phoenix.az.us
Mon, 24 Jun 2002 16:33:10 -0700


This is a multi-part message in MIME format.
--------------080706000507070407060207
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit



-------- Original Message --------
Subject: Re: [discuss] Upcoming OpenSSH vulnerability
Date: Mon, 24 Jun 2002 15:42:46 -0600
From: Vincent Danen <vdanen@mandrakesoft.com>
Reply-To: discuss@mandrakesecure.net
Organization: Danen Consulting Services (www.danen.net)
To: discuss@mandrakesecure.net
References: <Pine.A41.4.10.10206241520380.213388-100000@acs4.acs.ucalgary.ca>

On Mon Jun 24, 2002 at 03:21:24PM -0600, Daniel Woods wrote:

 > FYI...

Updates are currently in the works.  The vulnerability, as stated is
not yet public.  I am close to having openssh built for all supported
platforms and just need to test them all now.

 > Date: Mon, 24 Jun 2002 23:06:31 +0200
 > From: Markus Friedl <markus@openbsd.org>
 > Reply-To: openssh@openssh.com
 > To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org
 > Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
 >
 >
 > On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
 > > Date: Mon, 24 Jun 2002 15:00:10 -0600
 > > From: Theo de Raadt <deraadt@cvs.openbsd.org>
 > > Subject: Upcoming OpenSSH vulnerability
 > > To: bugtraq@securityfocus.com
 > > Cc: announce@openbsd.org
 > > Cc: dsi@iss.net
 > > Cc: misc@openbsd.org
 > >
 > > There is an upcoming OpenSSH vulnerability that we're working on with
 > > ISS.  Details will be published early next week.
 > >
 > > However, I can say that when OpenSSH's sshd(8) is running with priv
 > > seperation, the bug cannot be exploited.
 > >
 > > OpenSSH 3.3p was released a few days ago, with various improvements
 > > but in particular, it significantly improves the Linux and Solaris
 > > support for priv sep.  However, it is not yet perfect.  Compression is
 > > disabled on some systems, and the many varieties of PAM are causing
 > > major headaches.
 > >
 > > However, everyone should update to OpenSSH 3.3 immediately, and enable
 > > priv seperation in their ssh daemons, by setting this in your
 > > /etc/ssh/sshd_config file:
 > >
 > > 	UsePrivilegeSeparation yes
 > >
 > > Depending on what your system is, privsep may break some ssh
 > > functionality.  However, with privsep turned on, you are immune from
 > > at least one remote hole.  Understand?
 > >
 > > 3.3 does not contain a fix for this upcoming bug.
 > >
 > > If priv seperation does not work on your operating system, you need to
 > > work with your vendor so that we get patches to make it work on your
 > > system.  Our developers are swamped enough without trying to support
 > > the myriad of PAM and other issues which exist in various systems.
 > > You must call on your vendors to help us.
 > >
 > > Basically, OpenSSH sshd(8) is something like 27000 lines of code.  A
 > > lot of that runs as root.  But when UsePrivilegeSeparation is enabled,
 > > the daemon splits into two parts.  A part containing about 2500 lines
 > > of code remains as root, and the rest of the code is shoved into a
 > > chroot-jail without any privs.  This makes the daemon less vulnerable
 > > to attack.
 > >
 > > We've been trying to warn vendors about 3.3 and the need for privsep,
 > > but they really have not heeded our call for assistance.  They have
 > > basically ignored us.  Some, like Alan Cox, even went further stating
 > > that privsep was not being worked on because "Nobody provided any info
 > > which proves the problem, and many people dont trust you theo" and
 > > suggested I "might be feeding everyone a trojan" (I think I'll publish
 > > that letter -- it is just so funny).  HP's representative was
 > > downright rude, but that is OK because Compaq is retiring him.  Except
 > > for Solar Designer, I think none of them has helped the OpenSSH
 > > portable developers make privsep work better on their systems.
 > > Apparently Solar Designer is the only person who understands the need
 > > for this stuff.
 > >
 > > So, if vendors would JUMP and get it working better, and send us
 > > patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
 > > which supports these systems better.  So send patches by Thursday
 > > night please.  Then on Tuesday or Wednesday the complete bug report
 > > with patches (and exploits soon after I am sure) will hit BUGTRAQ.
 > >
 > > Let me repeat: even if the bug exists in a privsep'd sshd, it is not
 > > exploitable.  Clearly we cannot yet publish what the bug is, or
 > > provide anyone with the real patch, but we can try to get maximum
 > > deployement of privsep, and therefore make it hurt less when the
 > > problem is published.
 > >
 > > So please push your vendor to get us maximally working privsep patches
 > > as soon as possible!
 > >
 > > We've given most vendors since Friday last week until Thursday to get
 > > privsep working well for you so that when the announcement comes out
 > > next week their customers are immunized.  That is nearly a full week
 > > (but they have already wasted a weekend and a Monday).  Really I think
 > > this is the best we can hope to do (this thing will eventually leak,
 > > at which point the details will be published).
 > >
 > > Customers can judge their vendors by how they respond to this issue.
 > >
 > > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
 > > On OpenBSD privsep works flawlessly, and I have reports that is also
 > > true on NetBSD.  All other systems appear to have minor or major
 > > weaknesses when this code is running.
 > >
 > > (securityfocus postmaster; please post this through immediately, since
 > > i have bcc'd over 30 other places..)
 > _______________________________________________
 > openssh-unix-announce@mindrot.org mailing list
 > http://www.mindrot.org/mailman/listinfo/openssh-unix-announce
 >
 >
 >
 >
 > For help, email discuss-help@mandrakesecure.net; to unsubscribe send a
 > message to discuss-unsubscribe@mandrakesecure.net.  To visit MandrakeSecure,
 > go to http://www.mandrakesecure.net/.
 >

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD

Current Linux kernel 2.4.18-6.10mdk uptime: 16 days 17 hours 58 minutes.


-- 
Kevin O'Connor

  "People will be free to devote themselves to activities that are fun ...

The GNU Manifesto - Copyright (C) 1985, 1993 Free Software Foundation, Inc.

--------------080706000507070407060207
Content-Type: application/pgp-signature;
 name="file:///tmp/nsmail.tmp"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="file:///tmp/nsmail.tmp"

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjEuMC43IChH
TlUvTGludXgpCgppRDhEQlFFOUY1SldJRVBRNWY1dkt2MFJBanFNQUtDeFUydHRjblFpSURP
cFRRZ3FqYURZMXpKSW1RQ2dzTnFtCnkxeUVkZnE5eHhlV21oY2RHUm01Y0pzPQo9SDg2dgot
LS0tLUVORCBQR1AgU0lHTkFUVVJFLS0tLS0KCg==
--------------080706000507070407060207--