[Fwd: Re: [discuss] Upcoming OpenSSH vulnerability]
Kyle O'Malley
plug-discuss@lists.plug.phoenix.az.us
Mon, 24 Jun 2002 17:52:08 -0700
I cringe at the thought of upgrading sshd again (seems like I *just* did it for something with versions >3.1 iirc), and this time we're also adding a new user and directory (for priv seperation). Why does god hate us so.
Hmm, can any openbsd users confirm if sshd is installed and running by default? Last time I used OBSD was 2.8, and if I remember it DID have it installed and running but that was while ago. If this is the case, could this spell the end of the "running x years without a remote exploit"?
-Kyle
On Mon, Jun 24, 2002 at 04:33:10PM -0700, KevinO wrote:
>
>
> -------- Original Message --------
> Subject: Re: [discuss] Upcoming OpenSSH vulnerability
> Date: Mon, 24 Jun 2002 15:42:46 -0600
> From: Vincent Danen <vdanen@mandrakesoft.com>
> Reply-To: discuss@mandrakesecure.net
> Organization: Danen Consulting Services (www.danen.net)
> To: discuss@mandrakesecure.net
> References:
> <Pine.A41.4.10.10206241520380.213388-100000@acs4.acs.ucalgary.ca>
>
> On Mon Jun 24, 2002 at 03:21:24PM -0600, Daniel Woods wrote:
>
> > FYI...
>
> Updates are currently in the works. The vulnerability, as stated is
> not yet public. I am close to having openssh built for all supported
> platforms and just need to test them all now.
>
> > Date: Mon, 24 Jun 2002 23:06:31 +0200
> > From: Markus Friedl <markus@openbsd.org>
> > Reply-To: openssh@openssh.com
> > To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org
> > Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
> >
> >
> > On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
> > > Date: Mon, 24 Jun 2002 15:00:10 -0600
> > > From: Theo de Raadt <deraadt@cvs.openbsd.org>
> > > Subject: Upcoming OpenSSH vulnerability
> > > To: bugtraq@securityfocus.com
> > > Cc: announce@openbsd.org
> > > Cc: dsi@iss.net
> > > Cc: misc@openbsd.org
> > >
> > > There is an upcoming OpenSSH vulnerability that we're working on with
> > > ISS. Details will be published early next week.
> > >
> > > However, I can say that when OpenSSH's sshd(8) is running with priv
> > > seperation, the bug cannot be exploited.
> > >
> > > OpenSSH 3.3p was released a few days ago, with various improvements
> > > but in particular, it significantly improves the Linux and Solaris
> > > support for priv sep. However, it is not yet perfect. Compression is
> > > disabled on some systems, and the many varieties of PAM are causing
> > > major headaches.
> > >
> > > However, everyone should update to OpenSSH 3.3 immediately, and enable
> > > priv seperation in their ssh daemons, by setting this in your
> > > /etc/ssh/sshd_config file:
> > >
> > > UsePrivilegeSeparation yes
> > >
> > > Depending on what your system is, privsep may break some ssh
> > > functionality. However, with privsep turned on, you are immune from
> > > at least one remote hole. Understand?
> > >
> > > 3.3 does not contain a fix for this upcoming bug.
> > >
> > > If priv seperation does not work on your operating system, you need to
> > > work with your vendor so that we get patches to make it work on your
> > > system. Our developers are swamped enough without trying to support
> > > the myriad of PAM and other issues which exist in various systems.
> > > You must call on your vendors to help us.
> > >
> > > Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
> > > lot of that runs as root. But when UsePrivilegeSeparation is enabled,
> > > the daemon splits into two parts. A part containing about 2500 lines
> > > of code remains as root, and the rest of the code is shoved into a
> > > chroot-jail without any privs. This makes the daemon less vulnerable
> > > to attack.
> > >
> > > We've been trying to warn vendors about 3.3 and the need for privsep,
> > > but they really have not heeded our call for assistance. They have
> > > basically ignored us. Some, like Alan Cox, even went further stating
> > > that privsep was not being worked on because "Nobody provided any info
> > > which proves the problem, and many people dont trust you theo" and
> > > suggested I "might be feeding everyone a trojan" (I think I'll publish
> > > that letter -- it is just so funny). HP's representative was
> > > downright rude, but that is OK because Compaq is retiring him. Except
> > > for Solar Designer, I think none of them has helped the OpenSSH
> > > portable developers make privsep work better on their systems.
> > > Apparently Solar Designer is the only person who understands the need
> > > for this stuff.
> > >
> > > So, if vendors would JUMP and get it working better, and send us
> > > patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
> > > which supports these systems better. So send patches by Thursday
> > > night please. Then on Tuesday or Wednesday the complete bug report
> > > with patches (and exploits soon after I am sure) will hit BUGTRAQ.
> > >
> > > Let me repeat: even if the bug exists in a privsep'd sshd, it is not
> > > exploitable. Clearly we cannot yet publish what the bug is, or
> > > provide anyone with the real patch, but we can try to get maximum
> > > deployement of privsep, and therefore make it hurt less when the
> > > problem is published.
> > >
> > > So please push your vendor to get us maximally working privsep patches
> > > as soon as possible!
> > >
> > > We've given most vendors since Friday last week until Thursday to get
> > > privsep working well for you so that when the announcement comes out
> > > next week their customers are immunized. That is nearly a full week
> > > (but they have already wasted a weekend and a Monday). Really I think
> > > this is the best we can hope to do (this thing will eventually leak,
> > > at which point the details will be published).
> > >
> > > Customers can judge their vendors by how they respond to this issue.
> > >
> > > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> > > On OpenBSD privsep works flawlessly, and I have reports that is also
> > > true on NetBSD. All other systems appear to have minor or major
> > > weaknesses when this code is running.
> > >
> > > (securityfocus postmaster; please post this through immediately, since
> > > i have bcc'd over 30 other places..)
> > _______________________________________________
> > openssh-unix-announce@mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-announce
> >
> >
> >
> >
> > For help, email discuss-help@mandrakesecure.net; to unsubscribe send a
> > message to discuss-unsubscribe@mandrakesecure.net. To visit
> MandrakeSecure,
> > go to http://www.mandrakesecure.net/.
> >
>
> --
> MandrakeSoft Security; http://www.mandrakesecure.net/
> "lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
> 1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
>
> Current Linux kernel 2.4.18-6.10mdk uptime: 16 days 17 hours 58 minutes.
>
>
> --
> Kevin O'Connor
>
> "People will be free to devote themselves to activities that are fun ...
>
> The GNU Manifesto - Copyright (C) 1985, 1993 Free Software Foundation, Inc.