New ssh Exploit in the Wild 754
veg writes "In the last few hours there have been several reports of a new ssh bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will goto to try and damage Theo's pride." Update: 09/17 00:24 GMT by T : friscolr writes "Hot on the heels of rev 1 of the buffer.adv advisory, here is revision 2, which fixes more than revision 1 did. Also see the 3.7.1 release notes."
Re:CRAP! (Score:1, Insightful)
"The attack makes an enormous amount of ssh connections and attempts various offsets until it finds one that works permitting root login."
So even if the root hole cannot be exploited with priv. sep, you still have to worry about all those SSH connections eating up your resources.
install base (Score:1, Insightful)
GOOD!! Red Hat, fix your RPMs!! (Score:5, Insightful)
Great, now maybe Redhat will fix their damn openssh RPMs that they fubarred [redhat.com] with their last patch!
Re:very early (Score:4, Insightful)
It also may give those who need it on something to watch for until a patch does come out.
Re:very early (Score:5, Insightful)
Really?
How about hearing about it when you find your machines rooted?
Even though there is no patch available (yet), this heads-up is extremely valuable, as it allows people who cannot afford to be compromised to shut down or appropriately filter SSH on their systems.
C and security... again (Score:0, Insightful)
Re:CRAP! (Score:1, Insightful)
Oh come on Taco.... (Score:2, Insightful)
See how easy it is - that should be a -1 flamebait topic on your post.
Now that thats over with I belive (read: may be mistaken) but the latest version from www.openssh.com addresses that issue. But it could just be a similar issue and i'm reading it wrong. If I am enlighten me.
Re:Suggestions for a newbie? (Score:2, Insightful)
Re:install base (Score:1, Insightful)
Re:Update for debian (Score:5, Insightful)
bug 211205 [debian.org], which deals with this expoit, was resolved in 2h after the announcement. I had my box patched 15min after the slashdot story hit.
Really good stuff.
For Gentoo (Score:5, Insightful)
- cp openssh-3.6.1_p2.ebuild openssh-3.7_p1.ebuild
- emerge --update openssh
The emerge will fetch the file and complain that there is no digest.- ebuild openssh-3.7_p1.ebuild digest
- emerge --update openssh
Just tested it here, worked fine.Pat
Right... (Score:5, Insightful)
Pot = Kettle = Black (Score:1, Insightful)
Obviously the *NIX side of the world isn't bulletproof either. Now perhaps we might be spared (at least for a day or two) about the anti-M$ rants about insecure M$ code. It can happen, and it can happen regardless of OS platform.
Re:C and security... again (Score:1, Insightful)
And oCaMl is fast enough too..
Re:very early (Score:5, Insightful)
Even though there is no patch available (yet)
There is a patch available, as well as it being fixed in 3.7, which was just released this morning. That's the point of all of this. The mention of the bug was in the 3.7 release notes, i believe.
Re:install base (Score:0, Insightful)
Any "linux user" who has openssh open to the world is a huge dumbass. What part of "firewall rules" don't you understand?
Furthermore, anyone running any OS, who has any port open to anyone other than themselves is not secure.
Why all the lsh plugs? (Score:5, Insightful)
Why are there people suggesting to go from a secure package to an insecure one?
Re:Coincidence, Or... (Score:3, Insightful)
There isn't a grand conspiracy. It's just how people work. I person says something like, "So I heared that there is the possibility of an exploit due to a bug in OpenSSH they found." Someone overhears and turns around and tells the next person they see, "There's a hole in ssh that's exploitable!" and it takes off from there.
Re:Pot = Kettle = Black (Score:2, Insightful)
Fair enough, but this goes for any OS: no ports should be open by default!!!
Re:OpenSSH is big and fat (Score:4, Insightful)
To put the size comment in perspective (this is 3.7p1 on Linux/x86):
$ du -ks
272
224
Re:Great opportunity. (Score:3, Insightful)
That's a good idea. Time for the Ada-zealots [adahome.com] to "put up or shut up". Those guys never seem to put out much code... and of course they become rarer every day. If their language was really more secure, correct, and easy (yes, they claim that!), then an sshd reimplementation would be a fine demonstration to prove it.
Re:Ermm.. can anyone say "Microsoft" (Score:1, Insightful)
If so this would be a Windows vulnerability too.
Re:very early (Score:2, Insightful)
Anyone who is relying on slashdot for critical security updates is being extremely irresponsible. If your site is so sensitive, you should have blocked/filtered/whatever ssh last night when it first came out on Full Disclosure or whatever list/service you subscribe to for critical security updates..
The "Full Disclosure" message is stupid (Score:5, Insightful)
It appears that the OpenSSH people found this bug first, and released a fix in version 3.7. People who studied this fix then found the exploit. So it's stupid for this guy to tell people "upgrade to lsh", since the whole reason his buds know about this bug is because 3.7 fixes it.
Suggestions? (Score:5, Insightful)
That's right! It can form remote connections, and generate random keys, and... and... uh, well, that's about it, actually. Form connections, generate session keys.
Public/private key generation? Different program. Managing keys on a local machine? Different program. Transferring files securely? Different (wrapper) program.
Got any concrete suggestions there? Exactly how would you divide the existing tools up? Precisely which tools would you create? In what ways -- details, now -- would they be different from the half-dozen programs that come with ssh now?
Re:Pot = Kettle = Black (Score:3, Insightful)
Re:Pot = Kettle = Black (Score:4, Insightful)
The MS rants are well deserved.
While your statement about security bugs can happen on any platform is technically correct, unintended bugs are not the only thing that causes security problems. Both MS and *NIX can have unintentional bugs, which lead to security problems. In this case, MS should not be blamed for "insecure" code.
Where the MS rants are well deserved is when a system is insecure by design. It may not have been a design goal, but the design can still be insecure. Just one past example: IIS runs under the SYSTEM account. It is installed by default and turned on by default. These kinds of problems deserve to be ranted about, and MS deserves the resulting reputation. Apache may or may not be installed and/or turned on by default, depending on distribution, but even if it could be compromised, it runs as "nobody" or "wwwrun" or some other unprivileged account.
Re:Pot = Kettle = Black (Score:2, Insightful)
I recall back when IIS 4.0 first came out. You could just Google part of the default IIS home page in quotes as the search string. You'd get results pages with hundreds of new IIS boxes on the 'Net likely with nothing locked down.
I think that the design portion of M$ software is starting to get there (note that Windoze 2003 Server is at least a little more locked down by default). Of course the RPC flaws are still in the code, going from NT 4.0 all the way to include Win2K3.
I will admit that the *NIX platform and apps are inherently more secure since a lot of the code is open source, has lots of reviewing eyes, and patches come about quickly. But nevertheless it's not as secure as folks crow about.
Re:deceit (Score:3, Insightful)
"Given that the default install has ssh turned on, will they change it to "two remote holes" ?"
Yes, if they confirm the exploit. They've changed this notice in the past. It went from 0 to 1.
"Lets make some noise and force Theo to finally update that!"
Why? Just to piss off the developers? The openssh code is open and subject to review by anyone.
I think since you didn't catch this bug, we should all be asses and target you for harrassment.
"If you follow misc@ carefully you have probably seen it done before."
Bullshit. If you follow misc@, most of the exploits discussed hit previous unpatched versions of OpenBSD. The point of OBSD is to catch bugs and bad code ahead of time; it undergoes near constant review.
A lot of folks want OBSD to add to this count stuff OBSD noticed may have been exploitable, then patched it anyways, frequently weeks or months or years ahead of a known exploit. When the known exploit comes out, they point to the OBSD version 6 months ago.
Exploits are counted that can violate current, stable systems, not OBSD 2.8.
This is like blaming MS for the exploit that allowed slammer to spread; if people patched their systems when they were supposed to, they wouldn't have been inconvenienced. OTOH, MS should have caught the bug ahead of time.
I feel OBSD falls into the latter category, not the former. They are more than likely ahead of the game. Given what I've seen of security reports on Linux and FreeBSD over the past 2 years, OBSD tends to play catchup in coming up with fixes. Rather, they tend to fight the tide that their "policy" in reporting exploits is wrong.
Oddly, I think that is more a testament to them doing things right as opposed to your attitude that they are being purposefully deceitful.
Re:CRAP! (Score:3, Insightful)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW --limit 5/min --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
Re:install base (Score:3, Insightful)
Re:Exploits, Bugs, etc (Score:2, Insightful)
Re:Suggestions for a newbie? (Score:3, Insightful)
This open ssh bug is "believed" to be a vulnerability, but they didn't want to worry about trying to find out if it was. They found the bug in a code audit and fixed it. They weren't forced to reveal it because of a threat of bad publicity.
And finally:
With the report last week of Linux being the most-breached operating system
A very misleading statement, as this study only counted breachs by a human hacker and not a auto-vulnerability (worm, virus, etc.). There own statistics prove this, note the following lines from the article [globetechnology.com]:
Clearly, overall server attacks were down while just as clearly, all attacks were up. In fact, server attacks were 1/40th of the economic cost of all attacks. The dwindling cost of server attacks is probably attributed to the continued movement of web servers to apache and away from anything MS.
Re:Ermm.. can anyone say "Microsoft" (Score:5, Insightful)
Remember, we're supposed to seperate the OS and the apps that have the holes...remember?
Or are we still using the term "Windows hole" when referring to Outlook?
Re:Theo's "Pride" (Score:3, Insightful)
In your netbsd prompt type ssh -V. It's probably using ssh 3.4, not 3.6, assuming you're using the core system's ssh (Not the pkgsrc one). You should be unaffected by this hole.
OE == Windows (Score:1, Insightful)
Well, if you had said Outlook Express, then the answer is YES since MS claims OE is an inseperable component of IE and IE is an inseperable component of Windows itself, then OE == Windows.
Re:Mirror of the vulnerability description (Score:5, Insightful)
Why are they bothering with proper cleanup? This is FATAL CONDITION! ABANDON SHIP!
Only guessing, but how about to ensure that the freed memory isn't handed over to a subsequently-run app, still stuffed full of cryptographically-sensitive information?
Re:interesting comment on how to stop it... (Score:3, Insightful)
And it's only a problem because they didn't tell anyone else. There are too many people looking at SSH for holes to try and slip a security fix into a new version without mentioning it and backporting the fix. Maybee they didn't appreciate that it was an exploitable bug. Maybee this whole topic is hype and there is no exploit. Assuming they new it was an exploitable bug, they should have coordinated a fix before releasing a patched version. A local root exploit in Galeon, Grip, etc...upsetting but no use losing sleep over it. A remote root exploit in SSH, Apache, xinetd, etc...get is fixed ASAP and don't hide the problem.
Re:Why all the lsh plugs? (Score:3, Insightful)
Why are there people suggesting to go from a secure package to an insecure one?
It's alot like the Indie music scene, actually. Whatever the mainstream doesn't use is suddenly the most 3l33t and coveted tool. Because obviously OpenSSH is tainted by the touch of the mainstream individuals and now suddenly lsh is far superior. They need something to feel superior for.
I myself use what works, and OpenSSH works. Mainstream or not, it's a damn fine tool, and I have no reason to migrate to another tool unless it provides me with advantages that supersede what OpenSSH can provide.
REAL Security (Score:3, Insightful)
SECURITY 101: The only way to really protect yourself from unwanted connections from the outside world is to unplug from the network. Of course, that's hard if you're trying to build a Web Service. Even that isn't a guarantee if you can't provide physical security to prevent access to the system console. There's a handy little floppy boot disk I've seen that will break into any Windows box made, though it won't help you if the file system is encrypted. I have a feeling there are similar exploits possible on Linux or other UNIX systems if you can get to the physical box.
Point being, security is a question of choices and compromises. What series of choices (such as leaving a ssl port open or closed) gives you an acceptable risk, and still allows you to do what you need to do?