OpenSSH Vulnerability Disclosed, Version 3.4 Released 339
Dan writes: "OpenSSH 3.4 has been released and will be shortly available on all mirrors. All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 fixes this bug." And kylus writes: "The previously mentioned vulnerability in OpenSSH has been disclosed by ISS X-Force today on the BugTraq list. This is a potential remote root compromise, and while there is a workaround, it's advised that users upgrade to version 3.4 as soon as they can."
Workaround here: (Score:5, Informative)
"ChallengeResponseAuthentication no" and restart sshd
Re:Workaround here: (Score:2, Insightful)
#ChallengeResponseAuthentication yes
Re:Workaround here: (Score:2, Informative)
Re:Workaround here: (Score:3, Informative)
Re:Workaround here: (Score:3, Informative)
I think I should start an OpenSSH remote root exploit of the month club.
Do I assume this is set at no? (Score:2)
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
This was on my Red Hat Linux 7.1 workstation (also acts like a private server only to me). Do I assume this is at no value right now and I don't need to worry?
Thank you in advance.
Re:Do I assume this is set at no? (Score:3, Informative)
CERT Advisory. (Score:3, Informative)
ftp.openssh.org is getting hammered right now... sigh.
Better workaround: Mandrake (Score:2)
According to my sshd configuration under Mandrake 8.0, this is already set to "n". In fact, the comment above the line makes things even more clear:
# Comment to enable s/key passwords or PAM interactive authentication
# NB. Neither of these are compiled in by default. Please read the
# notes in the sshd(8) manpage before enabling this on a PAM system.
ChallengeResponseAuthentication no
Red Hat too?! (Score:2)
Why was it kept hush hush? (Score:2, Interesting)
Re:Why was it kept hush hush? (Score:2, Informative)
It was hinted on bugtraq a while ago that a remote root exploit for SSH was discovered but would only be disclosed once patches were available.
Re:Why was it kept hush hush? (Score:2, Insightful)
* posting a workaround that broke functionality but didn't fix the problem,
* failing to disclose (in advance) a workaround that does close the hole,
* failing to release the source code to vendors before detailing the vulerability to the general public,
* deliberately releasing the vulnerability five days earlier than expected, catching vendors off-guard, and
* using strong-arm scare tactics to force a very broken feature on the end-user community.
In short, they have made a mockery of reasonable procedure for security updates.
If this is what we should expect from OpenSSH when future security vulnerabilities arise, then I, for one, will be investigating alternatives to OpenSSH, and I strongly encourage other vendors to do the same. The security of our users' systems is too precious to be left in the hands of someone who does not have their best interests in mind.
Try something else. (Score:2)
Years ago I took a look at ssh and thought it would have lots of problems (kludgy, lots of complex features stuffed into one binary). The "Sendmail" of remote admin.
The past years have vindicated my decision many times over.
Sure stunnel and openssl have had some problems too, but as long as the stunnel people don't try to stuff tons of features in, it'll still be much better than ssh securitywise.
You could try vnc over stunnel if you really need GUIs.
Cheerio,
Link.
Re:Why was it kept hush hush? (Score:4, Insightful)
Every choice in handling this matter carries a different consequence for different groups of people. Theo can't serve every group equally.
As it turns out, recent OpenBSD installations were exposed to this, where many other platforms were not exposed.
The first question Theo had to decide was whether to spread the information around before his own user community was protected. Of course every vendor thinks they are entitled to this information. No black hats here! No rooted systems here! Your secrets are safe with us. Tell enough vendors, your secret is certain to escape.
The next question to decide is whether to create a window of opportunity for his own user base to protect themselves before giving away anything of use to the black hat community.
He can't do this without admitting that there is a big problem here. But any further details he gives become clues for those who might try to discover the flaw themselves.
As it stood, he had an option to put forward which allowed his user base to protect themselves while giving nothing away to his black hat adversaries. privsep is a case of Doing The Right Thing. I'm sure Theo does get frustrated that vendors don't put a higher priority on Do The Right Thing initiatives.
On OpenBSD itself, privsep has been there quite a while and I don't think it would be considered untested in its nascient environment.
He couldn't very well suggest to his user base "disable challenge/response". That's like backing away from Mike Tyson.
What could he have done differently?
He could have informed his own user base to install the reasonably well tested privsep version *in advance* of informing other vendors of the actual problem in secrecy *after* he completed the actual bug fix patch. This would have meant keeping the patch secret for another week or two.
But instead he chose to put his boot up the ass of vendors who think that compatibility with PAM is more important than adopting a model which eliminates 90% of the future prospect for more of the same.
If Theo were entirely sane he wouldn't be doing what he's doing. Maybe he has your best interests at heart, but the same best interests you chose for yourself.
There are always people who have good reasons for delaying The Right Thing. In the long term, I think these people contribute more to the sorry state of security that brash actions by people like Theo.
If you invest your faith in Doing The Right Thing on the technical merits, I think you'll stick with OpenSSH. If you prefer the relationship model of working hand in hand behind the scenes, maybe you won't.
Re:Why was it kept hush hush? (Score:2)
Re:Why was it kept hush hush? (Score:5, Informative)
There were basically two ways to fix your configuration. One was simple, and actually the default on most systems. The other is a pain in the ass, but Theo likes the second method because it is aesthetically more pure; a better implementation of a security conscious application.
The distributions (who couldn't get any information about the nature of the bug, just the suggestion that they fix the pain in the ass way of using sshd) correctly figured that they were being railroaded and balked.
For what it is worth, privelege separation is a better architecture for a security concious program, but setting up a chroot jail and adding new users, along with the brokeness of several ports of the new privsep code especially in the area of pluggable authentication modules (ie: RedHat) means that although I now have 3.4p1 iunstalled on my boxen, I also have privsep turned off. Less pure, but I'm a pragmatist, not an idealist.
Re:Why was it kept hush hush? (Score:2)
The Debian security team just about killed themselves getting the upgrade out for all eleven architectures and patching and backporting it to Potato.
And now we find out that we were never vulnerable.
I think there will be a movement to put a price on Theo's head.
Re:Why was it kept hush hush? (Score:2)
Before getting too upset with Theo, you should at least consider that security is Theo's life blood. The way he sees it, the primary bug in earlier versions of OpenSSH was the security architecture; by fixing that bug Debian is far ahead of the crowd since you will be impervious to a whole class of programming errors, of which this particular error is only a specific example.
He certainly didn't believe he was giving bad advice, and the fact that this whole thing has backfired on him will probably be setback enough. I'd certainly hate to see him burned so badly that he decides to drop out, just educated that even rational, well educated people don't always come to the same conclusions given the same data, and that he must let others come to their conclusions on their own.
For what it is worth I do admire the work the Debian team has done to get the new release integrated. I think it speaks volumes that the open team is also the only Linux distribution to have integrated the new features before the patch was released.
Re:Why was it kept hush hush? (Score:2, Interesting)
I don't know why, but ISS seemed to get under the skin of a lot of security researchers with their release of details of the recent Apache problem. This release was *directly responsible* for someone (I forget who, but thanks are due) to code a fairly simple work-around in the form of an Apache module, so that people can quickly install some protection whilst waiting for a fix to appear, and ancilliary apache addons (modssl, php etc.) to catch up with the new Apache release, so we are now maore-or-less protected whilst compiling, testing and installing new versiona of about half a dozen bits of software. Because of this release, the problem can be handled in a calm and non-disruptive manner.
Oh, and someone reported being hit with similar symptoms to this problem, well before ISS released the details.
Take that in contrast to when this OpenSSH problem hit the net. I was well aware of OpenSSH 3.3 and the new security features, and had a plan to wait till the next release (to check for implementation problems) and then upgrade all our servers in an orderly manner.
However,this morning, I opened Bugtraq to find a load of peeps that should know better (i.e. OpenSSH developers) screaming that there was a major root-exploit in the code I was currently running, that I had to upgrade immidiately, and no, they won't tell me what the problem is. Based on the available information, I made a judgement call, and suspended all incoming ssh access at the firewall until I could upgrade. As you can imagine, this pissed off a lot of customers. I also had to then reschedule my day to get, test and install this new version of SSH - I did not have time to put it through our usual QA process - to get us operational again.
To add insult to injury, when the details were released, it turns out to be a problem with a feature we do not even use and a simple config change was a suitable work-around.
Who do I get to bill for our (useless) 3 hour downtime?
Re:Why was it kept hush hush? (Score:5, Informative)
They were told to release an upgrade to a version that broke existing functionality, was largely untested, and were also told that it didn't directly fix the issue anyhow. The were told this without any details of what the vulnerability was, or even if it would affect them (and it turns out that nearly every distro will be unaffected).
I don't blame any distro for being a little wary and asking for more information. I believe Debian summed it up very well in their advisory [debian.org].
Re:Why was it kept hush hush? (Score:2)
But after seeing the easy patch (ChallengeResponseAuthentication no in the sshd_config file and restart sshd), I wonder where I can contribute to the "get Theo's attention" fund.
Was there ever a working 'sploit? (Score:4, Interesting)
Did any one of the many black hat groups out there actually work up a exploit or was this caught in time that it was just a possibility of being exploited?
Re:Was there ever a working 'sploit? (Score:3, Interesting)
He's a rather reliable source. In fact, he let me know that Apache on essentially ANY platform was vulnerable, long before IIS or Bugtrack had that info. Interestingly enough, a few days later, one of our servers (not one that I admin-I NEVER run Apache as Root) was Root'ed. It was just a small workgroup server, no real harm done.
Re:One Word "Gobbles" (Score:2)
Gobble! Gobble!
New Slogan! (Score:4, Funny)
~Shane
Re:New Slogan! (Score:5, Insightful)
Unfortunately, one remote hole is all you need. Such is the Unix nature.
Re:New Slogan! (Score:2)
Re:New Slogan! (Score:3, Insightful)
Re:New Slogan! (Score:5, Funny)
bbh
Re:New Slogan! (Score:2, Funny)
Sort of like cock pushups [tenaciousd.com].
Except the rooting is of a different nature.
- A.P.
Re:New Slogan! (Score:2)
The biggest security hole in Windows is the power-button. Turn it on, and POW! HACKED BY CHIN33SE!
Re:New Slogan! (Score:2)
And that is the difference between open source and proprietary. You can argue until the cows come home which one is better, but open source is demonstrably more honest. If there's a hole, you find out about it. It isn't hushed up and smushed into the next Service Pack, regardless of whether it's being sploited or not.
I'm currently building a firewall machine for my brother. I'd considered openBSD, but was going to just stick to what I know and use a cut down Linux distro. But this changes my mind. I'm still old fashioned enough to respect honesty and integrity; people who display those virtues (I've found) tend to write better code, because they're more open to positive criticism and apply higher standards to their work. So openBSD it is, and roll on the next vulnerability, sometime in 2008.
Re:New Slogan! (Score:3, Funny)
"5 hours without remote holes in the default install"
Re:New Slogan! (Score:2, Funny)
Re:New Slogan! (Score:2, Insightful)
With other OS distros, be it linux, other bsd's, commercial unix'x or stuff from MS, many services are turned on by default. Services provided by packages not necessaraly developed in house. The vendor hasent audited the code so is realy unaware of the risk of running it. The sysadmin is doubly unaware of the risk; he hasent audited the code (or is taking the word of a trusted auditor..) and may not be compleatly aware that the code is even running.
OpenBSD "secure by default" means that when a system is installed somebody has to make a concious decision to enable services, and thus make the system less secure (bug free services or not; think "airplane rule" here). Hopefully the person enabling the service will think about the security consiquences of doing so. If they dont thats not realy OpenBSDs fault.
Re:New Slogan! (Score:2)
As another poster said above, the biggest hole in Windows is the power button. The default install of what ever Microsoft is calling the server addition of Windows 2000, has IIS running. If you just connect to the Internet to get your Windows Update you'll probally be exploited before it is done.
I know I put Apache on a machine that had never been a webserver before. I started right away testing the server side includes. When they didn't work I checked the error log. I was suprised to see that an IIS worm had attempted to exploit my machine before I even began testing.
I wish more Linux installs would ship with all listening services disabled. Make you turn on what you need, not turn off what you don't.
There's security leaks everywhere (Score:2, Insightful)
The key here is that it is caught and corrected, and solutions offered.
I'm impressed (Score:3, Insightful)
I'm impressed that the OpenSSH team gave us advance warning that this bug was going to be announced, and also how to reduce the risk (privilege separation).
From [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
Is it just me.... (Score:2, Insightful)
Personally, I'd go as far to say that I would rather switch to an alternative SSHd in the period that we were given from the presence of the exploit being announced to the fix being released - rather than following the "everyone upgrade now to our super-duper-improved privaledged seperated version"
It just seems to me that rather than attempting to help us users, the way that this bug was handled was just a huge PR stunt...
and I dont like it
Re:Is it just me.... (Score:2, Insightful)
OpenSSH enjoys a broad user base and is on a lot of trusted systems, a lot of admins trust their jobs to it. Theo, Neils, Markus et al. have been pushing for people to upgrade to the later versions that contain support for Privilege Separation which make this hole pretty much worthless in the first place. However, as Theo stated on the Announce list people have been hesitant to upgrade to the newer version.
ISS notified the OpenBSD/OpenSSH group of the security hole and just like every other exploit they find, they worked WITH the developers to give them a little time to develop/test the patch before they made the announcement. How is this different than anyone else?
Theo also said OpenSSH and the exploit wouldn't be released until next Monday, but the fix has been released today. My guess is that they agreed to do the announcement as soon as the patch was developed or Monday, whichever was sooner. The patch was completed/tested ahead of schedule, so there you go.
Congrats to ISS for discovering the flaw, they killed the five year streak.
Congrats to the OpenBSD team for putting together such a good system and hopefully the next streak will be even longer.
Now the hole has been disclosed, the patch has been released. Get off your arse and start patching or don't bitch when you get rooted.
Re:Is it just me.... (Score:2)
I agree totally. What is that dude Theo smoking? We've had remote root exploits before and they were handled properly. This one was like a forced push for untested brand new privsep code. No thanks. I just added "ChallengeRepsonseAuthentication no" in my config instead.
To me it seemed like a PR stunt. Why it was handled this way I don't know, but I'm not going to jump when he demands everyone upgrade or else.
I'd go as far as to say I want to see a working exploit for this. It sounds fishy. An integer overflow (not a string overflow) causing remote root? I find that very hard to believe.
Pay no attention to the man behind the curtain...
Re:Is it just me.... (Score:2)
You have found the big hole in the "window of opportunity" description of the danger of a bug (Bruce Schneier, Cryptograms and books). Fortunately, it gives even further support to the "full disclosure" movement.
We don't need to wait for the bug-fix release to secure our systems. We can switch to alternate products, change config files, and even turn off convenient services that are not strictly necessary or block them at the firewall temporarily.
Schneier says the window is open between discovery of the bug and the time when a fix is released (and longer until everyone fixes their systems). This is a perfect example of how full disclosure allows you to close the window even before a patch is developed.
Cheers, Theo (Score:5, Interesting)
All that you need to do, as far aas I understand it, is turn Challenge/Response authentication off (which nobody uses anyway). So the line in /etc/ssh/sshd_config reads:
and then restart the daemon.
Big deal.
I don't see any need to upgrade anything. Yes, privilege separation is nice in terms of future security, but I prefer the (more likely) known stability of software that has been in use for a while.
Debian security policy is that vulnerability fixes are backported (to avoid adding anything that could cause instability or further insecurity); this was made impossible by Theo's and ISS' advisory which lacked any details about the exploit. This may have been justified had the exploit not be able to be prevented by a simple configuration change (in order to give administrators time to prepare an upgrade their systems), but not for this.
Cheers, Theo, you just cried Wolf for the entire community. If there ever is a hole major enough that everyone should (or might want to) upgrade to a version which is by nature immune rather than give away the exploit by releasing a patch, noboby's going to believe you now, and probably not anyone else either.
Probable Reason for Theo's Approach (Score:3, Informative)
Here it is a few days later, the vendors have been given time to implement fixes, and we have disclosure. What are you people complaining about? Apart from the lack of social grace that he's famous for, I'd say Theo handled this about as securely as he could. Moreover, he did so by folloing the procedure widely accepted in the security community. Am I missing something?
Re:Probable Reason for Theo's Approach (Score:3, Insightful)
Except the vendors didn't get a head start because the vulnerability wasn't disclosed to them either. They were just handed OpenSSH 3.3 and told, "Here. Use this. It doesn't fix the hole that we won't tell you about, but it will prevent it from being exploited." Now, today, the vendors have finally been allowed to see a patch and can start implementing fixes other than "upgrade to the newest version".
Hmm... "There's a problem, we won't tell you what it is, but if you upgrade to the newest version, it will go away, plus you'll get nifty new features along with it!" Where have I heard that before?
Re:Probable Reason for Theo's Approach (Score:2)
From every programmer ever? It's pretty standard when reporting a bug to get "please upgrade to the latest version and try again." Nobody wants to have to go back and fix bugs in every version of every program they've ever written.
Re:Probable Reason for Theo's Approach (Score:2)
Nope. I guess I just forgot that the Debian security team, which backports security fixes, is an anomaly.
More seriously, though, one of the often-touted benefits of open source/free software is that we produce security patches which don't introduce hordes of new features (and bugs). It's sad to see good projects starting to behave like proprietary software vendors and doubly so that it would be something as respectable as openssh.
Difference between Theo and the Borg (Score:3, Insightful)
1) The problem was fixed in a couple of days
2) The upgrade was free
3) This is the first serious security hole OpenBSD has had in nearly 6 years.
For extra credit, compute the following: average number of days between disclosure and fix, times the cost of the upgrade that gives it to you, times the number of remote-root-level security exploits in your average BorgOS over 6 years.
Re:Probable Reason for Theo's Approach (Score:2)
Apart from the lack of social grace that he's famous for, I'd say Theo handled this about as securely as he could.
Yes, he did.
Moreover, he did so by folloing the procedure widely accepted in the security community.
No, I don't think he did. Normally the exploit is announced at the same time as the fix or workaround. Instead of this, he told everyone to upgrade (which is an unnecessary inconvenience for at least some people, who could just use the workaround). He has basically forced us to (unnecessarily) upgrade to a version which has known problems.
I don't think this is standard practice, but clearly it isn't a standard situation (ssh is the one thing that locked-down boxes still may have open, and the upgrade conveniently stopped the exploit without giving it away). I'll admit that whether or not he did the right thing isn't clear cut, but I don't think he did.
With every other exploit/fix that's announced there's a "Window of Exposure" during which you are vulnerable, and that was still the case here. The only difference is that there was a chance that fewer people knew about it. But given that the exploit was found, there's no reason that it hasn't already been actively exploited for a while by black-hats.
It's generally accepted that there's always going to be a "Window of Exposure", and that the way to keep this to a minimum is to coordinate the announcement of the exploit with the announcement of the fix. I don't see why that couldn't have been the case here.
While I accept the advantages of his approach, in my particular case the disadvantages far outweigh them (if I had decided to upgrade all the boxes I'm responsible for, this would have taken me maybe about 36 hours and many remote reboots. Had I messed up then entire businesses would have gone without functional computers). My problem is that he made the decision for us, and this is exactly what full disclosure is not supposed to do.
Re:Probable Reason for Theo's Approach (Score:2)
>su -
>apt-get update
>apt-get upgrade
All done.
Re:Probable Reason for Theo's Approach (Score:2)
Re:Cheers, Theo (Score:3, Informative)
No thanks, I'll upgrade my servers and enable priviledge separation. We may or may not see exploits that get around turning off the ChallengeResponseAuthentication bugs, but I'm not taking that chance.
Re:Cheers, Theo (Score:3, Informative)
Minor correction (only AFAIK, please correct me if I'm wrong):
ISS told us that the bug was not exploitable on any 32bit plattform, later we found out that this bug is exploitable on 32bit BSDs (free* and open* IIRC).
It's not exploitable on x86 linux.
Re:Cheers, Theo (Score:2)
Ok, my server run on 2.2, so I'm safe (just joking
Re:Cheers, Theo (Score:2)
The dire warnings suggesting upgrades to 3.3 were, as far as I can tell, just a strawman to get vendor assistance in actually getting 3.3 to work. Although priviledge separation isn't a bad idea in principle, I'd question its value when you're still left with 2500 of recently-written, can't-possibly-have-been-thoroughly-audited code in the priviledged half after the 'upgrade'.
Re:Cheers, Theo (Score:5, Insightful)
This is simply not true. I believe that security is important, and that there are certain measures sysadmins should take in order to keep undesirables out of their systems. But every time somebody finds some tiny little problem in a program, suddenly the world screeches to a halt, everyone panics, and we get bombarded with headlines and emails demanding that we upgrade immediately or our data centers will explode. Oh, and by the way, don't forget to put two pages of credits on the exploit's "whitepaper".
The result of all this horn-tooting is that I don't care anymore. Whenever someone utters the words "security advisory" I simply stop listening, because 99% of advisories are crap.
Re:Cheers, Theo (Score:2)
Hold on a minute...
There's nothing to say that this isn't a vulnerability in ssh, nor that is isn't exploitable. I'm complaining about the way it was handled, not the fact that it doesn't exist!
I have seen few "crap" advisories. Most bugtraq postings refer to real vulnerabilities, and the ones that don't are quickly pointed out.
It is important to keep up; the results from those who didn't are well known.
Then at the very least listen to (hopefully digitally signed) advisories from your own vendor.
Re:Cheers, Theo (Score:3, Interesting)
(In other words, it now displays "USER@HOST.NAME's password:")
It's not really a problem, since (obviously) you need to know what user you're trying to log in as, but it would suggest that it goes through different code paths when the option's enabled compared with when it's disabled, even if you're using the same authentication type each time.
Re:Cheers, Theo (Score:2)
Trying 209.242.124.241...
Connected to goatse.cx (209.242.124.241).
Escape character is '^]'.
SSH-2.0-3.1.0 SSH Secure Shell (non-commercial)
What a pity, it's not OpenSSH! I'm sorry, I cannot upgrade that hole remotely.
well... (Score:2, Informative)
Hope HP gets their patch out (Score:2)
Thank goodness for closed networks!
What is ChallengeResponseAuthentication? (Score:5, Interesting)
Re:What is ChallengeResponseAuthentication? (Score:4, Informative)
http://www.openbsd.org/faq/faq8.html#SKey
Re:What is ChallengeResponseAuthentication? (Score:2, Informative)
OpenSSH supports the SKEY and BSD_AUTH authentication options. These are compile-time options. At least one of these options must be enabled before the OpenSSH binaries are compiled for the vulnerable condition to be present.
Both of these options are disabled unless specifically enabled with when configure is run. None of the Redhat 7.x OpenSSH spec files mention anything about BSD auth or SKey support, and so I conclude that they are not vulnerable.
Re:What is ChallengeResponseAuthentication? (Score:3, Insightful)
Easy workaround (Score:5, Funny)
ChallengeResponse... oh please! Telnet's never had these problems.
(note for the humour impared: this is a *joke*).
--
Garett
telnet+SSL+certs (Score:3, Interesting)
It's likely to be safer.
I've been using stunnel+telnet for years and I have had to patch/upgrade a lot fewer times than people using SSH.
Cheerio,
Link.
Re:Easy workaround (Score:2)
I know you were trying to be humorous, but keep in mind that telnet *does* support challenge-response via the pam system under Linux and most modern systems.
okay, let me get this straight. (Score:5, Interesting)
Okay, busy morning but glancing at the news, here's what I see:
There was a bug in the challenge/response code between 3.0-3.2.3. In fact, it's an "overflow" according the advisory. This means to me, it should be a fairly easy fix. Quote:
In addition, this overflow only works when SKEY and/or BSD_AUTH is enabled. But this seems to be "not enabled...in many distributions". How about Linux? However, OpenBSD has BSD_AUTH enabled (natch). Quote:
And now to add insult to injury, the 3.3 I installed yesterday has a new different buffer overflow, so I have to jump to 3.4 now (does it have any new bugs too?)
I don't like to jump versions on production machines. I like to fix what's running for minimum disturbance.
Can someone please explain why this vulnerability was handled this way? Why wasn't there a maintainance release that just fixed the @#$@#% problem?
I know: since the bug affected so many people, Theo thought it would be better to bury the problem in his privsep code, instead of fixing it and letting the blackhats run "diff" and find it for an easy 0-day-'sploit. In other words, security by obscurity, just like the big guys. That stinks, if you ask me.
On the other hand, I charge by the hour when I upgrade my client's machines. So thanks Theo! $-)
Re:okay, let me get this straight. (Score:2)
ha ha.. it looks like many of my machines already had "ChallengeResponseAuthentication no" for at least the last few months. I'm going to go beat myself in the head with a brick now.
Re:okay, let me get this straight. (Score:2)
You need to get a girlfriend. Then *she* can smack you w/ a brick. Seriously, my gf recently started to carry a brick in her purse. Now if I get out of line she just tosses it from hand to hand & I straighten up real quick
Re:okay, let me get this straight. (Score:2, Insightful)
could run diff.
it's because the vendors wouldn't cooperate to
make the privsep work and he got all frustrated
because the other code couldn't be fixed in time
either.
MacOSX update ? (Score:2, Interesting)
If they don't, welll, they're still a 100 times more secure than 95% of the market
Re:What version does OSX ship with? (Score:2, Informative)
[mithras:~] mithras% ssh -V
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
and
cat
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
so it seems plausible that we're vulnerable, though I'm not sure.
However, this note [macintouch.com] indicates that 3.3p1 (and presumable now 3.4) compiles fine, including the privilege-separation option, without problems.
While Apple expects [com.com] to have shipped 5 million computers with Mac OS X (and OpenSSH) by the end of the year, SSH is turned off by default. So this and future problems should affect only those who know what the hell SSH is...For gods sake (Score:5, Insightful)
1. Tell you lot nothing, get the fix done and released (in which case you wouldn't have known about it until the fix came out).
2. Or tell you there is a bug, you can fix it temporarily by doing this until we get the fix out. In which case you decide either to follow him or do nothing (because after all, thats what you'd have been doing if nothing was said)
3. Or say, we have a bug, it's this and this and this is how you exploit it and then you lot all either scramble to install something else or sit around praying you don't get rooted whilst they compose a fix because now everyone and their dog know exactly how to exploit it.
Geeesh, be thankful he actually told you number 1. Next time, I think he should probably stick with number 2 and just tell you when the fix is out - at least then you can't whinge about it.
Re:For gods sake (Score:2)
Geeesh, be thankful he actually told you number 1. Next time, I think he should probably stick with number 2 and just tell you when the fix is out - at least then you can't whinge about it.
I agree. 1 is better than 3, but 2 is what he has been doing for a long long time. This was a stunt to try and make everyone upgrade to 3.4 with the nifty privsep code that isn't fully working on all platforms yet. I suppose he's running out of alpha/beta testers and needed more or something.
Re:For gods sake (Score:2, Insightful)
A. Tell me that it only effects a small portion of installed systems.
Geesh, why make it sound like everyone had this problem?
Where are the vendor statements? (Score:2)
Thankfully the default setup on SuSE 7.3 is "ChallengeResponseAuthentication no". Unfortunately, the default on Redhat 7.[0123] is "ChallengeResponseAuthentication yes".
The good news ... (Score:3, Insightful)
Assuming this is true for all RH7.3 boxen, there aren't hundreds of boxes waiting to be r00ted. It sounds from the comments like Debian is vulnerable - what about older RedHats, and other distros?
I get the feeling this was is a molehill made into a mountain.
Re:The good news ... (Score:2, Informative)
How to fix ... (Score:5, Funny)
CheckPasswords false
And then reboot your sshd.
Finally mail me, and I'll check that you really are safe. Oh and don't about slashdot users giving you bad advice you can be sure to only get accurate information here.
I like the new slogan... (Score:3, Insightful)
One remote hole in the default install, in nearly 6 years!
*sigh*
Fun while it lasted, I guess...
Affects who? (Score:4, Interesting)
RHL configure output:
OpenSSH has been configured with the following options:
...
Smartcard support: no
S/KEY support: no
BSD Auth support: no
Code Audits, the UNIX security model (Score:3, Interesting)
Privilege separation is a step in the right direction. By minimising the amount of code running as root, it makes code audits simpler and more through, and minimises the damage any potential exploit could do in the part running as a normal user.
Stepping back from the situation, privilege separation is just a bandaid for the lousy UNIX security model. Yes, granted, UNIX / Linux (i have no experience with other UNIX systems, so i shall reserve comment) have a security model that's used, as compared to Windows 9X. (Windows 2K has a security model, but the MS culture makes it difficult to administer it, but i digress). However, this security model is too coarse grained: it grants "root" too many privileges, too many rights. This is evident in the move towards ACLs, for example in NSA's SE Linux, as well as LIDS.
We need to overhaul the security model to one that's not prone to insecure software as much. Note I said as much:No system is 100% secure, and I don't want to replace my system with a toaster.
Appreciate feedback. Thanks. =)
Re:Code Audits, the UNIX security model (Score:3, Informative)
security model is too coarse grained: ... move towards ACLs, for example in NSA's SE Linux, as well as LIDS
Actually SELinux does not implement ACL's, but rather Type Enforcement. It also has potential (and experimental impementation) to implement MLS or other security policies / methods.
What type enforcement gets you is the ability to create highly fine-grained security controls, so that the program and user-security-context have privilege to execute critical functions and that privilege can be removed from the root user.
One of the debian SELinux implementers placed an SELinux system on the 'net with root-password / ssh access advertised. This is not a proof of safety, but in fact noone succeeded in escalating privilege.
As it looks like LSM is on track to be in kernel 2.6, at least the way is presently paved.
Summary? (Score:2)
Yes: http://www.openssh.com/security.html (Score:2, Informative)
Compression and 2.2.x kernels? (Score:2)
Re:Compression and 2.2.x kernels? (Score:2)
Re:Compression and 2.2.x kernels? (Score:2)
As to the typing, if that's a serious question, I tend to type pretty quickly. Couldn't give you a WPM, though. Why the query?
Re:Compression and 2.2.x kernels? (Score:2)
3.4 is a double-edged sword on Solaris (Score:2)
How soon until djbssh? (Score:4, Interesting)
Fuck it. (Score:2, Funny)
This all could have been avoided... (Score:3, Informative)
Meaning this brouhaha, of course...
Just to combat some of the misinformation that has been spreading around here:
Don't complain too much folks... you could have to do without a robust free ssh implementation.
What is wrong with this picture (Score:3, Interesting)
Monday, June 24, 2002 11:22 PM
There is an upcoming OpenSSH vulnerability that we're working on with ISS.
Details will be published early next week.
....etc etc etc
Now ISS has up'd the ante and released it justa day and a half later. 1 and 1/2 days isn't a lot to verify that a production environment will not be adversely effected byANY new/changed element. So it would seem that "working with ISS on this issue"is synonymous"we are waiting to get blindsided". This also leads into another interesting issue. Why did ISS's reckless announcement take minutes to get through bugtraq and the OpenSSH's initial, responsible warning take 24+ hours to process? I can plainly see that Theo's letter was sent on Monday but for some reason only gets here today. I know that SMTP mail is slow..but I don't thinkmy server isTHAT slow. Fortunately, it showed up on the vuln-watch list as well and we were able to help spread the word.
> X-Force is aware of active exploit development forthis vulnerability.
I don't know if I really even believe you on this certainlyyour recent actions are not that of a company that seeks to garner trust. Of course the minute anyone suggests there is a problem with product XYZ, thousands of bored people are going to start poking around "actively" trying to develop an exploit! But blind testing from scratch would certainly have taken longer than the proposed "quiet week" before publishing details.So, lets suppose it was a more informed testing. So who knew enough about this to let it out? ISS and the OpenSSH dev team. One is made up of hard working developers who love aprogram enough give their time away to make a really great product. The other is composed of people who routinely socialize with the underground "active exploit development" community. In my opinion, at least one side would have absolutelyno motive leak their information. So I propose: A: Your analysis of the exploit development process was faulty B: there was no active development for an exploit, and you released the info for your own good.C. Someone's teamis leaking information.
In any event, there no need for any furtherunderground exploit "R&D"; everyone now has the diff blueprints to get directly to the end goal. Granted, there are people out there intelligent enough totake the time find the issue and to code an exploit without this knowledge. But these type of people wouldn't likely release it to the general populace, instead it would be used for select targets. Targets that would most likely already have security teams in placeand be up on warnings and patches. Instead we have a patch diffs in the hands of everybody and now lower skilled programmers can code the exploit. These people will spread the exploit far and wide simply for fame; only this time the targets will be everyone.
No one wins with this route you have chosen ISS. You and your X-force team used to be a respected group in my book. In the past they have provided valuable information to the security community and helped companies across the world to better secure themselves, but the handling of this and the Apache vulnerabilities are shining examples of how NOT to do things. So much for ISS being a "Trusted" center of knowledge. Trust and honor are coins you can only spend once.
Re:What is wrong with this picture (Score:3, Insightful)
Actually, I know what's wrong. Theo's notice was basically "There's a hole, wait until we release a new version and then do a major version upgrade in a hurry.". ISS's notice was "Here's the hole, here's the way to close it in your existing software.". I'd rather Theo have told everybody the simple way to close the hole right off, rather than leaving everyone hanging.
Slackware not vulnerable (Score:5, Informative)
More simple is usually more secure.
Re:Slackware not vulnerable (Score:2, Insightful)