
Thread: OpenSSH

  1. #1
    Senior Member
    Join Date
    May 2002
    Posts
    236

    OpenSSH

    To those who use SuSE and OpenBSD: there is an undisclosed vulnerability. All SuSE distros use OpenSSH as a default during install, and users are urged to get the latest version, the 3.3 rpm from ftp.suse.com, and enable the useprivilegeseparation option.
    OpenBSD will release OpenSSH 3.4 on Monday, which will fix the vulnerability.

  2. #2
    Well, did you get it from a source on the web? If yes, will you mention the address?
    then we can read more.
    Thanks

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    *sigh*

    Unleashed> http://www.openssh.org/

    Ever try checking the obvious? Well... stupid me... of course not...

    <edit>
    (BTW, I believe the details live here)
    </edit>
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?"

  4. #4
    Senior Member
    Join Date
    May 2002
    Posts
    236
    Originally posted here by Unleashed
    Well, did you get it from a source on the web? If yes, will you mention the address?
    then we can read more.
    Thanks
    I am subscribed to several mailing lists and regularly talk with the SuSE security team.

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027

    Re: OpenSSH

    Originally posted here by Leviatan
    To those who use SuSE and OpenBSD: there is an undisclosed vulnerability. All SuSE distros use OpenSSH as a default during install, and users are urged to get the latest version, the 3.3 rpm from ftp.suse.com, and enable the useprivilegeseparation option.
    OpenBSD will release OpenSSH 3.4 on Monday, which will fix the vulnerability.
    Actually, it affects all systems using OpenSSH...

    (http://openssh.com/users.html)


    And here is the actual advisory e-mail to Bugtraq from Theo de Raadt (I couldn't find the mail on the web for some reason...):

    There is an upcoming OpenSSH vulnerability that we're working on with
    ISS. Details will be published early next week.

    However, I can say that when OpenSSH's sshd(8) is running with priv
    separation, the bug cannot be exploited.

    OpenSSH 3.3p was released a few days ago, with various improvements
    but in particular, it significantly improves the Linux and Solaris
    support for priv sep. However, it is not yet perfect. Compression is
    disabled on some systems, and the many varieties of PAM are causing
    major headaches.

    However, everyone should update to OpenSSH 3.3 immediately, and enable
    priv separation in their ssh daemons, by setting this in your
    /etc/ssh/sshd_config file:

    UsePrivilegeSeparation yes

    Depending on what your system is, privsep may break some ssh
    functionality. However, with privsep turned on, you are immune from
    at least one remote hole. Understand?

    3.3 does not contain a fix for this upcoming bug.

    If priv separation does not work on your operating system, you need to
    work with your vendor so that we get patches to make it work on your
    system. Our developers are swamped enough without trying to support
    the myriad of PAM and other issues which exist in various systems.
    You must call on your vendors to help us.

    Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
    lot of that runs as root. But when UsePrivilegeSeparation is enabled,
    the daemon splits into two parts. A part containing about 2500 lines
    of code remains as root, and the rest of the code is shoved into a
    chroot-jail without any privs. This makes the daemon less vulnerable
    to attack.

    We've been trying to warn vendors about 3.3 and the need for privsep,
    but they really have not heeded our call for assistance. They have
    basically ignored us. Some, like Alan Cox, even went further stating
    that privsep was not being worked on because "Nobody provided any info
    which proves the problem, and many people dont trust you theo" and
    suggested I "might be feeding everyone a trojan" (I think I'll publish
    that letter -- it is just so funny). HP's representative was
    downright rude, but that is OK because Compaq is retiring him. Except
    for Solar Designer, I think none of them has helped the OpenSSH
    portable developers make privsep work better on their systems.
    Apparently Solar Designer is the only person who understands the need
    for this stuff.

    So, if vendors would JUMP and get it working better, and send us
    patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
    which supports these systems better. So send patches by Thursday
    night please. Then on Tuesday or Wednesday the complete bug report
    with patches (and exploits soon after I am sure) will hit BUGTRAQ.

    Let me repeat: even if the bug exists in a privsep'd sshd, it is not
    exploitable. Clearly we cannot yet publish what the bug is, or
    provide anyone with the real patch, but we can try to get maximum
    deployment of privsep, and therefore make it hurt less when the
    problem is published.

    So please push your vendor to get us maximally working privsep patches
    as soon as possible!

    We've given most vendors since Friday last week until Thursday to get
    privsep working well for you so that when the announcement comes out
    next week their customers are immunized. That is nearly a full week
    (but they have already wasted a weekend and a Monday). Really I think
    this is the best we can hope to do (this thing will eventually leak,
    at which point the details will be published).

    Customers can judge their vendors by how they respond to this issue.

    OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
    On OpenBSD privsep works flawlessly, and I have reports that is also
    true on NetBSD. All other systems appear to have minor or major
    weaknesses when this code is running.

    (securityfocus postmaster; please post this through immediately, since
    i have bcc'd over 30 other places..)

    Ammo
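
A way to check whether a given sshd_config actually carries the setting the advisory asks for, as an added example that is not part of the original post or of OpenSSH. It assumes the sshd_config(5) rule that the first value obtained for a keyword is the one used, so a later `UsePrivilegeSeparation yes` does not override an earlier `no`; the function names and the sample configs are constructed for illustration.

```python
import re

KEYWORD = "useprivilegeseparation"  # sshd_config keywords are case-insensitive

# Constructed sample configs (not from any real host).
HARDENED = "Port 22\nUsePrivilegeSeparation yes\n"
SHADOWED = (
    "Protocol 2\n"
    "useprivilegeseparation no\n"
    "# UsePrivilegeSeparation yes\n"
    "UsePrivilegeSeparation=yes\n"
)
UNSET = "Port 22\nPermitRootLogin no\n"


def occurrences(config_text):
    """Return [(line_number, value)] for every active UsePrivilegeSeparation line."""
    found = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if parts[0].lower() != KEYWORD or len(parts) < 2 or not parts[1]:
            continue
        found.append((lineno, parts[1].split()[0].strip('"').lower()))
    return found


def audit(config_text):
    """Return (status, ignored_line_numbers) for one config file's text."""
    hits = occurrences(config_text)
    if not hits:
        # Not set: sshd uses its built-in default, which this example does
        # not assume; check sshd_config(5) for the installed version.
        return "unset", []
    value = hits[0][1]  # first obtained value wins
    status = {"yes": "enabled", "no": "disabled"}.get(value, "other:" + value)
    return status, [lineno for lineno, _ in hits[1:]]


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("shadowed", SHADOWED), ("unset", UNSET)):
        print(name, audit(text))
```

A non-empty list of ignored line numbers means the file contains conflicting settings and the one that looks correct may not be the one in effect.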

  6. #6
    Senior Member
    Join Date
    May 2002
    Posts
    236
    True Ammo, but what I was stressing is that SuSE installs OpenSSH by default.
    I have the mail from Theo de Raadt somewhere; if you want it I'll dig through the mails I get from the mailing list.
    www.deadly.org also has a lot of info.

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    (I got the mail from the Bugtraq and security-announce@openbsd mailing lists)
    Yes, I check deadly too, it's been busy over there lately!

    Ammo
    Credit travels up, blame travels down -- The Boss

  8. #8
    Senior Member
    Join Date
    May 2002
    Posts
    236
    Chill out Unleashed, I don't check out sites like www.openssh.org on a daily basis so I rely on the mailing lists to keep me alert, so I didn't come up with a url in my first post. Draziw is just reminding you to think logically for yourself, www.google.com next time.

  9. #9
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    Originally posted here by Unleashed
    draziw > as Leviatan said www.deadly.org , well ...stupid me.. of course not

    Ummm... unleashed? OpenSSH.ORG is the home for OpenSSH (<edit>Ammo also nicely came back with the actual BugTraq post and similar, which is often the first place people normally hear about stuff like this... thanks Ammo!</edit>). Leviatan came back and later said it was posted to a mailing list he is on... it's not like you posted that information and made it obvious you knew what was going on... in fact, what I believe you said was:

    Well, did you get it from a source on the web?
    ...which indicates really that:

    • You had no clue
    • You didn't actually bother to look


    Much like your post here where you say, and I quote:

    Huum, what is GWAVA?

    Which, again, indicates that you didn't actually look.

    I have an idea... why don't you go through every thread and just insert something like: "Hey, what is <insert title of post here>?" I think you've missed a few.
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?"

  10. #10
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Credit travels up, blame travels down -- The Boss
