> -----Original Message-----
> From: email@example.com
firstname.lastname@example.org]On Behalf Of
> Richard Johnson
> Sent: May 3, 2004 11:51
> To: email@example.com
> Subject: iDEFENSE: Upcoming OpenSSH Security Advisory Announcement
> iDEFENSE Security Advisory 05.03.04:
> Upcoming OpenSSH Preauthentication Vulnerability Announcement
> May 3, 2004
> There is an upcoming OpenSSH vulnerability that we're
> working on with
> the OpenBSD Crew. Details will be published early next week.
> However, I can say that when OpenSSH's sshd(8) is running with priv
> seperation, the bug cannot be exploited for immediate root access.
> OpenSSH 3.3p was released a few years ago, with various improvements
> but in particular, it significantly improves the Linux and Solaris
> support for priv sep. However, it is not yet perfect.
> Compression is
> disabled on some systems, and the many varieties of PAM are causing
> major headaches.
> However, everyone should update to OpenSSH 3.8 immediately,
> and enable
> priv seperation in their ssh daemons, by setting this in your
> /etc/ssh/sshd_config file:
> UsePrivilegeSeparation yes
> Depending on what your system is, privsep may break some ssh
> functionality. However, with privsep turned on, you are immune from
> at least one remote hole. Understand? Being immune from
> at least one
> remote bug is worth broken functionality, especially when
> the software
> suffers from additional remote bugs.
> 3.8 does not contain a fix for this upcoming bug.
> If priv seperation does not work on your operating system,
> you need to
> work with your vendor so that we get patches to make it work on your
> system. OpenSSH developers are swamped enough without trying to
> support the myriad of PAM and other issues which exist in various
> systems. For more information regarding the OpenBSD Crew's
> with PAM issues, please read:
> Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
> lot of that runs as root. But when UsePrivilegeSeparation
> is enabled,
> the daemon splits into two parts. A part containing about
> 2500 lines
> of code remains as root, and the rest of the code is shoved into a
> chroot-jail without any privs. This makes the daemon less
> to attack. Less vulnerable is better than more vulnerable, and we
> hope that someday the OpenBSD team can make things not vulnerable.
> Threat elimination is more important than threat reduction,
> after all.
> Apparently the OpenBSD Crew has been trying to warn vendors
> about 3.8
> and the need for privs sep to be in use. Since priv sep
> has existed
> for many years, and still is not used in 100% of deployed OpenSSH
> installations, the world is doing this marvelous team of
> experts and emerging mediocre programmers a world of
> discredit. Some
> developers, like Alan Cox, have reprotedly gone even further stating
> that privsep was not being worked on because "Nobody
> provided any info
> which proves the problem, and many people dont trust you theo" and
> suggested that Theo "might be feeding everyone a trojan".
> The official
> OpenBSD Crew's response to this allegation can be seen here:
> HP's representative has thusfar been downright rude, and we
> that he will be removed from his position at the company in
> the near
> future for the negative attention that he is bringing to
> the company,
> and the lack of lucrative security PRODUCT and RESEARCH to
> the market.
> Only the Solar Designer seems to think priv sep is a good
> idea, since
> historically he has been fond of developing security solutions
> following known flawed models in the hopes of making exploitation of
> security issues harder but not impossible, putting security
> back into
> the hands of hackers and out of the hands of scriptkids and
> iDEFENSE recommends either using OpenBSD, Openwall Linux (Owl), or
> Microsoft Windows. All other operating systems are insecure.
> So, if vendors would JUMP and get it working better, and send the
> OpenBSD Crew patches IMMEDIATELY, we can perhaps make a better 3.9
> release on Friday which supports all systems better. So please send
> patches to them IMMEDIATELY so progress can be made. Then
> on Tuesday
> or Friday the complete bug report with patches (and year
> old exploits,
> we are sure) will hit BUGTRAQ(tm).
> Let me repeat: even if the bug exists in a privsep'd sshd, it is not
> exploitable. Clearly we cannot yet publish what the bug is, or
> provide anyone with the real patch, but we can try to get maximum
> deployement of privsep, and therefore make it hurt less when the
> problem is published.
> If you doubt the sincerity of this claim, please review the
> case study and included references to the security of a privilage
> separation enabled open secure shell daemon's unbreakable status.
> So please push your vendor to get us maximally working
> privsep patches
> as soon as possible!!!!
> We've given most vendors since Friday last week until
> Thursday to get
> privsep working well for you so that when the announcement comes out
> next week their customers are immunized. That is nearly a full week
> (but they have already wasted a weekend and a Monday).
> Really I think
> this is the best we can hope to do (this thing will eventually leak,
> at which point the details will be published).
> Customers can judge their vendors by how they respond to this issue.
> OpenBSD and NetBSD users should also update to OpenSSH 3.8
> right away.
> On OpenBSD privsep works flawlessly, and I have reports that is also
> true on NetBSD. All other systems appear to have minor or major
> weaknesses when this code is running.
> We would urge the OpenBSD Crew to remake the OpenSSH Security page
> ( http://www.openssh.com/security.html
) to make it less confusing.
> It would serve the public interest much better if the page listed
> specifically what versions are affected by which bugs,
> making it clear
> which versions bugs were introduced in, and which versions
> said bugs
> have been fixed in. The current listing is too difficult
> to process,
> and listing what versions are no longer vulnerable to a particular
> known issue seems silly, since one would hope that the most recent
> available version of a security PRODUCT would not suffer from any
> published and widely known security problems.
> If you or your organization would like to purchase advanced details
> of this vulnerability, please contact firstname.lastname@example.org
> We at iDEFENSE would like to thank Kurt Seifried, consultant and
> "OUTSIDE_INTEL" operative/analyst (and SECURITY EXPERT) for all his
> hard and profound work for us. Also we would like to
> applaud him for
> his brilliant work on translating the English translations
> of the CORE
> Impact documentation to better English; a most impressive
> addition to
> any resume is being able to brag of being a contractor for multiple
> goverment contractors, because frankly - he is just that damn good.
> < Work for iDEFENSE and become famous! >
> \ _
> \ (_)
> \ ^__^ / \
> \ (oo)\_____/_\ \
> (__)\ ) /
> ||----w ((
> || ||>>
> iDEFENSE is a global security intelligence company that proactively
> monitors sources throughout the world from technical vulnerabilities
> and hacker profiling to the global spread of viruses and
> other *yawn*
> delicious code. Our security intelligence services provide decision
> makers, frontline security professionals and network administrators
> with timely access to actionable intelligence and decision
> support on
> cyber-related threats. For more information, visit our
> flash enabled
> interweb portal at http://www.idefense.com.
> Richard Johnson, CISSP
> Senior Security Researcher
> iDEFENSE Inc.
> Get paid for security stuff!!!!!!