Results 1 to 4 of 4

Thread: Upcoming OpenSSH security advisory...

  1. #1
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027

    Upcoming OpenSSH security advisory...

    Just got this on misc@openbsd.org:

    > -----Original Message-----
    > From: owner-misc@openbsd.org
    > [mailtowner-misc@openbsd.org]On Behalf Of
    > Richard Johnson
    > Sent: May 3, 2004 11:51
    > To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
    > vuln-dev@securityfocus.com; vulnwatch@vulnwatch.org;
    > misc@openbsd.org
    > Subject: iDEFENSE: Upcoming OpenSSH Security Advisory Announcement
    >
    >
    > iDEFENSE Security Advisory 05.03.04:
    > http://www.idefense.com/advisory/05.03.04.txt
    > Upcoming OpenSSH Preauthentication Vulnerability Announcement
    > May 3, 2004
    >
    > There is an upcoming OpenSSH vulnerability that we're
    > working on with
    > the OpenBSD Crew. Details will be published early next week.
    >
    > However, I can say that when OpenSSH's sshd(8) is running with priv
    > seperation, the bug cannot be exploited for immediate root access.
    >
    > OpenSSH 3.3p was released a few years ago, with various improvements
    > but in particular, it significantly improves the Linux and Solaris
    > support for priv sep. However, it is not yet perfect.
    > Compression is
    > disabled on some systems, and the many varieties of PAM are causing
    > major headaches.
    >
    > However, everyone should update to OpenSSH 3.8 immediately,
    > and enable
    > priv seperation in their ssh daemons, by setting this in your
    > /etc/ssh/sshd_config file:
    >
    > UsePrivilegeSeparation yes
    >
    > Depending on what your system is, privsep may break some ssh
    > functionality. However, with privsep turned on, you are immune from
    > at least one remote hole. Understand? Being immune from
    > at least one
    > remote bug is worth broken functionality, especially when
    > the software
    > suffers from additional remote bugs.
    >
    > 3.8 does not contain a fix for this upcoming bug.
    >
    > If priv seperation does not work on your operating system,
    > you need to
    > work with your vendor so that we get patches to make it work on your
    > system. OpenSSH developers are swamped enough without trying to
    > support the myriad of PAM and other issues which exist in various
    > systems. For more information regarding the OpenBSD Crew's
    > struggle
    > with PAM issues, please read:
    > http://www.openssh.com/txt/sshpam.adv
    >
    > Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
    > lot of that runs as root. But when UsePrivilegeSeparation
    > is enabled,
    > the daemon splits into two parts. A part containing about
    > 2500 lines
    > of code remains as root, and the rest of the code is shoved into a
    > chroot-jail without any privs. This makes the daemon less
    > vulnerable
    > to attack. Less vulnerable is better than more vulnerable, and we
    > hope that someday the OpenBSD team can make things not vulnerable.
    >
    > Threat elimination is more important than threat reduction,
    > after all.
    >
    > Apparently the OpenBSD Crew has been trying to warn vendors
    > about 3.8
    > and the need for privs sep to be in use. Since priv sep
    > has existed
    > for many years, and still is not used in 100% of deployed OpenSSH
    > installations, the world is doing this marvelous team of
    > cryptography
    > experts and emerging mediocre programmers a world of
    > discredit. Some
    > developers, like Alan Cox, have reprotedly gone even further stating
    > that privsep was not being worked on because "Nobody
    > provided any info
    > which proves the problem, and many people dont trust you theo" and
    > suggested that Theo "might be feeding everyone a trojan".
    > The official
    > OpenBSD Crew's response to this allegation can be seen here:
    > http://www.openssh.com/txt/sshpam.adv
    >
    > HP's representative has thusfar been downright rude, and we
    > anticipate
    > that he will be removed from his position at the company in
    > the near
    > future for the negative attention that he is bringing to
    > the company,
    > and the lack of lucrative security PRODUCT and RESEARCH to
    > the market.
    >
    > Only the Solar Designer seems to think priv sep is a good
    > idea, since
    > historically he has been fond of developing security solutions
    > following known flawed models in the hopes of making exploitation of
    > security issues harder but not impossible, putting security
    > back into
    > the hands of hackers and out of the hands of scriptkids and
    > security
    > consultants.
    >
    > iDEFENSE recommends either using OpenBSD, Openwall Linux (Owl), or
    > Microsoft Windows. All other operating systems are insecure.
    >
    > So, if vendors would JUMP and get it working better, and send the
    > OpenBSD Crew patches IMMEDIATELY, we can perhaps make a better 3.9
    > release on Friday which supports all systems better. So please send
    > patches to them IMMEDIATELY so progress can be made. Then
    > on Tuesday
    > or Friday the complete bug report with patches (and year
    > old exploits,
    > we are sure) will hit BUGTRAQ(tm).
    >
    > Let me repeat: even if the bug exists in a privsep'd sshd, it is not
    > exploitable. Clearly we cannot yet publish what the bug is, or
    > provide anyone with the real patch, but we can try to get maximum
    > deployement of privsep, and therefore make it hurt less when the
    > problem is published.
    >
    > If you doubt the sincerity of this claim, please review the
    > following
    > case study and included references to the security of a privilage
    > separation enabled open secure shell daemon's unbreakable status.
    > http://www.phrack.org/phrack/60/p60-0x06.txt
    >
    >
    > So please push your vendor to get us maximally working
    > privsep patches
    > as soon as possible!!!!
    >
    > We've given most vendors since Friday last week until
    > Thursday to get
    > privsep working well for you so that when the announcement comes out
    > next week their customers are immunized. That is nearly a full week
    > (but they have already wasted a weekend and a Monday).
    > Really I think
    > this is the best we can hope to do (this thing will eventually leak,
    > at which point the details will be published).
    >
    > Customers can judge their vendors by how they respond to this issue.
    >
    > OpenBSD and NetBSD users should also update to OpenSSH 3.8
    > right away.
    > On OpenBSD privsep works flawlessly, and I have reports that is also
    > true on NetBSD. All other systems appear to have minor or major
    > weaknesses when this code is running.
    >
    > We would urge the OpenBSD Crew to remake the OpenSSH Security page
    > ( http://www.openssh.com/security.html ) to make it less confusing.
    > It would serve the public interest much better if the page listed
    > specifically what versions are affected by which bugs,
    > making it clear
    > which versions bugs were introduced in, and which versions
    > said bugs
    > have been fixed in. The current listing is too difficult
    > to process,
    > and listing what versions are no longer vulnerable to a particular
    > known issue seems silly, since one would hope that the most recent
    > available version of a security PRODUCT would not suffer from any
    > published and widely known security problems.
    >
    > If you or your organization would like to purchase advanced details
    > of this vulnerability, please contact sales@idefense.com with your
    > inquiry.
    >
    > We at iDEFENSE would like to thank Kurt Seifried, consultant and
    > "OUTSIDE_INTEL" operative/analyst (and SECURITY EXPERT) for all his
    > hard and profound work for us. Also we would like to
    > applaud him for
    > his brilliant work on translating the English translations
    > of the CORE
    > Impact documentation to better English; a most impressive
    > addition to
    > any resume is being able to brag of being a contractor for multiple
    > goverment contractors, because frankly - he is just that damn good.
    >
    > ______________________________________
    > < Work for iDEFENSE and become famous! >
    > --------------------------------------
    > \ _
    > \ (_)
    > \ ^__^ / \
    > \ (oo)\_____/_\ \
    > (__)\ ) /
    > ||----w ((
    > || ||>>
    >
    > iDEFENSE is a global security intelligence company that proactively
    > monitors sources throughout the world from technical vulnerabilities
    > and hacker profiling to the global spread of viruses and
    > other *yawn*
    > delicious code. Our security intelligence services provide decision
    > makers, frontline security professionals and network administrators
    > with timely access to actionable intelligence and decision
    > support on
    > cyber-related threats. For more information, visit our
    > flash enabled
    > interweb portal at http://www.idefense.com.
    >
    > --
    > Richard Johnson, CISSP
    > Senior Security Researcher
    > iDEFENSE Inc.
    > thief@bugtraq.org
    >
    > Get paid for security stuff!!!!!!
    > http://www.idefense.com/contributor.html
    >
    So I guess the message is pretty clear: make sure you have OpenSSH running in priviledge seperation mode and be ready to patch...

    Ammo
    Credit travels up, blame travels down -- The Boss

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Hum, well, I guess it does read a bit "odd"... Seems like it might just be a hoax after all...

    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Not an image or image does not exist!
    Not an image or image does not exist!

  4. #4
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Not an image or image does not exist!
    Not an image or image does not exist!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •