FWD: iDEFENSE: Upcoming OpenSSH Security Advisory Announcement
Jan Kasprzak
kas at informatics.muni.cz
Tue May 4 08:49:58 UTC 2004
Hello, FL people,
does anybody know details about this vulnerability?
-Yenya
: From: Richard Johnson <thief at bugtraq.org>
: To: full-disclosure at lists.netsys.com, bugtraq at securityfocus.com, vuln-dev at securityfocus.com, vulnwatch at vulnwatch.org, misc at openbsd.org
: Subject: [Full-Disclosure] iDEFENSE: Upcoming OpenSSH Security Advisory Announcement
: Date: Mon, 03 May 2004 11:51:12 -0400
:
:
: iDEFENSE Security Advisory 05.03.04:
: http://www.idefense.com/advisory/05.03.04.txt
: Upcoming OpenSSH Preauthentication Vulnerability Announcement
: May 3, 2004
:
: There is an upcoming OpenSSH vulnerability that we're working on with
: the OpenBSD Crew. Details will be published early next week.
:
: However, I can say that when OpenSSH's sshd(8) is running with priv
: seperation, the bug cannot be exploited for immediate root access.
:
: OpenSSH 3.3p was released a few years ago, with various improvements
: but in particular, it significantly improves the Linux and Solaris
: support for priv sep. However, it is not yet perfect. Compression is
: disabled on some systems, and the many varieties of PAM are causing
: major headaches.
:
: However, everyone should update to OpenSSH 3.8 immediately, and enable
: priv seperation in their ssh daemons, by setting this in your
: /etc/ssh/sshd_config file:
:
: UsePrivilegeSeparation yes
:
: Depending on what your system is, privsep may break some ssh
: functionality. However, with privsep turned on, you are immune from
: at least one remote hole. Understand? Being immune from at least one
: remote bug is worth broken functionality, especially when the software
: suffers from additional remote bugs.
:
: 3.8 does not contain a fix for this upcoming bug.
:
: If priv seperation does not work on your operating system, you need to
: work with your vendor so that we get patches to make it work on your
: system. OpenSSH developers are swamped enough without trying to
: support the myriad of PAM and other issues which exist in various
: systems. For more information regarding the OpenBSD Crew's struggle
: with PAM issues, please read:
: http://www.openssh.com/txt/sshpam.adv
:
: Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
: lot of that runs as root. But when UsePrivilegeSeparation is enabled,
: the daemon splits into two parts. A part containing about 2500 lines
: of code remains as root, and the rest of the code is shoved into a
: chroot-jail without any privs. This makes the daemon less vulnerable
: to attack. Less vulnerable is better than more vulnerable, and we
: hope that someday the OpenBSD team can make things not vulnerable.
:
: Threat elimination is more important than threat reduction, after all.
:
: Apparently the OpenBSD Crew has been trying to warn vendors about 3.8
: and the need for privs sep to be in use. Since priv sep has existed
: for many years, and still is not used in 100% of deployed OpenSSH
: installations, the world is doing this marvelous team of cryptography
: experts and emerging mediocre programmers a world of discredit. Some
: developers, like Alan Cox, have reprotedly gone even further stating
: that privsep was not being worked on because "Nobody provided any info
: which proves the problem, and many people dont trust you theo" and
: suggested that Theo "might be feeding everyone a trojan". The official
: OpenBSD Crew's response to this allegation can be seen here:
: http://www.openssh.com/txt/sshpam.adv
:
: HP's representative has thusfar been downright rude, and we anticipate
: that he will be removed from his position at the company in the near
: future for the negative attention that he is bringing to the company,
: and the lack of lucrative security PRODUCT and RESEARCH to the market.
:
: Only the Solar Designer seems to think priv sep is a good idea, since
: historically he has been fond of developing security solutions
: following known flawed models in the hopes of making exploitation of
: security issues harder but not impossible, putting security back into
: the hands of hackers and out of the hands of scriptkids and security
: consultants.
:
: iDEFENSE recommends either using OpenBSD, Openwall Linux (Owl), or
: Microsoft Windows. All other operating systems are insecure.
:
: So, if vendors would JUMP and get it working better, and send the
: OpenBSD Crew patches IMMEDIATELY, we can perhaps make a better 3.9
: release on Friday which supports all systems better. So please send
: patches to them IMMEDIATELY so progress can be made. Then on Tuesday
: or Friday the complete bug report with patches (and year old exploits,
: we are sure) will hit BUGTRAQ(tm).
:
: Let me repeat: even if the bug exists in a privsep'd sshd, it is not
: exploitable. Clearly we cannot yet publish what the bug is, or
: provide anyone with the real patch, but we can try to get maximum
: deployement of privsep, and therefore make it hurt less when the
: problem is published.
:
: If you doubt the sincerity of this claim, please review the following
: case study and included references to the security of a privilage
: separation enabled open secure shell daemon's unbreakable status.
: http://www.phrack.org/phrack/60/p60-0x06.txt
:
:
: So please push your vendor to get us maximally working privsep patches
: as soon as possible!!!!
:
: We've given most vendors since Friday last week until Thursday to get
: privsep working well for you so that when the announcement comes out
: next week their customers are immunized. That is nearly a full week
: (but they have already wasted a weekend and a Monday). Really I think
: this is the best we can hope to do (this thing will eventually leak,
: at which point the details will be published).
:
: Customers can judge their vendors by how they respond to this issue.
:
: OpenBSD and NetBSD users should also update to OpenSSH 3.8 right away.
: On OpenBSD privsep works flawlessly, and I have reports that is also
: true on NetBSD. All other systems appear to have minor or major
: weaknesses when this code is running.
:
: We would urge the OpenBSD Crew to remake the OpenSSH Security page
: ( http://www.openssh.com/security.html ) to make it less confusing.
: It would serve the public interest much better if the page listed
: specifically what versions are affected by which bugs, making it clear
: which versions bugs were introduced in, and which versions said bugs
: have been fixed in. The current listing is too difficult to process,
: and listing what versions are no longer vulnerable to a particular
: known issue seems silly, since one would hope that the most recent
: available version of a security PRODUCT would not suffer from any
: published and widely known security problems.
:
: If you or your organization would like to purchase advanced details
: of this vulnerability, please contact sales at idefense.com with your
: inquiry.
:
: We at iDEFENSE would like to thank Kurt Seifried, consultant and
: "OUTSIDE_INTEL" operative/analyst (and SECURITY EXPERT) for all his
: hard and profound work for us. Also we would like to applaud him for
: his brilliant work on translating the English translations of the CORE
: Impact documentation to better English; a most impressive addition to
: any resume is being able to brag of being a contractor for multiple
: goverment contractors, because frankly - he is just that damn good.
:
: ______________________________________
: < Work for iDEFENSE and become famous! >
: --------------------------------------
: \ _
: \ (_)
: \ ^__^ / \
: \ (oo)\_____/_\ \
: (__)\ ) /
: ||----w ((
: || ||>>
:
: iDEFENSE is a global security intelligence company that proactively
: monitors sources throughout the world from technical vulnerabilities
: and hacker profiling to the global spread of viruses and other *yawn*
: delicious code. Our security intelligence services provide decision
: makers, frontline security professionals and network administrators
: with timely access to actionable intelligence and decision support on
: cyber-related threats. For more information, visit our flash enabled
: interweb portal at http://www.idefense.com.
: --
: Paul Cassell
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Czech Linux Homepage: http://www.linux.cz/ |
Any compiler or language that likes to hide things like memory allocations
behind your back just isn't a good choice for a kernel. --Linus Torvalds
More information about the fedora-legacy-list
mailing list