Slashdot Mirror


Vulnerability In SSH1

matt666 writes "Bindview released an advisory yesterday warning us that "[a]n integer-overflow problem is present in common code of recent ssh daemons, deattack.c, which was developed by CORE SDI to protect against cryptographic attacks on SSH protocol. [...] This effectively allows an attacker to overwrite arbitrary portions of memory". Practically all common versions of SSH1 are affected, except OpenSSH 2.3.0." A whole slew of people have written in regarding this - from the folks at SmoothWall advising of an update, to a bunch of people just saying "Oh No!". My understanding is that a fix is already in the works.

6 of 118 comments

  1. Re:switch to openSSH by mkettler · · Score: 5
    I had similar troubles trying to compile OpenSSH on my linux box. Then I discovered they have a separate "portable" distribution for non OpenBSD boxes. I picked the portable one, ./configure; make; make install, done.

    The "standard" tarball linked under "getting source" on the OpenSSH page is for OpenBSD and does not have a configure script, just an installer.

    If you download OpenSSH for a non OpenBSD box, make sure you pick the portable version. (under operating systems click on your operating system, or go to: http://www.openssh.com/portable.html).

    --
    -Matt
  2. Re:Software vulnerabilities by Multiple+Sanchez · · Score: 5

    Script kiddie this, script kiddie that. I'm sick of it. I pay my taxes, I'm balding, I'm in serious debt to MasterCard... I'm a script adult.

  3. switch to openSSH by Saint+Nobody · · Score: 5

    there were arguments to switch to openssh before, but never one that was this practical in nature.

    the only downside of openssh that i've seen was that it was a pain to figure out which compile-time options i needed. make sure you know exactly how your passwords are stored on your box. once i had that figured out, i liked it better than i ever liked the commercial SSH.

    --
    #define F(x) int main(){printf(#x,10,#x);}
    F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
  4. All this wouldn't have happened... by SpanishInquisition · · Score: 5
    ...if we still used telnet.

    --
    Je t'aime Stéphanie
  5. Debian Users... by Xibby · · Score: 5

    Debian 2.2 OpenSSH package has already been fixed. As usual, they have backported the fix to the version of ssh in stable (v1.2.3).

    Make sure you have the Debian security sources in /etc/apt/sources.list, then apt-get update && apt-get upgrade.

    deb http://security.debian.org/ stable/updates main contrib non-free
    deb-src http://security.debian.org/ stable/updates main contrib non-free

    /usr/share/doc/ssh/changelog.Debian.gz
    openssh (1:1.2.3-9.2) stable; urgency=high
    * Non-maintainer upload by Security Team
    * Added backported fix for a buffer overflow (thanks to Piotr Roszatycki)
    * Added modified build dependencies from unstable for convenience
    * Added patch that fixes an rsa key exchange problem made public by CORE SDI.

    -- Martin Schulze Thu, 8 Feb 2001 22:15:04 +0100

    --
    I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
  6. Re:Here's the patch and how to apply it by Wills · · Score: 5

    What is it with caching contents of a POST method -- netscape picked up its cached version of my previous post...

    Last correction: patch < deattack.c.patch using the following text copied into deattack.c.patch

    --- deattack.c Wed May 12 12:19:25 1999
    +++ deattack.c.orig Fri Feb 9 20:00:21 2001
    @@ -79,7 +79,7 @@
    detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
    {
    static word16 *h = (word16 *) NULL;
    - static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    + static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    register word32 i, j;
    word32 l;
    register unsigned char *c;
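
Review bot: at the `static word32 n` line, widening `n` stops it wrapping at 16 bits, but `h` is still declared `word16 *` and nothing in this hunk bounds `len`, so check the code that sizes and indexes `h` from `n` for values above 65535 and consider rejecting an oversized `len` before the table is grown. The file headers also look reversed: the `+++` side is named `deattack.c.orig`, so regenerate the diff with the original file on the `---` line and the patched `deattack.c` on the `+++` line so that `patch` applies it to the intended file.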