Slashdot Mirror


Slashback: OpenSSH, Bio, Timeliness

Welcome to Slashback, with updates (below) on a handful of recent Slashdot posts. Most importantly, a message regarding OpenSSH 3.3 could save your system from attack -- read it; you might need to pass the word on to your vendor, too.

Things that make you want to bring back thumbscrews. A few days ago, we mentioned the release of OpenSSH 3.3; compared to previous versions, the biggest change in 3.3 is increased emphasis on privilege separation. Today, Theo de Raadt sent word of an OpenSSH vulnerability being worked on by ISS and the OpenBSD team, details of which are expected to be published early next week.

In an announcement sent to bugtraq, he wrote: "However, I can say that when OpenSSH's sshd(8) is running with priv separation, the bug cannot be exploited.

OpenSSH 3.3p was released a few days ago, with various improvements but in particular, it significantly improves the Linux and Solaris support for priv sep. However, it is not yet perfect. Compression is disabled on some systems, and the many varieties of PAM are causing major headaches.

However, everyone should update to OpenSSH 3.3 immediately, and enable priv separation in their ssh daemons, by setting this in your /etc/ssh/sshd_config file:

UsePrivilegeSeparation yes

Depending on what your system is, privsep may break some ssh functionality. However, with privsep turned on, you are immune from at least one remote hole. Understand?

3.3 does not contain a fix for this upcoming bug.

If priv separation does not work on your operating system, you need to work with your vendor so that we get patches to make it work on your system. Our developers are swamped enough without trying to support the myriad of PAM and other issues which exist in various systems. You must call on your vendors to help us."
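As an added illustration (not part of the Slashback post or of OpenSSH's own code), here is a small checker that reads an sshd_config the way sshd(8) does, with case-insensitive keywords and first occurrence wins, reports whether UsePrivilegeSeparation is in effect, and rewrites a config so the setting cannot be silently overridden. The sample configs are constructed, and the daemon default when the directive is absent is assumed to be off (the page does not state it; pass daemon_default=True if your build differs).

```python
import re

# Constructed sample sshd_config fragments (not taken from the page).
VULNERABLE_CONFIG = """\
# privilege separation left at the daemon default
Port 22
Protocol 2,1
#UsePrivilegeSeparation yes
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
UsePrivilegeSeparation yes
PermitRootLogin no
"""

_DIRECTIVE = "useprivilegeseparation"

# sshd_config(5) accepts "keyword value" and "keyword = value".
_SPLIT = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for an sshd_config.

    Mirrors two rules of sshd_config(5): keywords are case-insensitive,
    and for each keyword the FIRST occurrence is used, so a later 'yes'
    cannot override an earlier 'no'. Comments and blank lines are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        if len(parts) < 2:
            continue  # keyword without a value
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def privsep_enabled(text, daemon_default=False):
    """True if sshd would run with privilege separation for this config.

    daemon_default is what sshd uses when the directive is absent; it is
    an assumption here (the page does not state the 3.3 default), so pass
    the value that matches your build.
    """
    value = parse_sshd_config(text).get(_DIRECTIVE)
    if value is None:
        return daemon_default
    return value.lower() == "yes"


def enforce_privsep(text):
    """Return a config that sshd will read as UsePrivilegeSeparation yes.

    Because the first occurrence wins, the directive is put at the very
    top and any later copies are commented out instead of edited in place.
    """
    out = ["UsePrivilegeSeparation yes"]
    for raw in text.splitlines():
        parts = _SPLIT.split(raw.strip(), maxsplit=1)
        if parts and parts[0].lower() == _DIRECTIVE:
            out.append("# " + raw + "   # superseded by the directive above")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, "privsep:", privsep_enabled(cfg))
    print(enforce_privsep(VULNERABLE_CONFIG))
```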

Theo emphasizes the role of vendor cooperation in making privilege separation work on the full range of systems on which OpenSSH runs. "If the vendors don't start pulling their part," he says in an email, "by the time the bug is posted their customers will be left unprotected. These vendors who do not do the right job and instead just 'sell sell sell' are starting to become annoying. On a lot of systems today, privsep does NOT work well at all. The vendors have not been helping!"

A patched version of OpenSSH could be released as soon as Friday, incorporating vendor patches received by this Thursday.

Read More on Stallman. Vamphyri writes: "Sam Williams, author of 'Free as in Freedom', a biography of GNU/Linux founder Richard M. Stallman, has gone live with the online free version 1.0 of FAIFzilla.org. The paper pulp version publishers O'Reilly & Associates agreed under the terms of the GNU Free Document License and have their own version up at their site. Williams' site allows for content and corrections to be submitted by readers. He hopes for contributions to be included in later editions of the O'Reilly bio. Also: CGI coders wanted for site enhancement, paragraph and line numbering, searches etc. Maybe a CVS Tree is in order? :)"

"Urpmi Norton" doesn't work for some reason. MrResistor writes "Upon logging in to my computer at work this morning, I was greeted by a virus update notice from McAfee SecurityCenter. The update for today includes W97M/Melissa@MM, and of course McAfee's newly manuf^H^H^H^H^Hdiscovered threat, the W32/Perrun JPEG virus (which was also highlighted in yesterday's update). All of the updates in the last week or so have been rated Low or No Threat (except for Perrun, which is "Low On Watch"). It seems that in addition to manufacturing new threats, they're also rehashing old threats to keep subscription renewals up. Perhaps it's time for Slashdot to add an Ethics topic?"

27 of 373 comments

  1. Re:Ethics Topic? by sammy.lost-angel.com · · Score: 2, Insightful

    On the contrary, a lot of people go to school just to study ethics. With computers becoming such a major part of everyone's lives, isn't it important to discuss computer ethics in an open forum?

  2. Re:Ethics Topic? by great+throwdini · · Score: 2, Insightful

    Ex-Parrot: I don't think I need or want Slashdot to tell me what is or isn't ethical.

    Lemmy Caution: Then they don't need or want you telling them that it isn't ethical for them to tell you what is or isn't ethical.

    Technically, Ex-Parrot only stated what he didn't need or want, not that he believed it unethical for /. to inform him (hypothetically) of ethics. Don't confuse desire for ethics.

  3. Re:more like (-1, Flamebait) by psychosis · · Score: 3, Insightful

    Urrrgh... how many times does this get discussed?!?! So what? OpenBSD is still far more secure than most Linux distros or Windows. The only O/S I've ever come across with better security than OpenBSD is OS/400 by IBM.

    I believe that the original poster was making a remark on the heralded "270,000 installations without a default-enabled root-level vulnerability" statement that OpenBSD uses. I don't use BSD, so I don't know the exact quote, but if the affected version of OpenSSH is enabled by default, this would jeopardize that tagline.

  4. To all the OpenBSD lost its claim posters.. by antis0c · · Score: 5, Insightful

    This could be flamebait, but it should be said.

    Consider this, would you rather use an Operating System, where the community just shrugs off the frequently once a week remote holes with simply, "go grab the updates" ..

    .. or an Operating System where the community is surprised and in disbelief that a remote hole was found after 5 years, which causes the entire community to start bitch fights over the right to claim it's the most secure Operating System still, despite the fact that the remote hole was found by the Operating System developers, and fixed before it has actually been exploited.

    You don't have to be Stephen Wolfram to figure this one out.

    --

    ..There's a-dooin's a-transpirin'

    1. Re:To all the OpenBSD lost its claim posters.. by ByTor-2112 · · Score: 3, Insightful

      Fixed before it has actually been exploited? I think not. The real danger of NOT doing security audits is the fact that there are real hackers out there who might know about this hole and are more interested in hacking than getting their names on the big screen as the "l33t d00d" who found the hole.

      Just like the crypto people assume the NSA is 10+ years ahead of them in codebreaking, you should assume that EVERY remote hole has been known to someone within the hacking community prior to its "announcement".

    2. Re:To all the OpenBSD lost its claim posters.. by ByTor-2112 · · Score: 3, Insightful

      Well until you take a personal tour of Ft. Meade, then I think it would be prudent to bring the assumption back to life.

  5. Re:ssh vulnerability disclosure? by John+Hasler · · Score: 3, Insightful

    "We won't tell you what the problem is, unless you're a big distributor."

    Do you have some evidence to support this claim that they have revealed the exploit to big distributors? As far as I can tell they have told no one.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.

  6. Re:Theo D. by elmegil · · Score: 2, Insightful

    'Cos God Knows those Evil Vendors have nothing in mind but SELL SELL SELL. No way that they have quality control/assurance processes that, while bureaucratic, make a good faith attempt to keep from introducing NEW problems with fast fixes.

    I guess Theo is just offended that he's not offered more trust for quality software than the vendors' own employees.

    --
    7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001

  7. Focus by alienmole · · Score: 2, Insightful

    The issue is focus. In RMS and Theo's case at least, they are so tenaciously focused on their pet issues that every other aspect of reality is secondary to that. This comes through clearly in everything they say - the sense of urgency, the frustration that not everyone shares their priorities. It's actually standard nerd behavior, but magnified to uber-nerd proportions.

    The upside is that they do tend to produce useful things, or have a salutary effect on those around them. So unless you disagree with what they do, you should simply dismiss their personal peccadilloes as the price you pay for having someone devote the majority of their brainpower to a single issue, and do useful work on your (and everyone else's) behalf.

    Time to take a lesson from the PHB playbook - the natural response to an email like Theo's goes something like "Yeah, yeah, Theo, nice work. Keep it up. Oh, and have it done by the end of the week, willya?"

  8. OpenSSH passing the buck? by Talez · · Score: 0, Insightful

    No... Can't Be!

    For fuck's sake... you people are always "oh we have bug fixes in 24 hours... Fsck you M$ *uNF* *uNF* *uNF*" and now you have to use a WORKAROUND that may not work on everyone's systems and it's the VENDOR'S fault that SSH wants to use some specific feature that *THEY* think every vendor should have.

    I'm sorry. It doesn't work like that. Fucking fix it the first time or don't release stuff you KNOW has security exploits in it. It's plain fucking irresponsible to do it.

  9. The Alternative to OpenSSH or SSH (commerical) by Tadghe · · Score: 5, Insightful

    LSH (http://www.net.lut.ac.uk/psst/)

    I love SSH. It's been installed on my boxen (regardless of OS) since it was stable enough to kill off telnet.
    My problem with both the announcement as well as the patch is thus.

    1. Neither Theo nor any of the posters I've seen are willing to tell us what the hell is broken. Only that we must upgrade. That just don't cut it, I won't blindly patch without an idea of what is broken. The Debian security release summed it up best.

    "Theo de Raadt announced that the OpenBSD team is working with ISS
    on a remote exploit for OpenSSH (a free implementation of the
    Secure SHell protocol). They are refusing to provide any details on
    the vulnerability but instead are advising everyone to upgrade to
    the latest release, version 3.3.

    This version was released 3 days ago and introduced a new feature
    to reduce the effect of exploits in the network handling code
    called privilege separation. Unfortunately this release has a few
    known problems: compression does not work on all operating systems
    since the code relies on specific mmap features, and the PAM
    support has not been completed. There may be other problems as
    well."

    2. Sudden lack of belief in full disclosure. Am I the only guy who remembers the days before full disclosure? The OpenBSD Security policy ( http://www.openbsd.org/security.html ) is pretty point blank (to quote)
    "we believe in full disclosure of security problems. In the operating system arena, we were probably the first to embrace the concept. Many vendors, even of free software, still try to hide issues from their users"
    I think posting a "fix" (ok, workaround) and not telling anyone *why* they should use it is "try[ing] to hide issues from their users"

    I'll be firing up R.A.T.S and checking out LSH ( http://www.net.lut.ac.uk/psst/ ) (GNU'd SSH2ish) for my needs from here on out.

    and yes, this needs a rant tag and yes I know the OSSH and OBSD teams are separate, but they share enough philosophy and team members that I gather they have the same opinion on security.

    --
    Bugs Bunny was right.

    1. Re:The Alternative to OpenSSH or SSH (commerical) by Tadghe · · Score: 3, Insightful

      My point there being that we (in this case Debian users) are pretty much being forced to either jump ship or *trust* a fix that neither we the users, nor the Debian team can verify does what is intended. I'm pretty sure that Theo knows what he's doing, but, I'll not upgrade at "gunpoint" because a vendor won't give me any idea as to what's up. I'm not asking for exploit code, but a decent "this is what's wrong and here's what we are doing to fix it" would go a long way...

      --
      Bugs Bunny was right.

    2. Re:The Alternative to OpenSSH or SSH (commerical) by Dr.+Awktagon · · Score: 3, Insightful

      In the world of full disclosure, it's generally considered polite to initially only notify the vendor of a product and allow them a grace period to fix the security hole. This way, when the security hole is publicized, users will (hopefully) have a patch or upgrade to secure their systems.

      Well, by releasing the info, the hole HAS been publicized. If you're a black-hat poking around in Apache or Cisco routers or whatever looking for rootable holes, wouldn't you instantly drop what you're doing and start looking for this hole? And if it's possible some already have an exploit, what's Theo waiting for? Give us more details.

      I think full disclosure means "full disclosure", not just partial disclosure, not just, hey, there's a show-stopper bug in the code, but I promise if you upgrade it won't affect you. No workarounds, no details, not even if an exploit has been found in the wild or not.

      Maybe if we knew the details of the bug we could fix it WITHOUT upgrading to the separated privs code. Maybe he wants us to upgrade to this new code because he thinks it's really cool and it strokes his ego, not because it's the only way to solve the hole.

      <theory type="conspiracy">Hell, maybe the OpenSSH server has been hacked by Microsoft and a backdoor added to the new code; this message is a fake to get us to upgrade; and all non-Windows users are doomed.... :-o </theory>

    3. Re:The Alternative to OpenSSH or SSH (commerical) by Eil · · Score: 5, Insightful

      You misinterpreted the entirety of what he was trying to say. If I were in a crankier mood I'd ask you if you even read the post.

      In a nutshell, he said this:

      1. There is an exploitable bug in all current versions of OpenSSH.
      2. We're working on a patch, but it's not done yet.
      3. When it is, we'll tell you all exactly what was wrong and how we fixed it.
      4. In the meantime, you can download the latest 3.3 patch and enable privilege separation to completely protect yourself from the vulnerability.

      That just don't cut it, I won't blindly patch without an idea of what is broken.

      There isn't a patch yet. Theo clearly stated that a patch and an explanation will be forthcoming at the same time. The whole reason he announced it early is to get admins to fix their systems before the nefarious hackers could develop an exploit for it. (As another poster noted, it's incredibly easy for a nefarious hacker to develop an exploit if you have the source code to versions of the program with the bug and a version without. That is perhaps one of the few downfalls to open-source.)

      You'll save yourself a lot of typing and needless jumping (to conclusions) if you read a bit more carefully next time.

  10. ...and my analysis by joe_bruin · · Score: 5, Insightful

    replying to yourself is always a bad thing, but here goes...

    if you cut through the bullshit (theo certainly has an interesting way of putting things), what he's saying is this:

    there's a hole in sshd. we are working on a patch. if we release it now, you are all f'd, because all your systems will be compromised before you have time to patch them. we are giving you the next week to update your sshd, so that you are no longer vulnerable when we publish the bug+patch. yes, the new sshd has the bug, but is not vulnerable to it. if we fixed it now, the black hats will diff the results and be able to develop a compromise, and you still won't have a patch. oh yeah, we need your vendors' help so that you're all safe by next week.

    make sense?

  11. Re:OpenBSD remote hole? by evilviper · · Score: 5, Insightful

    I don't have an OpenBSD 3.1 box handy to check to see if priv separation is enabled by default. However, I know it wasn't on 3.0.

    But, we need not jump to conclusions. Theo was saying quite a bit about vendor support, which means he was struggling with the PORTABLE version, he made no mention of the native OpenBSD version, and we have yet to even hear the implications of this bug (hell, maybe it's not exploitable on OpenBSD, just OTHER platforms running OpenSSH).

    Again, don't jump to conclusions.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant

  12. They Had _Better_ Already Know by John+Hasler · · Score: 5, Insightful

    "Read it; you might need to pass the word on to your vendor, too."

    If you need to pass the word on to your vendor you need a new vendor.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.

  13. this openssh thing smells funny by Dr.+Awktagon · · Score: 2, Insightful

    Well I just spent a few hours upgrading a handful of openssh installs and firewalling about a dozen others. This is weird though, is there NO other information about this hole except that it's "fixed" by 3.3?

    If I have ssh blocked in /etc/hosts.allow, does that stop the bug? If I have AllowRootLogin off, does that stop the bug? Is it SSH protocol 1 or 2? Can this affect existing SSH connections? Is there any other work-around?????

    I think we just saw TWO irresponsible announcements in the Open Source world, and I hope it's not a trend.

    (SSH is one piece of software I do not like upgrading remotely..)

    PS: I haven't gotten his message from Bugtraq yet. In fact I've only gotten 2 messages from Bugtraq today...weird...

    1. Re:this openssh thing smells funny by uhoreg · · Score: 3, Insightful

      How is this an irresponsible announcement? This is about as responsible as you can get. "There's an exploit in our code. We can't tell you exactly what it is yet, because we don't have a full patch yet, and we don't want exploits flying around until we do, but if you do [insert procedure here] (which is a good idea anyways) the vulnerability is not exploitable. The patch will be available next Monday." Would you rather they announce it next week, after they have the full patch, so that we can have a race between script kiddies and admins again? Or would you rather know that your machine is safe from the kiddies, before they have the exploit?

      --

      To get something done, a committee should consist of no more than three persons, two of them absent.

    2. Re:this openssh thing smells funny by steveha · · Score: 3, Insightful

      is there NO other information about this hole except that it's "fixed" by 3.3?

      Um, it's not fixed by 3.3!

      What he said was that the bug exists in 3.3, as in other versions (which other versions, he did not spell out)... however, if you use the new "privsep" feature of 3.3, the bug is blocked.

      His stated goal is to get everyone running with "privsep" before the full details of the bug come to light. Even if that means you lose functionality... he feels it is more important to be immune to the possible remote root exploit than to be able to use all the features of ssh.

      If I have ssh blocked in /etc/hosts.allow, does that stop the bug?

      That ought to work: a bug in sshd shouldn't be a problem if crackers can't access sshd. If you have a firewall, and block the ssh port on the firewall, that should be good too.

      steveha

      --
      lf(1): it's like ls(1) but sorts filenames by extension, tersely

  14. Re:ssh vulnerability disclosure? by Anonymous Coward · · Score: 1, Insightful

    No, the talk about vendor cooperation is in regards to getting privilege separation working, not fixing the real bug. The only people who know about the bug (judging from the email) are at ISS.

  15. Re:ssh vulnerability disclosure? by John+Hasler · · Score: 4, Insightful

    "Another interpretation would be that he wants vendors to port the privilege separated version of sshd to their platforms..."

    That is exactly what he wants.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.

  16. Learn to build and install from source by bigberk · · Score: 2, Insightful

    An important skill for anyone who uses UNIX, *BSD, or Linux is being able to build and install software from source. If you haven't done it before, take some time to learn how to do it properly. It's easier than you might think, just download the source and read the README and INSTALL files.

    That's kind of why all the source is released -- you really don't have to wait for packages from your vendor. The packages make future uninstall simpler, true, but sometimes you don't have the luxury of time.

  17. How far BACK? by evilpenguin · · Score: 4, Insightful

    Leaving the OS Wars aside (I run Linux, yes, but I also run FreeBSD, and I would run OpenBSD if they would just get unanal about bootable iso's): Okay, swell. 3.3 has a hole.

    How far BACK does this hole extend? Does my 3.1 have it? Does EVERY copy of OpenSSH since the dawn of time have it? Can someone make this clear to me? Is it only versions that have privilege separation? Where is the boundary of this bug?

    1. Re:How far BACK? by Anonymous Coward · · Score: 1, Insightful

      That needs modding down as a troll. It's a cretinous statement.

      Your analogy is so flawed as to be ludicrous - Theo already IS the vendor for OpenSSH. If he wanted to feed you a trojan he wouldn't have to claim there was a hole to get you to upgrade, he'd just insert it, quietly, and wait for the natural upgrade cycle instead of getting everyone to examine the code.

      Trying to put people off using code that is going to protect them is downright dangerous; if you are running openSSH you ALREADY trust these people to provide source you run as root on your system. No further trust can be given. If you trust them that much not trusting their patch or advice regarding their own code is idiotic.

      Matt

  18. A reply to all those bitching by hayden · · Score: 4, Insightful

    Isn't it wonderful how a security hole in an open source program brings forth all the security experts on Slashdot. And they flame someone who knows a shit load about it and is dedicated to improving security to the point of being a complete arsehole.

    Anyway. My guess is that this hole is something substantial, possibly very platform dependent and any patches aren't going to be trivial. Seeing as all you people who felt the need to use fsck in their posts more than once know about as much as I do about this then my assumptions are as good as yours (and I don't feel the need to use the word fsck as an expletive once). Non-trivial patches mean that commercial vendors are going to take forever to release final patches and if you are running anything open to the internet then it's likely to be ssh. Add it all up it means this could be very bad.

    Now the OpenSSH team is actually two. One that develops new stuff and does code audits specifically for OpenBSD and another that takes that and ports it to other architectures.

    All those bitching about full disclosure, you manage to be completely committed to a cause, idiots and miss the point of full disclosure all at once. If the bug is bad then releasing it when only the OpenBSD version of OpenSSH is patched would be an absolute security nightmare. Giving vendors advance notice is very much required in this case. When the vulnerability is announced then I'm sure it will be fully disclosed which will provide the opportunity to test a system for vulnerabilities.

    As for you people who are saying Theo is being pro-OpenBSD, read the above paragraph again and answer this question. If Theo really wanted to really rip on other OS's then what could he have done with this announcement? Only OpenBSD not vulnerable and with mindless full disclosure to cover his arse. You do the maths.

    The fact is Theo is a complete arsehole when it comes to security. Some see this as not a bad thing. With OpenBSD security is pretty much everything. To the vast majority of other "vendors" security is something they also do and with this Theo has a legitimate gripe. He has got a shitty reception from other vendors to something that will make a vital link in the security chain more secure. Is he making a point of this? Probably. Is he right to do that? Depends on your point of view. If it gets the "vendors" off their arses and add support for privilege separation in their ports then would this be considered a good thing? Most definitely.

    When it boils down to it, Theo would be well within his rights to patch the OpenBSD version of OpenSSH (by using privilege separation) and hang the other vendors out to dry. He didn't. Deal with it.

    --
    Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.

  19. Re:OpenBSD remote hole? by John+Sullivan · · Score: 2, Insightful

    doesn't that mean OpenBSD 3.1 has a remote root hole?

    In common with every single other network OS out there, it has several remote root holes. We just haven't figured out what they are yet.

    --
    This is my World Wide Web of Whatever