Slashdot Mirror
OpenSSH Vulnerability Disclosed, Version 3.4 Released
Dan writes: "OpenSSH 3.4 has been released and will be shortly available on all mirrors. All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 fixes this bug." And kylus writes: "The previously mentioned vulnerability in OpenSSH has been disclosed by ISS X-Force today on the BugTraq list. This is a potential remote root compromise, and while there is a workaround, it's advised that users upgrade to version 3.4 as soon as they can."
locate the "ChallengeResponseAuthentication" line in /etc/ssh/sshd_config (typically) change to :
"ChallengeResponseAuthentication no" and restart sshd
http://www.codewolf.com - Just good stuff to waste time
it wasn't kept quiet for very long -- maybe a week
or two while solutions were implemented. The big
delay was that the vendors didn't believe it was
real.
Well at least they are honest about it, and are trying to fix it. There's a company out here in redmond that could take lessons in honesty and security from them.
They were told to release an upgrade to a version that broke existing functionality, was largely untested, and were also told that it didn't directly fix the issue anyhow. The were told this without any details of what the vulnerability was, or even if it would affect them (and it turns out that nearly every distro will be unaffected).
I don't blame any distro for being a little wary and asking for more information. I believe Debian summed it up very well in their advisory.
s/key auth. is a one time use password system. first, you'd generate some passwords and write them down.the passwords only work once. They come in handy if you're in an insecure network.
http://www.openbsd.org/faq/faq8.html#SKey
"I keep looking in the want-ads under 'revolutionary' but there don't seem to be any listings.. "
The details of the bug weren't disclosed immediately because there was no patch available. Now that it can be patched, most system will be protected from the script-kiddie storm. But, as usual, there are plenty of lazy and/or ignorant sysadmins who won't patch this.
It was hinted on bugtraq a while ago that a remote root exploit for SSH was discovered but would only be disclosed once patches were available.
- A real programmer uses $ cat > a.out
Although it looks like Theo could have simply told everyone to disable challenge/response authentication, I'll venture to guess that he had a reason for not doing so. Consider that his original announcement was deliberately obscure, in order to avoid advertising the vulnerability to crackers, while vendors scrambled to patch their systems. If Theo had originally said "turn off challenge/response", all the crackers would immediately know where to look for the vulnerability, and the vendors would no longer have the head start they needed.
Here it is a few days later, the vendors have been given time to implement fixes, and we have disclosure. What are you people complaining about? Apart from the lack of social grace that he's famous for, I'd say Theo handled this about as securely as he could. Moreover, he did so by folloing the procedure widely accepted in the security community. Am I missing something?
More simple is usually more secure.
RedHat 7.2 (at least) does not come compiled with support for either of the vunerable options.
/* Define if you want S/Key support */
/* #undef SKEY */
/* Define if you have BSD auth support */
/* #undef BSD_AUTH */
[mithras:~] mithras% ssh -V
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
and
cat
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
so it seems plausible that we're vulnerable, though I'm not sure.
However, this note indicates that 3.3p1 (and presumable now 3.4) compiles fine, including the privilege-separation option, without problems.
While Apple expects to have shipped 5 million computers with Mac OS X (and OpenSSH) by the end of the year, SSH is turned off by default. So this and future problems should affect only those who know what the hell SSH is...four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
You're trusting the same organisation that told us that the Apache bug wasn't exploitable on x86 Linux (and we later found out it was), that this is a trustable workaround?
No thanks, I'll upgrade my servers and enable priviledge separation. We may or may not see exploits that get around turning off the ChallengeResponseAuthentication bugs, but I'm not taking that chance.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
A lot of them compile in PAM, though. The bug involves keyboard-interactive mode plus one of the following: BSD_AUTH, S/KEY, or PAM.
OpenSSH supports the SKEY and BSD_AUTH authentication options. These are compile-time options. At least one of these options must be enabled before the OpenSSH binaries are compiled for the vulnerable condition to be present.
Both of these options are disabled unless specifically enabled with when configure is run. None of the Redhat 7.x OpenSSH spec files mention anything about BSD auth or SKey support, and so I conclude that they are not vulnerable.
You're trusting the same organisation that told us that the Apache bug wasn't exploitable on x86 Linux (and we later found out it was), that this is a trustable workaround?
Minor correction (only AFAIK, please correct me if I'm wrong):
ISS told us that the bug was not exploitable on any 32bit plattform, later we found out that this bug is exploitable on 32bit BSDs (free* and open* IIRC).
It's not exploitable on x86 linux.
There were basically two ways to fix your configuration. One was simple, and actually the default on most systems. The other is a pain in the ass, but Theo likes the second method because it is aesthetically more pure; a better implementation of a security conscious application.
The distributions (who couldn't get any information about the nature of the bug, just the suggestion that they fix the pain in the ass way of using sshd) correctly figured that they were being railroaded and balked.
For what it is worth, privelege separation is a better architecture for a security concious program, but setting up a chroot jail and adding new users, along with the brokeness of several ports of the new privsep code especially in the area of pluggable authentication modules (ie: RedHat) means that although I now have 3.4p1 iunstalled on my boxen, I also have privsep turned off. Less pure, but I'm a pragmatist, not an idealist.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
(See subject.)
Generally, the defaults are displayed in the config file, as commented out instructions. In other words, the default is yes.
Not true. My RH 7.2 and 7.3 systems default to "no". In fact, you can't set it to yes because support isn't even compiled in.
security model is too coarse grained: ... move towards ACLs, for example in NSA's SE Linux, as well as LIDS
Actually SELinux does not implement ACL's, but rather Type Enforcement. It also has potential (and experimental impementation) to implement MLS or other security policies / methods.
What type enforcement gets you is the ability to create highly fine-grained security controls, so that the program and user-security-context have privilege to execute critical functions and that privilege can be removed from the root user.
One of the debian SELinux implementers placed an SELinux system on the 'net with root-password / ssh access advertised. This is not a proof of safety, but in fact noone succeeded in escalating privilege.
As it looks like LSM is on track to be in kernel 2.6, at least the way is presently paved.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Meaning this brouhaha, of course...
Just to combat some of the misinformation that has been spreading around here:
Don't complain too much folks... you could have to do without a robust free ssh implementation.
ftp.openssh.org is getting hammered right now... sigh.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore