OpenSSH Vulnerability Disclosed, Version 3.4 Released

Dan writes: "OpenSSH 3.4 has been released and will be shortly available on all mirrors. All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 fixes this bug." And kylus writes: "The previously mentioned vulnerability in OpenSSH has been disclosed by ISS X-Force today on the BugTraq list. This is a potential remote root compromise, and while there is a workaround, it's advised that users upgrade to version 3.4 as soon as they can."

Workaround here:

[codewolf]

locate the "ChallengeResponseAuthentication" line in /etc/ssh/sshd_config (typically) change to :
"ChallengeResponseAuthentication no" and restart sshd

Re:Workaround here:

[f00l]

So if it is commented out, is it enabled, or disabled?

#ChallengeResponseAuthentication yes

Re:Workaround here:

[Squeezer]

It will take whatever the default is that is programmed into the code, which is prolly yes. So in other words if its commented out its more then likely enabled. So uncomment it and change it to no.

I think I should start an OpenSSH remote root exploit of the month club.

Re:Workaround here:

[lunenburg]

That would indicate that the default is "yes", so if you want to disable it, you need to uncomment it and set ChallengeResponseAuthentication to "no". Then restart sshd.

Re:Workaround here:

[codewolf]

Actually, it is safe to make the ChallengeResponseAuthentication no change and restart, until you upgrade. But, you can not assume your version is vulnerable solely from the config file, it's a compile time option that makes it vulnerable, and this is different on many systems, so be safe, do the workaround until you upgrade.

Why was it kept hush hush?

[wub]

Does anyone know why it was kept so hush? It's so unlike the open source community to not just put it all right out there.

Re:Why was it kept hush hush?

[Tyrall]

Nope, the big delay wasn't vendors didn't believe 'it' was real, they had no clue what 'it' was.

They were told to release an upgrade to a version that broke existing functionality, was largely untested, and were also told that it didn't directly fix the issue anyhow. The were told this without any details of what the vulnerability was, or even if it would affect them (and it turns out that nearly every distro will be unaffected).

I don't blame any distro for being a little wary and asking for more information. I believe Debian summed it up very well in their advisory.

Re:Why was it kept hush hush?

[reelbk]

The details of the bug weren't disclosed immediately because there was no patch available. Now that it can be patched, most system will be protected from the script-kiddie storm. But, as usual, there are plenty of lazy and/or ignorant sysadmins who won't patch this.
It was hinted on bugtraq a while ago that a remote root exploit for SSH was discovered but would only be disclosed once patches were available.

Re:Why was it kept hush hush?

[mkldev]

The OpenSSH guys are guilty of the worst kind of underhanded dealing in this matter. As a vendor, I'm frankly, disgusted in every sense of the word. They deliberately compromised the security of other vendors through their actions by:

* posting a workaround that broke functionality but didn't fix the problem,

* failing to disclose (in advance) a workaround that does close the hole,

* failing to release the source code to vendors before detailing the vulerability to the general public,

* deliberately releasing the vulnerability five days earlier than expected, catching vendors off-guard, and

* using strong-arm scare tactics to force a very broken feature on the end-user community.

In short, they have made a mockery of reasonable procedure for security updates.

If this is what we should expect from OpenSSH when future security vulnerabilities arise, then I, for one, will be investigating alternatives to OpenSSH, and I strongly encourage other vendors to do the same. The security of our users' systems is too precious to be left in the hands of someone who does not have their best interests in mind.

Re:Why was it kept hush hush?

[wackysootroom]

I could be that ISS does not want another PR fiasco like the one that it got when it released the Apache advisory recently

Re:Why was it kept hush hush?

[kevinank]

The rationale not exposing the exploit was that if the exploit became known then immediately there would be many thousands of machines that could be exploited. That would be bad, so the question became 'is there some way to disable the problem code without fixing the bug', then a bug fix can be delivered after without anyone getting hacked.

There were basically two ways to fix your configuration. One was simple, and actually the default on most systems. The other is a pain in the ass, but Theo likes the second method because it is aesthetically more pure; a better implementation of a security conscious application.

The distributions (who couldn't get any information about the nature of the bug, just the suggestion that they fix the pain in the ass way of using sshd) correctly figured that they were being railroaded and balked.

For what it is worth, privelege separation is a better architecture for a security concious program, but setting up a chroot jail and adding new users, along with the brokeness of several ports of the new privsep code especially in the area of pluggable authentication modules (ie: RedHat) means that although I now have 3.4p1 iunstalled on my boxen, I also have privsep turned off. Less pure, but I'm a pragmatist, not an idealist.

Re:Why was it kept hush hush?

[John+Hasler]

"The distributions (who couldn't get any information about the nature of the bug, just the suggestion that they fix the pain in the ass way of using sshd) correctly figured that they were being railroaded and balked. "

The Debian security team just about killed themselves getting the upgrade out for all eleven architectures and patching and backporting it to Potato.

And now we find out that we were never vulnerable.
I think there will be a movement to put a price on Theo's head.

Re:Why was it kept hush hush?

[datajack]

The last couple of weeks has demonstrated precisley what is wrong, from an end-user standpoint, with 'responsible disclosure' (yeuch!)

I don't know why, but ISS seemed to get under the skin of a lot of security researchers with their release of details of the recent Apache problem. This release was *directly responsible* for someone (I forget who, but thanks are due) to code a fairly simple work-around in the form of an Apache module, so that people can quickly install some protection whilst waiting for a fix to appear, and ancilliary apache addons (modssl, php etc.) to catch up with the new Apache release, so we are now maore-or-less protected whilst compiling, testing and installing new versiona of about half a dozen bits of software. Because of this release, the problem can be handled in a calm and non-disruptive manner.
Oh, and someone reported being hit with similar symptoms to this problem, well before ISS released the details.

Take that in contrast to when this OpenSSH problem hit the net. I was well aware of OpenSSH 3.3 and the new security features, and had a plan to wait till the next release (to check for implementation problems) and then upgrade all our servers in an orderly manner.
However,this morning, I opened Bugtraq to find a load of peeps that should know better (i.e. OpenSSH developers) screaming that there was a major root-exploit in the code I was currently running, that I had to upgrade immidiately, and no, they won't tell me what the problem is. Based on the available information, I made a judgement call, and suspended all incoming ssh access at the firewall until I could upgrade. As you can imagine, this pissed off a lot of customers. I also had to then reschedule my day to get, test and install this new version of SSH - I did not have time to put it through our usual QA process - to get us operational again.

To add insult to injury, when the details were released, it turns out to be a problem with a feature we do not even use and a simple config change was a suitable work-around.

Who do I get to bill for our (useless) 3 hour downtime?

Re:Why was it kept hush hush?

[kevinank]

And now we find out that we were never vulnerable. I think there will be a movement to put a price on Theo's head.

Before getting too upset with Theo, you should at least consider that security is Theo's life blood. The way he sees it, the primary bug in earlier versions of OpenSSH was the security architecture; by fixing that bug Debian is far ahead of the crowd since you will be impervious to a whole class of programming errors, of which this particular error is only a specific example.

He certainly didn't believe he was giving bad advice, and the fact that this whole thing has backfired on him will probably be setback enough. I'd certainly hate to see him burned so badly that he decides to drop out, just educated that even rational, well educated people don't always come to the same conclusions given the same data, and that he must let others come to their conclusions on their own.

For what it is worth I do admire the work the Debian team has done to get the new release integrated. I think it speaks volumes that the open team is also the only Linux distribution to have integrated the new features before the patch was released.

Re:Why was it kept hush hush?

[epine]

Every choice in handling this matter carries a different consequence for different groups of people. Theo can't serve every group equally.

As it turns out, recent OpenBSD installations were exposed to this, where many other platforms were not exposed.

The first question Theo had to decide was whether to spread the information around before his own user community was protected. Of course every vendor thinks they are entitled to this information. No black hats here! No rooted systems here! Your secrets are safe with us. Tell enough vendors, your secret is certain to escape.

The next question to decide is whether to create a window of opportunity for his own user base to protect themselves before giving away anything of use to the black hat community.

He can't do this without admitting that there is a big problem here. But any further details he gives become clues for those who might try to discover the flaw themselves.

As it stood, he had an option to put forward which allowed his user base to protect themselves while giving nothing away to his black hat adversaries. privsep is a case of Doing The Right Thing. I'm sure Theo does get frustrated that vendors don't put a higher priority on Do The Right Thing initiatives.

On OpenBSD itself, privsep has been there quite a while and I don't think it would be considered untested in its nascient environment.

He couldn't very well suggest to his user base "disable challenge/response". That's like backing away from Mike Tyson.

What could he have done differently?

He could have informed his own user base to install the reasonably well tested privsep version *in advance* of informing other vendors of the actual problem in secrecy *after* he completed the actual bug fix patch. This would have meant keeping the patch secret for another week or two.

But instead he chose to put his boot up the ass of vendors who think that compatibility with PAM is more important than adopting a model which eliminates 90% of the future prospect for more of the same.

If Theo were entirely sane he wouldn't be doing what he's doing. Maybe he has your best interests at heart, but the same best interests you chose for yourself.

There are always people who have good reasons for delaying The Right Thing. In the long term, I think these people contribute more to the sorry state of security that brash actions by people like Theo.

If you invest your faith in Doing The Right Thing on the technical merits, I think you'll stick with OpenSSH. If you prefer the relationship model of working hand in hand behind the scenes, maybe you won't.

Re:Why was it kept hush hush?

[pdqlamb]

Re: "a version that broke existing functionality." FWIW, I was worried whtn Theo threw out his gentle hints (or was that a stinkbomb?) yesterday and tried to upgrade my systems to openssh 3.3. Fortunately, I tested it on one system before broadly deploying it. 3.3 was broke. Neither ssh nor sshd would interoperate with anything else. 3.4 seems to be working, with some (relatively minor) nits.

But after seeing the easy patch (ChallengeResponseAuthentication no in the sshd_config file and restart sshd), I wonder where I can contribute to the "get Theo's attention" fund.

Re:Why was it kept hush hush?

[kevin+lyda]

huh?

the moment that the openssh team stands up and says to set challengeresponse to no, everyone knows what the bug is. yes, everyone has a chance to be secure, but it increases the chances that an exploit could exist while people are upgrading (remember, a fair portion of the world was asleep when the announcement went out).

and why all this abuse of theo? it was iss that released the details a week early with less then a day's notice.

Re:Why was it kept hush hush?

[John+Hasler]

"the moment that the openssh team stands up and says to set challengeresponse to no, everyone knows what the bug is."

All had to do was tell us that pre-3.0 versions weren't vulnerable.

"it was iss that released the details a week early with less then a day's notice."

It was Theo who sent out a notice telling us we had _four_ _hours_ to package 3.3 while neglecting to mention that our stable distribution was not vulnerable.

Re:Why was it kept hush hush?

[rodgerd]

Which rather substantiates Alan Cos's scepticism...

Re:Why was it kept hush hush?

[cygnusx]

I have a question: Today OpenSSH was upped to 3.3p1 in stable because the team did not know what the problem was. Is there a chance that the Debian security team will decide that it's worth it to `go back' to the older version of OpenSSH which potato was using (which wasn't vulnerable), in keeping with the tradition of no-new-features in stable?

Re:Why was it kept hush hush?

[kevin+lyda]

er, no.

openssh 2.9 was vulnerable too. a revised statement came out that says that openssh back to 2.3 is vulnerable.

Was there ever a working 'sploit?

[toupsie]

I have read much about this problem in OpenSSH and fearing the worst...checking logs to see how often my SSH version was scanned. However, as far as I know, I haven't had any break ins using a SSH exploit. Thank God for TCP Wrappers, at least that helps when you find out about these things.

Did any one of the many black hat groups out there actually work up a exploit or was this caught in time that it was just a possibility of being exploited?

Re:Was there ever a working 'sploit?

[evilviper]

I have it on good authority from a collegue of mine (okay, fine, he's a script kiddie, but he keeps up on all the '0day' exploits, so he comes in hanndy) that not only is there an exploit for OpenSSH, but there is one for the latest version of SSH.com's ssh server (3.2.0 IIRC).

He's a rather reliable source. In fact, he let me know that Apache on essentially ANY platform was vulnerable, long before IIS or Bugtrack had that info. Interestingly enough, a few days later, one of our servers (not one that I admin-I NEVER run Apache as Root) was Root'ed. It was just a small workgroup server, no real harm done.

New Slogan!

[skinney]

"One remote hole in the default install, in nearly 6 years!" you can see it here: OpenBSD

~Shane

Re:New Slogan!

[AndrewHowe]

It was suitably humble of them to admit it and update their homepage.
Unfortunately, one remote hole is all you need. Such is the Unix nature.

Re:New Slogan!

[Oztun]

No actually one exploit is all you need and so far no one seems to have it.

Re:New Slogan!

[AndrewHowe]

That would be pure speculation on your part.

Re:New Slogan!

[bbh]

Yeah, it was probably the guy with the exploit that updated the webpage :P

bbh

Re:New Slogan!

You only think your toaster is secure.

Re:New Slogan!

[zulux]

Isn't one remote hole all Windows needs too? Or isn't that the Windows nature?

The biggest security hole in Windows is the power-button. Turn it on, and POW! HACKED BY CHIN33SE!

Re:New Slogan!

[Rogerborg]

And that is the difference between open source and proprietary. You can argue until the cows come home which one is better, but open source is demonstrably more honest. If there's a hole, you find out about it. It isn't hushed up and smushed into the next Service Pack, regardless of whether it's being sploited or not.

I'm currently building a firewall machine for my brother. I'd considered openBSD, but was going to just stick to what I know and use a cut down Linux distro. But this changes my mind. I'm still old fashioned enough to respect honesty and integrity; people who display those virtues (I've found) tend to write better code, because they're more open to positive criticism and apply higher standards to their work. So openBSD it is, and roll on the next vulnerability, sometime in 2008.

Re:New Slogan!

[T-Ranger]

True, but your "secure by default" is important to the OpenBSD people. There goal is to create a secure opearating system, period.

With other OS distros, be it linux, other bsd's, commercial unix'x or stuff from MS, many services are turned on by default. Services provided by packages not necessaraly developed in house. The vendor hasent audited the code so is realy unaware of the risk of running it. The sysadmin is doubly unaware of the risk; he hasent audited the code (or is taking the word of a trusted auditor..) and may not be compleatly aware that the code is even running.

OpenBSD "secure by default" means that when a system is installed somebody has to make a concious decision to enable services, and thus make the system less secure (bug free services or not; think "airplane rule" here). Hopefully the person enabling the service will think about the security consiquences of doing so. If they dont thats not realy OpenBSDs fault.

Re:New Slogan!

[Wakko+Warner]

Unfortunately, one remote hole is all you need.

Sort of like cock pushups.

Except the rooting is of a different nature.

- A.P.

Re:New Slogan!

[cachapa]

It's better than the alternative:
"5 hours without remote holes in the default install"

Re:New Slogan!

[Neon+Spiral+Injector]

And that is how all operating systems should be.

As another poster said above, the biggest hole in Windows is the power button. The default install of what ever Microsoft is calling the server addition of Windows 2000, has IIS running. If you just connect to the Internet to get your Windows Update you'll probally be exploited before it is done.

I know I put Apache on a machine that had never been a webserver before. I started right away testing the server side includes. When they didn't work I checked the error log. I was suprised to see that an IIS worm had attempted to exploit my machine before I even began testing.

I wish more Linux installs would ship with all listening services disabled. Make you turn on what you need, not turn off what you don't.

Re:New Slogan!

[Neon+Spiral+Injector]

Don't get me wrong, that is what I do. Actually I build custom Linux installs from embeded to clustered servers. I only install what is needed.

But what I'm saying is, for the less than professional people out there, installs should be much tighter from the initial boot.

And I know there must be enough of these less-than-professional people out there, from the rate at which my new born machine started seeing IIS worm requests.

Re:New Slogan!

[carlfish]

Or, as JWZ put it: "___0___ days without an on-site injury!" (sic)

(although I had to un-caps it to get past the lameness filter)

Re:New Slogan!

[AndrewHowe]

You are assuming that anyone with an exploit would be jumping up and down, waving their dick in the air, shouting, "Me! Me! I have an exploit". Well, maybe they do, and meybe they don't. And maybe their dick is too small to see from where you are sitting...

Re:New Slogan!

[AndrewHowe]

Hmm. Well, everything in Windows is controlled by ACLs. Erm, well apparently in the distant past that was not true... But we can forget about that! Now this is something that is anticipated for inclusion into the Linux kernel, for example. 2.5? Who knows?
Anyway. The interesting thing is that the whole problem in the this OpenBSD case was to do with this "mitigation" feature. That is to say, that to mitigate the problems associated with a hack against the OpenSSH system, not all r00t facilities should have been available. Unfortunately, erm, well the exploit would get around that. So, you get this situation in which a single r00t hole (and here you see the difference between 0 and 1 [dontcha love binary?]) gives you carte blanche to do whatever the fuck your black evil heart desires.
Now, you might say to me, well, no fucker actually uses ACLs properly in Windows.
And you would probably be right.
Sigh.

There's security leaks everywhere

[Black+Aardvark+House]

Whether the source is open or closed, you're going to have something slip through all those lines of code.

The key here is that it is caught and corrected, and solutions offered.

I'm impressed

[bigberk]

I'm impressed that the OpenSSH team gave us advance warning that this bug was going to be announced, and also how to reduce the risk (privilege separation).

From [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability

"There is an upcoming OpenSSH vulnerability that we're working on with ISS. Details will be published early next week.

However, I can say that when OpenSSH's sshd(8) is running with priv seperation, the bug cannot be exploited.
. . .
We've given most vendors since Friday last week until Thursday to get privsep working well for you so that when the announcement comes out next week their customers are immunized. That is nearly a full week (but they have already wasted a weekend and a Monday). Really I think this is the best we can hope to do (this thing will eventually leak, at which point the details will be published)."

Is it just me....

[GnomeKing]

...or does anyone else think that the way that this particular exploit was handled was, to say the least, irregular...

Personally, I'd go as far to say that I would rather switch to an alternative SSHd in the period that we were given from the presence of the exploit being announced to the fix being released - rather than following the "everyone upgrade now to our super-duper-improved privaledged seperated version"

It just seems to me that rather than attempting to help us users, the way that this bug was handled was just a huge PR stunt...

and I dont like it

Re:Is it just me....

[rosie_bhjp]

I'm not sure why people think this was handled badly.
OpenSSH enjoys a broad user base and is on a lot of trusted systems, a lot of admins trust their jobs to it. Theo, Neils, Markus et al. have been pushing for people to upgrade to the later versions that contain support for Privilege Separation which make this hole pretty much worthless in the first place. However, as Theo stated on the Announce list people have been hesitant to upgrade to the newer version.
ISS notified the OpenBSD/OpenSSH group of the security hole and just like every other exploit they find, they worked WITH the developers to give them a little time to develop/test the patch before they made the announcement. How is this different than anyone else?
Theo also said OpenSSH and the exploit wouldn't be released until next Monday, but the fix has been released today. My guess is that they agreed to do the announcement as soon as the patch was developed or Monday, whichever was sooner. The patch was completed/tested ahead of schedule, so there you go.
Congrats to ISS for discovering the flaw, they killed the five year streak.
Congrats to the OpenBSD team for putting together such a good system and hopefully the next streak will be even longer.

Now the hole has been disclosed, the patch has been released. Get off your arse and start patching or don't bitch when you get rooted.

Re:Is it just me....

[tzanger]

...or does anyone else think that the way that this particular exploit was handled was, to say the least, irregular...

I agree totally. What is that dude Theo smoking? We've had remote root exploits before and they were handled properly. This one was like a forced push for untested brand new privsep code. No thanks. I just added "ChallengeRepsonseAuthentication no" in my config instead.

To me it seemed like a PR stunt. Why it was handled this way I don't know, but I'm not going to jump when he demands everyone upgrade or else.

I'd go as far as to say I want to see a working exploit for this. It sounds fishy. An integer overflow (not a string overflow) causing remote root? I find that very hard to believe.

Pay no attention to the man behind the curtain...

Re:Is it just me....

[Crispy+Critters]

I would rather switch to an alternative SSHd in the period that we were given from the presence of the exploit being announced to the fix being released

You have found the big hole in the "window of opportunity" description of the danger of a bug (Bruce Schneier, Cryptograms and books). Fortunately, it gives even further support to the "full disclosure" movement.

We don't need to wait for the bug-fix release to secure our systems. We can switch to alternate products, change config files, and even turn off convenient services that are not strictly necessary or block them at the firewall temporarily.

Schneier says the window is open between discovery of the bug and the time when a fix is released (and longer until everyone fixes their systems). This is a perfect example of how full disclosure allows you to close the window even before a patch is developed.

Re:Is it just me....

[Znork]

The reason people think this was handled badly is because most people arent affected. As far as I can tell, pretty much everyone who isnt running xBSD hasnt been affected, and a workaround by changing one line in the config is _far_ easier than upgrading to a sortof broken version, followed by yet another upgrade to a less broken version.

Cheers, Theo

[gorf]

All that you need to do, as far aas I understand it, is turn Challenge/Response authentication off (which nobody uses anyway). So the line in /etc/ssh/sshd_config reads:

ChallengeResponseAuthentication no

and then restart the daemon.

Big deal.

I don't see any need to upgrade anything. Yes, privilege separation is nice in terms of future security, but I prefer the (more likely) known stability of software that has been in use for a while.

Debian security policy is that vulnerability fixes are backported (to avoid adding anything that could cause instability or further insecurity); this was made impossible by Theo's and ISS' advisory which lacked any details about the exploit. This may have been justified had the exploit not be able to be prevented by a simple configuration change (in order to give administrators time to prepare an upgrade their systems), but not for this.

Cheers, Theo, you just cried Wolf for the entire community. If there ever is a hole major enough that everyone should (or might want to) upgrade to a version which is by nature immune rather than give away the exploit by releasing a patch, noboby's going to believe you now, and probably not anyone else either.

Re:Cheers, Theo

[BJH]

Hmmm, that's weird... disabling ChallengeResponseAuthentication causes OpenSSH to show the username and hostname when asking for the password, whereas before it only showed the "Password:" prompt.
(In other words, it now displays "USER@HOST.NAME's password:")

It's not really a problem, since (obviously) you need to know what user you're trying to log in as, but it would suggest that it goes through different code paths when the option's enabled compared with when it's disabled, even if you're using the same authentication type each time.

Re:Cheers, Theo

[Matts]

You're trusting the same organisation that told us that the Apache bug wasn't exploitable on x86 Linux (and we later found out it was), that this is a trustable workaround?

No thanks, I'll upgrade my servers and enable priviledge separation. We may or may not see exploits that get around turning off the ChallengeResponseAuthentication bugs, but I'm not taking that chance.

Re:Cheers, Theo

[transient]

This is a problem throughout most of the security community, and it's the reason I don't subscribe to bugtraq anymore. At the risk of starting a flamewar, my impression of people who are really into security as a group is that they have an over-inflated sense of their own importance. Every seminar I attend, every publication I read, and every security expert I speak to tells me the same thing: that hordes of hackers (and now terrorists, too) are out to melt my hard drives and make me lose $1 million a minute.

This is simply not true. I believe that security is important, and that there are certain measures sysadmins should take in order to keep undesirables out of their systems. But every time somebody finds some tiny little problem in a program, suddenly the world screeches to a halt, everyone panics, and we get bombarded with headlines and emails demanding that we upgrade immediately or our data centers will explode. Oh, and by the way, don't forget to put two pages of credits on the exploit's "whitepaper".

The result of all this horn-tooting is that I don't care anymore. Whenever someone utters the words "security advisory" I simply stop listening, because 99% of advisories are crap.

Re:Cheers, Theo

[platypus]

You're trusting the same organisation that told us that the Apache bug wasn't exploitable on x86 Linux (and we later found out it was), that this is a trustable workaround?

Minor correction (only AFAIK, please correct me if I'm wrong):
ISS told us that the bug was not exploitable on any 32bit plattform, later we found out that this bug is exploitable on 32bit BSDs (free* and open* IIRC).
It's not exploitable on x86 linux.

Re:Cheers, Theo

[gorf]

Hold on a minute...

There's nothing to say that this isn't a vulnerability in ssh, nor that is isn't exploitable. I'm complaining about the way it was handled, not the fact that it doesn't exist!

I have seen few "crap" advisories. Most bugtraq postings refer to real vulnerabilities, and the ones that don't are quickly pointed out.

It is important to keep up; the results from those who didn't are well known.

...because 99% of advisories are crap

Then at the very least listen to (hopefully digitally signed) advisories from your own vendor.

Re:Cheers, Theo

[platypus]

Ok, you're right, looked at the source of the last file they released, apache-nosejob.c, and they claim apache+linux2.4 to be vulnerable, also Sun Solaris 6-8 (sparc/x86).

Ok, my server run on 2.2, so I'm safe (just joking ;-)).

Re:Cheers, Theo

[BlowCat]

$ telnet goatse.cx 22
Trying 209.242.124.241...
Connected to goatse.cx (209.242.124.241).
Escape character is '^]'.
SSH-2.0-3.1.0 SSH Secure Shell (non-commercial)

What a pity, it's not OpenSSH! I'm sorry, I cannot upgrade that hole remotely.

Re:Cheers, Theo

[Sircus]

I imagine he's probably trusting the OpenSSH team who have finally admitted that this simple workaround works just fine.

The dire warnings suggesting upgrades to 3.3 were, as far as I can tell, just a strawman to get vendor assistance in actually getting 3.3 to work. Although priviledge separation isn't a bad idea in principle, I'd question its value when you're still left with 2500 of recently-written, can't-possibly-have-been-thoroughly-audited code in the priviledged half after the 'upgrade'.

Re:Cheers, Theo

[dmiller]

Cheers, Theo, you just cried Wolf for the entire community.

Perhaps you would have preferred to leave the people who need kbd-int authentication hanging out to dry? That's a pretty selfish attitude to take.

Re:Cheers, Theo

[gorf]

I don't think complaining about the fact that I just upgraded my box to a version that was vulnerable (and largely untested) when it was fine in the first place is particularly selfish. YMMV.

well...

[ChrisMG999]

Well at least they are honest about it, and are trying to fix it. There's a company out here in redmond that could take lessons in honesty and security from them.

What is ChallengeResponseAuthentication?

[rherbert]

How does this authentication method work? I just disabled it, and I was still able to log in using my RSA keys and password authentication (which are the only methods I use). The documentation says it's for s/key authentication, but what is that? How common is this authentication method, and who would use it?

Re:What is ChallengeResponseAuthentication?

[diamondc]

s/key auth. is a one time use password system. first, you'd generate some passwords and write them down.the passwords only work once. They come in handy if you're in an insecure network.

http://www.openbsd.org/faq/faq8.html#SKey

Re:What is ChallengeResponseAuthentication?

[D_Gr8_BoB]

None of the Redhat 7.x series are vulnerable. To quote from the advisory:

OpenSSH supports the SKEY and BSD_AUTH authentication options. These are compile-time options. At least one of these options must be enabled before the OpenSSH binaries are compiled for the vulnerable condition to be present.

Both of these options are disabled unless specifically enabled with when configure is run. None of the Redhat 7.x OpenSSH spec files mention anything about BSD auth or SKey support, and so I conclude that they are not vulnerable.

Re:What is ChallengeResponseAuthentication?

[Dahan]

You don't know how to use s/key... if you don't have a s/key calculator to take with you, print up a few passwords before you leave for the Internet cafe and keep the list in your wallet. You don't have to calculate the passwords in your head.

Re:What is ChallengeResponseAuthentication?

[autocracy]

Wow, that's a shitty way to make a conclusion. You're assuming everything in Red Hat is properly documented... Try looking at the source RPM instead...

Re:What is ChallengeResponseAuthentication?

[dmiller]

Redhat installations may be vulnerable if they have enabled PAMAuthenticationViaKbdInt.

Re:What is ChallengeResponseAuthentication?

[D_Gr8_BoB]

Er... the .spec file is the part of the source RPM that details how the package is built.

Re:What is ChallengeResponseAuthentication?

[autocracy]

The .spec file is contained within the source RPM and hence is extractable. Besides, I'm not aware of an archive of just .spec files for Red Hat (though they most likely exist).

Re:What is ChallengeResponseAuthentication?

[Znork]

True. However, it isnt really used that often, and I'd say the OpenBSD folks have ignored their own best practices of turning off all unnecessary features in this case.

Easy workaround

[garett_spencley]

Don't use SSH. Switch to telnet instead....

ChallengeResponse... oh please! Telnet's never had these problems.

(note for the humour impared: this is a *joke*).

--
Garett

Re:Easy workaround

[ajs]

ChallengeResponse... oh please! Telnet's never had these problems.

I know you were trying to be humorous, but keep in mind that telnet *does* support challenge-response via the pam system under Linux and most modern systems.

okay, let me get this straight.

[Dr.+Awktagon]

Okay, busy morning but glancing at the news, here's what I see:

There was a bug in the challenge/response code between 3.0-3.2.3. In fact, it's an "overflow" according the advisory. This means to me, it should be a fairly easy fix. Quote:

It is possible for a remote attacker to send a specially-crafted reply that triggers an overflow. This can result in a remote denial of service attack on the OpenSSH daemon or a complete remote compromise.

In addition, this overflow only works when SKEY and/or BSD_AUTH is enabled. But this seems to be "not enabled...in many distributions". How about Linux? However, OpenBSD has BSD_AUTH enabled (natch). Quote:

At least one of these options must be enabled before the OpenSSH binaries are compiled for the vulnerable condition to be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled. The SKEY and BSD_AUTH options are not enabled by default in many distributions.

And now to add insult to injury, the 3.3 I installed yesterday has a new different buffer overflow, so I have to jump to 3.4 now (does it have any new bugs too?)

I don't like to jump versions on production machines. I like to fix what's running for minimum disturbance.

Can someone please explain why this vulnerability was handled this way? Why wasn't there a maintainance release that just fixed the @#$@#% problem?

I know: since the bug affected so many people, Theo thought it would be better to bury the problem in his privsep code, instead of fixing it and letting the blackhats run "diff" and find it for an easy 0-day-'sploit. In other words, security by obscurity, just like the big guys. That stinks, if you ask me.

On the other hand, I charge by the hour when I upgrade my client's machines. So thanks Theo! $-)

Re:okay, let me get this straight.

[Dr.+Awktagon]

ha ha.. it looks like many of my machines already had "ChallengeResponseAuthentication no" for at least the last few months. I'm going to go beat myself in the head with a brick now.

Re:okay, let me get this straight.

[zrodney]

no it's not because he was afraid some black hat
could run diff.

it's because the vendors wouldn't cooperate to
make the privsep work and he got all frustrated
because the other code couldn't be fixed in time
either.

Re:okay, let me get this straight.

[jred]

ha ha.. it looks like many of my machines already had "ChallengeResponseAuthentication no" for at least the last few months. I'm going to go beat myself in the head with a brick now.

You need to get a girlfriend. Then *she* can smack you w/ a brick. Seriously, my gf recently started to carry a brick in her purse. Now if I get out of line she just tosses it from hand to hand & I straighten up real quick :)

Re:okay, let me get this straight.

[dmiller]

In addition, this overflow only works when SKEY and/or BSD_AUTH is enabled. But this seems to be "not enabled...in many distributions". How about Linux? However, OpenBSD has BSD_AUTH enabled (natch).

Actually you may be vulnerable if you have PAMAuthenticationViaKdbInt set as well.

Can someone please explain why this vulnerability was handled this way? Why wasn't there a maintainance release that just fixed the @#$@#% problem?

I know: since the bug affected so many people, Theo thought it would be better to bury the problem in his privsep code, instead of fixing it and letting the blackhats run "diff" and find it for an easy 0-day-'sploit. In other words, security by obscurity, just like the big guys.

No, a release with a workaround (privsep) was distributed to give people a chance to immunise themselves before the real problem was publicised.

That stinks, if you ask me.

Nobody did.

MacOSX update ?

[selderrr]

I wonder is Apple is going to release a minor OSX update for this. If they do, they prove themselves worthy supporters of OpenSource and creators of an OS that truly respects security.
If they don't, welll, they're still a 100 times more secure than 95% of the market

Re:One Word "Gobbles"

[toupsie]

I thought that was the Apache 'sploit on OpenBSD systems. Private Distro channels? What is that? P2P for script kiddies?

Gobble! Gobble!

For gods sake

[Mr_Silver]

Never have I seen such a pathetic display of whinging. Bug was found, 3 choices:

1. Tell you lot nothing, get the fix done and released (in which case you wouldn't have known about it until the fix came out).

2. Or tell you there is a bug, you can fix it temporarily by doing this until we get the fix out. In which case you decide either to follow him or do nothing (because after all, thats what you'd have been doing if nothing was said)

3. Or say, we have a bug, it's this and this and this is how you exploit it and then you lot all either scramble to install something else or sit around praying you don't get rooted whilst they compose a fix because now everyone and their dog know exactly how to exploit it.

Geeesh, be thankful he actually told you number 1. Next time, I think he should probably stick with number 2 and just tell you when the fix is out - at least then you can't whinge about it.

Re:For gods sake

[tzanger]

Geeesh, be thankful he actually told you number 1. Next time, I think he should probably stick with number 2 and just tell you when the fix is out - at least then you can't whinge about it.

I agree. 1 is better than 3, but 2 is what he has been doing for a long long time. This was a stunt to try and make everyone upgrade to 3.4 with the nifty privsep code that isn't fully working on all platforms yet. I suppose he's running out of alpha/beta testers and needed more or something.

Re:For gods sake

[DustMagnet]

Sure, given your choices that's best, but they could also:

A. Tell me that it only effects a small portion of installed systems.

Geesh, why make it sound like everyone had this problem?

Re:For gods sake

[sjames]

Geeesh, be thankful he actually told you number 1. Next time, I think he should probably stick with number 2 and just tell you when the fix is out - at least then you can't whinge about it.

4. Tell reputable distro maintainers exactly what the problem is while the bug is fixed. Let the maintainers figure out what their user base needs to do.

Number 4 is especially important in the situation with OpenSSH. Many who did the upgrade BECAME vulnerable to the lesser non-root expolit when the version they 'upgraded' from had no known holes! That would have been averted if distro maintainers had been in the loop.

Where are the vendor statements?

[embobo]

Where are vendor statements that usually accompany such announcements?

Thankfully the default setup on SuSE 7.3 is "ChallengeResponseAuthentication no". Unfortunately, the default on Redhat 7.[0123] is "ChallengeResponseAuthentication yes".

Better workaround: Mandrake

[Anarchofascist]

"Naaah, OSS has no security holes."

According to my sshd configuration under Mandrake 8.0, this is already set to "n". In fact, the comment above the line makes things even more clear:


# Comment to enable s/key passwords or PAM interactive authentication
# NB. Neither of these are compiled in by default. Please read the
# notes in the sshd(8) manpage before enabling this on a PAM system.
ChallengeResponseAuthentication no

Probable Reason for Theo's Approach

[Foresto]

Although it looks like Theo could have simply told everyone to disable challenge/response authentication, I'll venture to guess that he had a reason for not doing so. Consider that his original announcement was deliberately obscure, in order to avoid advertising the vulnerability to crackers, while vendors scrambled to patch their systems. If Theo had originally said "turn off challenge/response", all the crackers would immediately know where to look for the vulnerability, and the vendors would no longer have the head start they needed.

Here it is a few days later, the vendors have been given time to implement fixes, and we have disclosure. What are you people complaining about? Apart from the lack of social grace that he's famous for, I'd say Theo handled this about as securely as he could. Moreover, he did so by folloing the procedure widely accepted in the security community. Am I missing something?

Re:Probable Reason for Theo's Approach

[esper]

the vendors would no longer have the head start they needed

Except the vendors didn't get a head start because the vulnerability wasn't disclosed to them either. They were just handed OpenSSH 3.3 and told, "Here. Use this. It doesn't fix the hole that we won't tell you about, but it will prevent it from being exploited." Now, today, the vendors have finally been allowed to see a patch and can start implementing fixes other than "upgrade to the newest version".

Hmm... "There's a problem, we won't tell you what it is, but if you upgrade to the newest version, it will go away, plus you'll get nifty new features along with it!" Where have I heard that before?

Re:Probable Reason for Theo's Approach

[gorf]

Apart from the lack of social grace that he's famous for, I'd say Theo handled this about as securely as he could.

Yes, he did.

Moreover, he did so by folloing the procedure widely accepted in the security community.

No, I don't think he did. Normally the exploit is announced at the same time as the fix or workaround. Instead of this, he told everyone to upgrade (which is an unnecessary inconvenience for at least some people, who could just use the workaround). He has basically forced us to (unnecessarily) upgrade to a version which has known problems.

I don't think this is standard practice, but clearly it isn't a standard situation (ssh is the one thing that locked-down boxes still may have open, and the upgrade conveniently stopped the exploit without giving it away). I'll admit that whether or not he did the right thing isn't clear cut, but I don't think he did.

With every other exploit/fix that's announced there's a "Window of Exposure" during which you are vulnerable, and that was still the case here. The only difference is that there was a chance that fewer people knew about it. But given that the exploit was found, there's no reason that it hasn't already been actively exploited for a while by black-hats.

It's generally accepted that there's always going to be a "Window of Exposure", and that the way to keep this to a minimum is to coordinate the announcement of the exploit with the announcement of the fix. I don't see why that couldn't have been the case here.

While I accept the advantages of his approach, in my particular case the disadvantages far outweigh them (if I had decided to upgrade all the boxes I'm responsible for, this would have taken me maybe about 36 hours and many remote reboots. Had I messed up then entire businesses would have gone without functional computers). My problem is that he made the decision for us, and this is exactly what full disclosure is not supposed to do.

Re:Probable Reason for Theo's Approach

[Bishop]

Except in this case the vendors, such as Debian, didn't have any head start. As per the above post Theo didn't tell the vendors anything either.

Re:Probable Reason for Theo's Approach

[PD]

I just my three systems in 30 seconds. I was already logged into each one, so I did

>su -
>apt-get update
>apt-get upgrade

All done.

Re:Probable Reason for Theo's Approach

[rabidcow]

Hmm... "There's a problem, we won't tell you what it is, but if you upgrade to the newest version, it will go away, plus you'll get nifty new features along with it!" Where have I heard that before?

From every programmer ever? It's pretty standard when reporting a bug to get "please upgrade to the latest version and try again." Nobody wants to have to go back and fix bugs in every version of every program they've ever written.

Re:Probable Reason for Theo's Approach

[esper]

From every programmer ever?

Nope. I guess I just forgot that the Debian security team, which backports security fixes, is an anomaly.

More seriously, though, one of the often-touted benefits of open source/free software is that we produce security patches which don't introduce hordes of new features (and bugs). It's sad to see good projects starting to behave like proprietary software vendors and doubly so that it would be something as respectable as openssh.

Slackware not vulnerable

[volkerdi]

Slackware is not affected by this security problem. You need BSD_AUTH, S/KEY, or PAM to have a potential problem (PAM is still not verified), and we've never compiled in any of those options, nor are they options in a default build. So, you could just keep using a version with working compression, just don't include those options.

More simple is usually more secure.

Re:Slackware not vulnerable

[|<amikaze]

Agreed. I have been hardcore into Slackware since around 1997 and always keep coming back. Thank you for you rhard work, and keeping slackware the way it is, and the way linux should be.

The good news ...

[joe_fish]

... is that on the 2 RedHat 7.3 boxen I have access to already have "ChallengeResponseAuthentication no" - so I guess this means I'm not vulnerable?

Assuming this is true for all RH7.3 boxen, there aren't hundreds of boxes waiting to be r00ted. It sounds from the comments like Debian is vulnerable - what about older RedHats, and other distros?

I get the feeling this was is a molehill made into a mountain.

Re:The good news ...

[volkerdi]

A lot of them compile in PAM, though. The bug involves keyboard-interactive mode plus one of the following: BSD_AUTH, S/KEY, or PAM.

Re:What version does OSX ship with?

[mithras+the+prophet]

Welcome to Darwin!
[mithras:~] mithras% ssh -V
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f

and
cat /etc/sshd_config
...
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

so it seems plausible that we're vulnerable, though I'm not sure.

However, this note indicates that 3.3p1 (and presumable now 3.4) compiles fine, including the privilege-separation option, without problems.

While Apple expects to have shipped 5 million computers with Mac OS X (and OpenSSH) by the end of the year, SSH is turned off by default. So this and future problems should affect only those who know what the hell SSH is...

How to fix ...

[joe_fish]

Just add a line to your /etc/ssh/sshd_config like this:

CheckPasswords false

And then reboot your sshd.

Finally mail me, and I'll check that you really are safe. Oh and don't about slashdot users giving you bad advice you can be sure to only get accurate information here.

I like the new slogan...

[bluebomber]

the openbsd website has been updated:

One remote hole in the default install, in nearly 6 years!

*sigh*

Fun while it lasted, I guess...

Affects who?

[MSG]

So, what do we know about who is affected? Immediately after reading the announcement, I checked Red Hat Linux's build of OpenSSH. The configure script positively reports that the affected authentication mechanisms are not available. 'ssh -v' does not indicate that challenge-response authentication methods are available either. I imagine that other Linux distros are similar?

RHL configure output:
OpenSSH has been configured with the following options:
...
Smartcard support: no
S/KEY support: no
BSD Auth support: no

Code Audits, the UNIX security model

[Nerant]

How secure any software you're running on your system(s) depends on the quality of the code audit done on the code. I'm not judging the standard of the OpenSSH's team code audit here: things will slip through given the inherent complexity of software.
Privilege separation is a step in the right direction. By minimising the amount of code running as root, it makes code audits simpler and more through, and minimises the damage any potential exploit could do in the part running as a normal user.
Stepping back from the situation, privilege separation is just a bandaid for the lousy UNIX security model. Yes, granted, UNIX / Linux (i have no experience with other UNIX systems, so i shall reserve comment) have a security model that's used, as compared to Windows 9X. (Windows 2K has a security model, but the MS culture makes it difficult to administer it, but i digress). However, this security model is too coarse grained: it grants "root" too many privileges, too many rights. This is evident in the move towards ACLs, for example in NSA's SE Linux, as well as LIDS.
We need to overhaul the security model to one that's not prone to insecure software as much. Note I said as much:No system is 100% secure, and I don't want to replace my system with a toaster.
Appreciate feedback. Thanks. =)

Re:Code Audits, the UNIX security model

[fw3]

suggest you go have a look at LSM - Linux Security Module ... see the .mp3 of the lsm presentation at this weeks kernel summit at lsm discussion. LSM creates hooks in the kernel functions which are security relevant (about 150) and can mitigate access to a couple dozen kenel data structures.

security model is too coarse grained: ... move towards ACLs, for example in NSA's SE Linux, as well as LIDS

Actually SELinux does not implement ACL's, but rather Type Enforcement. It also has potential (and experimental impementation) to implement MLS or other security policies / methods.

What type enforcement gets you is the ability to create highly fine-grained security controls, so that the program and user-security-context have privilege to execute critical functions and that privilege can be removed from the root user.

One of the debian SELinux implementers placed an SELinux system on the 'net with root-password / ssh access advertised. This is not a proof of safety, but in fact noone succeeded in escalating privilege.

As it looks like LSM is on track to be in kernel 2.6, at least the way is presently paved.

Do I assume this is set at no?

[antdude]

In my /etc/ssh/sshd_config:

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

This was on my Red Hat Linux 7.1 workstation (also acts like a private server only to me). Do I assume this is at no value right now and I don't need to worry?

Thank you in advance. :)

Re:Do I assume this is set at no?

[RollingThunder]

Generally, the defaults are displayed in the config file, as commented out instructions. In other words, the default is yes.

Summary?

[Snafoo]

Is there a page anywhere that summarizes the holes/bugs/exploits in OpenSSH discovered in the last, say, two years? year? six months?

Compression and 2.2.x kernels?

[cjpez]

The 3.3 release of OpenSSH required that with PrivilegeSeparation turned on, Compression had to be turned off for Linux kernels in the 2.2 line. Does anyone know if this is true for the 3.4 release as well, or has that been fixed?

Re:Compression and 2.2.x kernels?

[D_Gr8_BoB]

It's still broken, but at least now it'll tell you they don't work together rather than just breaking.

Re:Compression and 2.2.x kernels?

[cjpez]

Yeah, I knew how to disable Compression, just wanted to know if I still had to before upgrading . . . I suppose I could have just tried it out myself, but why waste my time when I can waste my time AND someone else's at once? :P

As to the typing, if that's a serious question, I tend to type pretty quickly. Couldn't give you a WPM, though. Why the query?

Re:Compression and 2.2.x kernels?

[cjpez]

Aaaaaah, no, I've got it now. :) Not terribly funny, but not bad, either. :)

3.4 is a double-edged sword on Solaris

[koreth]

I discovered after downloading and building 3.4p1 on my Solaris 7 box that Solaris doesn't support a shared memory feature 3.4's privilege separation uses. As a result, you can enable privilege separation or compression, but not both at the same time. Just something to be aware of if you're considering an upgrade. (It's possible more recent versions of Solaris don't have this problem.)

Yes: http://www.openssh.com/security.html

[David+McBride]

(See subject.)

Try something else.

[TheLink]

I use stunnel and telnet (plus mandatory ssl certs - so even though telnetd might have a bug, you can't exploit it without a valid cert).

Years ago I took a look at ssh and thought it would have lots of problems (kludgy, lots of complex features stuffed into one binary). The "Sendmail" of remote admin.

The past years have vindicated my decision many times over.

Sure stunnel and openssl have had some problems too, but as long as the stunnel people don't try to stuff tons of features in, it'll still be much better than ssh securitywise.

You could try vnc over stunnel if you really need GUIs.

Cheerio,
Link.

How soon until djbssh?

[GregGardner]

I can't wait until djb decides to write his own ssh. You can say what you want about djb and his personality, but he does know how to write some secure software. Sure, it's not the easiest thing to install and you have to create a boatload of users, but privilege separation has been in qmail since 1.0.0. Theo is getting around to it in v3.3? Never heard of any root compromises from qmail or djbdns. So hopefully this latest hole in OpenSSH has annoyed djb to the point of rolling his own.

Re:How soon until djbssh?

[GregGardner]

Security is not everything in software you know...

It is in a product called Open Secure Shell.

telnet+SSL+certs

[TheLink]

if you don't need all the features of SSH, try telnet+SSL+certs

It's likely to be safer.

I've been using stunnel+telnet for years and I have had to patch/upgrade a lot fewer times than people using SSH.

Cheerio,
Link.

Re:telnet+SSL+certs

[Zaffle]

I've been using stunnel+telnet for years and I have had to patch/upgrade a lot fewer times than people using SSH.

Hmmm, funny, IIRC (if I recall correctly), this is the first time an upgrade of OpenSSH has been required. Sure, upgrades are always around for fixing various bugs, but this is the first remote security hole bug.

(Ok, now I think about it, there was that Linux local root comprimise w/ openssh, but that wasn't remote, and afaik, linux only).

Although telnet+SSL+certs can be safer, it requires a lot more setup and general maintaince.

The most secure box is the one under my couch. Its got no screen, no keyboard, no floppy, no network, and its OFF!

Red Hat too?!

[alienmole]

My SSH config on Red Hat 7.2 has exactly the same comment and setting you quoted, with challenge/response set to no. I can't remember now how I installed SSHD originally, though, i.e. whether I downloaded a newer version or used the one on the Red Hat CDs.

Fuck it.

[xmutex]

I'm going back to telnetd and blind optimism.

This all could have been avoided...

[chrsbrwn]

Meaning this brouhaha, of course...

Just to combat some of the misinformation that has been spreading around here:

• privsep is not a "new" feature... it has been available since OpenSSH 3.1p was released, almost 2 months ago. In that two months none of the various vendors and users who are whinging now appear to have bothered to help the openssh team test the privsep code and develop patches to make it work better.
• With privsep enabled, this hole, and any future root hole are made much more difficult, sometimes even impossible, to exploit. Privilege separation is just the right way to code network daemons -- postfix does it, apache does it, courier imap does it, qmail does it -- and now, openssh does it. It is a bit more complicated for openssh to do it because it needs to interface directly with some operating system facilities like authentication, PAM, etc that require root privileges.
• I installed 3.3p yesterday on all of my network facing systems, and will be upgrading to 3.4 as soon as Debian has it available -- I firmly believe in the concept of privilege separation, and will always seek out network daemons that use it.
• I thank the Debian team, OpenBSD/OpenSSH teams, Wietse Venema and the rest of the Postfix hackers, the mailman team, the GNU project, all the Linux kernel hackers, and anybody else who has contributed free software that I rely on to do my job for making my job as a sysadmin smoother than it might otherwise be. I know the alternative, because I am also responsible for an Exchange server, and I spend far more time patching that and making sure it is up to date than I do with any of my Debian servers.

Don't complain too much folks... you could have to do without a robust free ssh implementation.

Difference between Theo and the Borg

[bee]

The difference here is:

1) The problem was fixed in a couple of days

2) The upgrade was free

3) This is the first serious security hole OpenBSD has had in nearly 6 years.

For extra credit, compute the following: average number of days between disclosure and fix, times the cost of the upgrade that gives it to you, times the number of remote-root-level security exploits in your average BorgOS over 6 years.

Re:still getting buffer overflows huh?

[gorilla]

There are lots of people who would prefer not to program in C or C++, but find that all the alternatives have drawbacks, including a lack of avilable enviroments for all platforms. Chip Salzenberg's comments on the language selection for the failed Topaz project are very interesting.

What is wrong with this picture

[nelsonb]

What the hell is wrong with the people at ISS? This is the second "incident" in as many weeks. The message from the Theo at OpenSSH and other Linux Vendors said the info AND the realfix would be released early next week. This certainly seemed like a very responsible method of alerting people. Give everyone a week to upgrade to 3.3 and enable an option that could help mitigate any potential damage and then release a fixed version of the program and the full details. This gives large production houses enough time to get the new version/config through change control and even gives admins who don't read bugtraq lists time enough to hear about throughanother channel. Everything was working out pretty well and ISS has to go and screw up a pretty good plan. Does ISS have a problem with queued up advisories and techs with itchy trigger fingers? Does Time some how run differently in Atlanta? I guess another lame self-justification will be forthcoming from ISS, but there is no excuse for this. What about the little people? Were you in such a hurry to get your X-Press Update advertisement out that you don't even consider the ultimate end-user? Is it so easy to forget that not everyone is in organizations that discover or releases 0-day info amongst themselves? Most administrators don't read bugtraq, and those thatdo received a polite, clear note from Theo:

Monday, June 24, 2002 11:22 PM

There is an upcoming OpenSSH vulnerability that we're working on with ISS.
Details will be published early next week.
....etc etc etc

Now ISS has up'd the ante and released it justa day and a half later. 1 and 1/2 days isn't a lot to verify that a production environment will not be adversely effected byANY new/changed element. So it would seem that "working with ISS on this issue"is synonymous"we are waiting to get blindsided". This also leads into another interesting issue. Why did ISS's reckless announcement take minutes to get through bugtraq and the OpenSSH's initial, responsible warning take 24+ hours to process? I can plainly see that Theo's letter was sent on Monday but for some reason only gets here today. I know that SMTP mail is slow..but I don't thinkmy server isTHAT slow. Fortunately, it showed up on the vuln-watch list as well and we were able to help spread the word.

> X-Force is aware of active exploit development forthis vulnerability.

I don't know if I really even believe you on this certainlyyour recent actions are not that of a company that seeks to garner trust. Of course the minute anyone suggests there is a problem with product XYZ, thousands of bored people are going to start poking around "actively" trying to develop an exploit! But blind testing from scratch would certainly have taken longer than the proposed "quiet week" before publishing details.So, lets suppose it was a more informed testing. So who knew enough about this to let it out? ISS and the OpenSSH dev team. One is made up of hard working developers who love aprogram enough give their time away to make a really great product. The other is composed of people who routinely socialize with the underground "active exploit development" community. In my opinion, at least one side would have absolutelyno motive leak their information. So I propose: A: Your analysis of the exploit development process was faulty B: there was no active development for an exploit, and you released the info for your own good.C. Someone's teamis leaking information.

In any event, there no need for any furtherunderground exploit "R&D"; everyone now has the diff blueprints to get directly to the end goal. Granted, there are people out there intelligent enough totake the time find the issue and to code an exploit without this knowledge. But these type of people wouldn't likely release it to the general populace, instead it would be used for select targets. Targets that would most likely already have security teams in placeand be up on warnings and patches. Instead we have a patch diffs in the hands of everybody and now lower skilled programmers can code the exploit. These people will spread the exploit far and wide simply for fame; only this time the targets will be everyone.

No one wins with this route you have chosen ISS. You and your X-force team used to be a respected group in my book. In the past they have provided valuable information to the security community and helped companies across the world to better secure themselves, but the handling of this and the Apache vulnerabilities are shining examples of how NOT to do things. So much for ISS being a "Trusted" center of knowledge. Trust and honor are coins you can only spend once.

Nelson Bunker, CISSP VP of Security Critical Watch The opinions expressed in this advisory and program are my own and not of any company. The big print giveth, the little print taketh away

Re:What is wrong with this picture

[Todd+Knarr]

Actually, I know what's wrong. Theo's notice was basically "There's a hole, wait until we release a new version and then do a major version upgrade in a hurry.". ISS's notice was "Here's the hole, here's the way to close it in your existing software.". I'd rather Theo have told everybody the simple way to close the hole right off, rather than leaving everyone hanging.

Re:A Question

[John+Hasler]

So how long did it take you to find the bug? And why didn't you tell us about it?

Much easier to do this on RedHat 6.2...

[emil]

...rather than rebuilding. Generating new RPMs for 6.2 is a total nightmare.

Re:Much easier to do this on RedHat 6.2...

[emil]

Exactly - RH62 requires an older OpenSSL for rpm dependence, but you have to install a newer version to get the SRPM to compile, which means temporarily removing the older OpenSSL RPM.

After you've built the RPMs, you remove the newer OpenSSH, put back the old one, and then when you try to install the OpenSSH RPMs you've built, rpm complains about OpenSSH dependencies, forcing an override with --force (or --nodeps, I can't remember).

I think 6.2 is still alive enough to warrant binaries at openssh.com. This is exactly the sort of thing that my Debian friends say is totally solved by apt.

CERT Advisory.

[hearingaid]

There's a full CERT advisory on the OpenSSH bug and the implications for your particular platform. Sysadmins, read it. Of course, you prolly all got it in your email like me, right? :)

ftp.openssh.org is getting hammered right now... sigh.

bitch, bitch, bitch

[Erris]

And now to add insult to injury, the 3.3 I installed yesterday has a new different buffer overflow, so I have to jump to 3.4 now (does it have any new bugs too?)...

Can someone please explain why this vulnerability was handled this way? Why wasn't there a maintainance release that just fixed the @#$@#% problem?

On the other hand, I charge by the hour when I upgrade my client's machines. So thanks Theo! $-)

Why don't YOU make a fix and give it away? How about a whole OS? Oh, I see, so shut up.

Re:My complaint

[Mr_Silver]

My complaint is that they forced everyone to upgrade to 3.3

They did? Are you saying that someone physically came around to your house, put a gun to your head and forced you to upgrade?

If not (and I suspect not) then you weren't forced to do anything.

Even worse than that

[sjames]

Hmm... "There's a problem, we won't tell you what it is, but if you upgrade to the newest version, it will go away, plus you'll get nifty new features along with it!" Where have I heard that before?

The worst part is that many who upgraded (Anyone using Debian Potato for instance) actually BECAME vulnerable to at least a non-root exploit by upgrading where the old 1.2.3 version they were using didn't have the hole at all.

While I understand that full disclosure before a fix is available can be a bad thing, leading people to break their systems AND become vulnerable to the exploit when a simple configuration change could have protected the vast majority of users is far worse.

I would think that full disclosure to maintainers is a MUST.