Slashdot Mirror


New ssh Exploit in the Wild

veg writes "In the last few hours there have been several reports of a new ssh bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will go to to try and damage Theo's pride." Update: 09/17 00:24 GMT by T : friscolr writes "Hot on the heels of rev 1 of the buffer.adv advisory, here is revision 2, which fixes more than revision 1 did. Also see the 3.7.1 release notes."

16 of 754 comments

  1. GOOD!! Red Hat, fix your RPMs!! by RedHat Rocky · · Score: 5, Insightful

    Great, now maybe Redhat will fix their damn openssh RPMs that they fubarred with their last patch!

    --
    Anything is possible given time and money.
  2. Re:very early by NaugaHunter · · Score: 3, Insightful

    On the other hand, it's good to have the heads up if something might not be as secure as we think it is. This warning gives those who turn it on occasionally the knowledge they need to turn it off if not needed, and not just leave it on.

    It also may give those who need it on something to watch for until a patch does come out.

    --
    R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
  3. Re:very early by Kaa · · Score: 4, Insightful

    I appreciate it when Slashdot informs me of a patch I need to apply, but really, I'd rather hear about it once the exploit is actually understood and the patch is available.

    Really?

    How about hearing about it when you find your machines rooted?

    Even though there is no patch available (yet), this heads-up is extremely valuable, as it allows people who cannot afford to be compromised to shut down or appropriately filter SSH on their systems.

    --

    Kaa
    Kaa's Law: In any sufficiently large group of people most are idiots.
  4. Re:Update for debian by bartman · · Score: 5, Insightful

    Debian is absolutely amazing.

    bug 211205, which deals with this exploit, was resolved in 2h after the announcement. I had my box patched 15 min after the slashdot story hit.

    Really good stuff.

    --
    -- bartman
  5. For Gentoo by jehreg · · Score: 5, Insightful
    Just go to your net-misc/openssh directory:
    • cp openssh-3.6.1_p2.ebuild openssh-3.7_p1.ebuild
    • emerge --update openssh
    The emerge will fetch the file and complain that there is no digest.
    • ebuild openssh-3.7_p1.ebuild digest
    • emerge --update openssh
    Just tested it here, worked fine.
    Pat
  6. Right... by guinsu · · Score: 4, Insightful

    As opposed to the lengths people will go to to damage Microsoft? But that's ok, right?

  7. Re:very early by s.d. · · Score: 5, Insightful

    Even though there is no patch available (yet)

    There is a patch available, as well as it being fixed in 3.7, which was just released this morning. That's the point of all of this. The mention of the bug was in the 3.7 release notes, I believe.

  8. Why all the lsh plugs? by kakos · · Score: 5, Insightful

    It seems to me that a package that goes through code security audits regularly and is actually finished is infinitely more secure than an incomplete package?

    Why are there people suggesting to go from a secure package to an insecure one?

  9. Re:Coincidence, Or... by s.d. · · Score: 3, Insightful

    Why the conspiracy theory? Why isn't it possible that the bug had been identified, the developers decided it was enough of a reason to push a new release, and when the new release is pushed, with the reason being b/c of a bug that may or may not be exploitable. Then unsubstantiated rumors of exploits start floating around b/c of this.

    There isn't a grand conspiracy. It's just how people work. A person says something like, "So I heard that there is the possibility of an exploit due to a bug in OpenSSH they found." Someone overhears and turns around and tells the next person they see, "There's a hole in ssh that's exploitable!" and it takes off from there.

  10. Re:OpenSSH is big and fat by Tuck · · Score: 4, Insightful

    A significant number of changes in 3.7 are removals (Kerberos 4, Kerberos 5 in SSH1, AFS, Rhosts auth). Most people agree that simplicity is a wonderful goal... until that means dropping (or not including) the feature they need or want. Then simplicity versus functionality versus security becomes a balancing act.

    To put the size comment in perspective (this is 3.7p1 on Linux/x86):
    $ du -ks /usr/local/sbin/sshd /usr/local/bin/ssh
    272 /usr/local/sbin/sshd
    224 /usr/local/bin/ssh

    --
    $ find /pub -beer "James Squire Amber Ale" -drink
  11. The "Full Disclosure" message is stupid by JoeBuck · · Score: 4, Insightful

    It appears that the OpenSSH people found this bug first, and released a fix in version 3.7. People who studied this fix then found the exploit. So it's stupid for this guy to tell people "upgrade to lsh", since the whole reason his buds know about this bug is because 3.7 fixes it.

  12. Suggestions? by devphil · · Score: 4, Insightful
    Now we have a big and fat tool that can do nearly everything,

    That's right! It can form remote connections, and generate random keys, and... and... uh, well, that's about it, actually. Form connections, generate session keys.

    Public/private key generation? Different program. Managing keys on a local machine? Different program. Transferring files securely? Different (wrapper) program.

    It would have been a better idea to do a small diet and dis-integrate functions into different tools

    Got any concrete suggestions there? Exactly how would you divide the existing tools up? Precisely which tools would you create? In what ways -- details, now -- would they be different from the half-dozen programs that come with ssh now?

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  13. Re:Pot = Kettle = Black by ReelOddeeo · · Score: 3, Insightful

    Obviously the *NIX side of the world isn't bulletproof either. Now perhaps we might be spared (at least for a day or two) about the anti-M$ rants about insecure M$ code. It can happen, and it can happen regardless of OS platform.

    The MS rants are well deserved.

    While your statement that security bugs can happen on any platform is technically correct, unintended bugs are not the only thing that causes security problems. Both MS and *NIX can have unintentional bugs, which lead to security problems. In this case, MS should not be blamed for "insecure" code.

    Where the MS rants are well deserved is when a system is insecure by design. It may not have been a design goal, but the design can still be insecure. Just one past example: IIS runs under the SYSTEM account. It is installed by default and turned on by default. These kinds of problems deserve to be ranted about, and MS deserves the resulting reputation. Apache may or may not be installed and/or turned on by default, depending on distribution, but even if it could be compromised, it runs as "nobody" or "wwwrun" or some other unprivileged account.

    --

    Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
  14. Re:deceit by Anonymous Coward · · Score: 3, Insightful

    Amazing how a newsworthy point about an ssh bug becomes an attack on an entire operating system and/or person.

    "Given that the default install has ssh turned on, will they change it to "two remote holes" ?"

    Yes, if they confirm the exploit. They've changed this notice in the past. It went from 0 to 1.

    "Let's make some noise and force Theo to finally update that!"

    Why? Just to piss off the developers? The openssh code is open and subject to review by anyone.

    I think since you didn't catch this bug, we should all be asses and target you for harassment.

    "If you follow misc@ carefully you have probably seen it done before."

    Bullshit. If you follow misc@, most of the exploits discussed hit previous unpatched versions of OpenBSD. The point of OBSD is to catch bugs and bad code ahead of time; it undergoes near constant review.

    A lot of folks want OBSD to add to this count stuff OBSD noticed may have been exploitable, then patched it anyways, frequently weeks or months or years ahead of a known exploit. When the known exploit comes out, they point to the OBSD version 6 months ago.

    Exploits are counted that can violate current, stable systems, not OBSD 2.8.

    This is like blaming MS for the exploit that allowed slammer to spread; if people patched their systems when they were supposed to, they wouldn't have been inconvenienced. OTOH, MS should have caught the bug ahead of time.

    I feel OBSD falls into the latter category, not the former. They are more than likely ahead of the game. Given what I've seen of security reports on Linux and FreeBSD over the past 2 years, OBSD tends to play catchup in coming up with fixes. Rather, they tend to fight the tide that their "policy" in reporting exploits is wrong.

    Oddly, I think that is more a testament to them doing things right as opposed to your attitude that they are being purposefully deceitful.

  15. Re:Ermm.. can anyone say "Microsoft" by Overly Critical Guy · · Score: 4, Insightful

    No, it would still be an ssh vulnerability.

    Remember, we're supposed to separate the OS and the apps that have the holes...remember?

    Or are we still using the term "Windows hole" when referring to Outlook?

    --
    "Sufferin' succotash."
  16. Re:Mirror of the vulnerability description by Aardpig · · Score: 4, Insightful

    Why are they bothering with proper cleanup? This is FATAL CONDITION! ABANDON SHIP!

    Only guessing, but how about to ensure that the freed memory isn't handed over to a subsequently-run app, still stuffed full of cryptographically-sensitive information?

    --
    Tubal-Cain smokes the white owl.
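Wiping a buffer before it is released, the cleanup Aardpig's reply is defending, shown as an added example that is not from the post and not OpenSSH's own buffer code; the struct layout, the function names and the "constructed-session-key" bytes are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal byte buffer standing in for an ssh-style session buffer; written
 * for this example, not OpenSSH's own buffer code. */
struct buffer { unsigned char *buf; size_t alloc, len; };

/* Zero n bytes through a volatile pointer so the compiler cannot discard
 * the stores as dead just because the memory is freed right afterwards. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n-- > 0)
        *vp++ = 0;
}

/* Wipe the whole allocation, not just reset len: a bare len = 0 would
 * leave key material in memory for whoever gets that block next. */
void buffer_clear(struct buffer *b)
{
    secure_wipe(b->buf, b->alloc);
    b->len = 0;
}

/* Cleanup path: wipe before free, then drop the dangling pointer. */
void buffer_free(struct buffer *b)
{
    buffer_clear(b);
    free(b->buf);
    b->buf = NULL;
    b->alloc = 0;
}

/* Constructed scenario: stage fake key material, clear, and check that no
 * byte survived. Returns 1 when the wipe held, 0 otherwise. */
int wipe_demo(void)
{
    struct buffer b = { calloc(1, 32), 32, 0 };
    if (b.buf == NULL)
        return 0;
    memcpy(b.buf, "constructed-session-key", 23);   /* constructed secret */
    b.len = 23;
    buffer_clear(&b);
    unsigned char leaked = 0;
    for (size_t i = 0; i < b.alloc; i++)
        leaked |= b.buf[i];
    buffer_free(&b);
    return leaked == 0 && b.buf == NULL && b.alloc == 0;
}
```

The volatile store is what keeps a plain memset-then-free from being optimised away; that is the difference between a cleanup that looks right and one that actually clears the memory.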