Slashdot Mirror


New FreeBSD, NetBSD Security Advisories

Dan writes "FreeBSD has formally announced a security advisory entitled "OpenSSH buffer management error" for the now famous OpenSSH advisory (OpenSSH has released a new version 3.7.1 to address this issue). NetBSD has issued a similar advisory and fix for this issue. NetBSD has released two additional security advisories entitled "Kernel memory disclosure via ibcs2" and "Insufficient argument checking in sysctl(2)"."

71 comments

  1. Patches vs. Fixes by Dancin_Santa · · Score: 5, Interesting

    If you ever take a look at the patched code for one of these security advisories, you mainly see some special case code stuck in there to patch up the problem. You never see a reconsideration of the problem. I wonder how long it takes to go from a release version through patch after patch until a piece of code is just old and crufty and in need of wholesale replacement.

    1. Re:Patches vs. Fixes by Horny+Smurf · · Score: 4, Informative

      In this case, the problem was a bug rather than a design issue, so a 3-line code change is appropriate. I do agree that there are a lot of "special case" "fixes" that try to hide fundamental problems.

    2. Re:Patches vs. Fixes by Anonymous Coward · · Score: 4, Insightful

      > If you ever take a look at the patched code for one of these security advisories, you mainly see some special case code stuck in there to patch up the problem.

      If you ever take a look at the actual *problem*, you'll find that they are usually just buffer overflows or other unchecked data, in which case 'some special case code' is the only appropriate course of action.

    3. Re:Patches vs. Fixes by Anonymous Coward · · Score: 0
      Fact: *BSD is dying

      Indeed, it is common knowledge that *BSD is dying. Yes, ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The loss of user base for FreeBSD continues in a head spinning downward spiral.

      OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

      Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

      All major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.

      Fact: *BSD is dying

  2. I'll tell you what's REAL BSD news by Anonymous Coward · · Score: 5, Funny

    The first comment on a BSD story wasn't a BSD troll; now that, my friends, is news for nerds, stuff that matters.

  3. OS X by Zelet · · Score: 4, Interesting

    Does this affect OS X's implementation of SSHD? So far Apple has not released a patch.

    --
    ...And when they came for me, there was no one left to speak out for me." - Martin Niemoeller (1892-1984)
    1. Re:OS X by dthable · · Score: 5, Informative
      I'm running 10.2.6 and I have OpenSSH 3.4p1. So yes, we are at risk.

      Check your system. In terminal type:
      sshd -v
    2. Re:OS X by endx7 · · Score: 1

      The lazy answer is, does Mac OS X use openssh? If so, then it most likely would (since as far as I can tell, this is an openssh-only problem).

    3. Re:OS X by dthable · · Score: 1

      It does use OpenSSH, but the desktop version has it disabled by default. If you really wanted to, you can grab the code, compile and install it yourself.

    4. Re:OS X by Anonymous Coward · · Score: 0

      Or use Fink?

  4. Just Remember by rudy_wayne · · Score: 1, Insightful

    Having to fix a security flaw in a closed source program is proof that closed source is bad. Fixing a security flaw in an open source program is proof that open source is good.

    1. Re:Just Remember by Anonymous Coward · · Score: 0

      > Having to fix a security flaw in a closed source program is proof that closed source is bad. Fixing a security flaw in an open source program is proof that open source is good.

      Let's restate this a bit more completely and accurately:

      Having to completely depend on a vendor to fix a security flaw in a closed source program is proof that closed source is bad.

      The ability to hire a consultant, or use in-house staff to start fixing a security flaw in an open source program is proof that open source is good.

  5. deceit. by Anonymous Coward · · Score: 0

    Only one remote hole in the default install, in more than 7 years! [openbsd.org]

    Oops!

    Given that the default install has ssh turned on, will they change it to "two remote holes" ?

    How much do you want to bet they'll just sweep it under the carpet and hope people forget? If you follow misc@ carefully you have probably seen it done before. Let's make some noise and force Theo to finally update that!

    1. Re:deceit. by zulux · · Score: 4, Informative

      > Given that the default install has ssh turned on, will they change it to "two remote holes" ?

      If you look carefully at the bug - at first glance, it looks like when SSHD faults out, some extra memory will be wiped with nulls.

      Perhaps there's more to this, but basically what is going on:

      SSHD needs more memory.
      Memory counter is added to.
      Memory is allocated.
      Repeat (until memory allocation fails)

      then...

      Because SSHD needs to wipe all its memory to null so no crypto stuff is left lying around, all the memory pointed to by the memory counter is wiped. But unfortunately some of that memory doesn't belong to SSHD because the memory allocation failed.

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
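
The ordering problem described in the comment above, as an added C sketch that is not part of the original post and is not OpenSSH source. The `Buffer` type, the function names and the failure-injection switch are hypothetical, and the `owned` field exists only so the sketch can measure the mismatch without touching memory it does not own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a daemon's growable buffer; not OpenSSH source. */
typedef struct {
    unsigned char *buf;
    size_t alloc;   /* size the cleanup code trusts when wiping */
    size_t owned;   /* ground truth: bytes really allocated (demo only) */
} Buffer;
static int fail_next_alloc = 0;   /* constructed failure injection */
static void *try_realloc(void *p, size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return realloc(p, n);
}

/* Flawed order: the counter grows before the allocation is known to succeed. */
int grow_counter_first(Buffer *b, size_t extra) {
    b->alloc += extra;
    void *p = try_realloc(b->buf, b->alloc);
    if (p == NULL) return -1;     /* alloc now overstates the real size */
    b->buf = p; b->owned = b->alloc;
    return 0;
}

/* Corrected order: compute the new size, allocate, then commit the counter. */
int grow_alloc_first(Buffer *b, size_t extra) {
    size_t newlen = b->alloc + extra;
    if (newlen < b->alloc) return -1;      /* size_t wrap-around */
    void *p = try_realloc(b->buf, newlen);
    if (p == NULL) return -1;     /* counter untouched on failure */
    b->buf = p; b->alloc = newlen; b->owned = newlen;
    return 0;
}

/* Bytes a "zero everything up to alloc" cleanup would touch past the block. */
size_t wipe_overrun(const Buffer *b) { return b->alloc - b->owned; }
/* Grow to 64 bytes, fail a 4096-byte growth, and report the overrun. */
size_t overrun_after_failed_growth(int (*grow)(Buffer *, size_t)) {
    Buffer b = {NULL, 0, 0};
    grow(&b, 64);
    fail_next_alloc = 1;
    grow(&b, 4096);
    size_t over = wipe_overrun(&b);
    if (b.buf) memset(b.buf, 0, b.owned);  /* wipe only what is owned */
    free(b.buf);
    return over;
}

int main(void) {
    printf("counter first: %zu bytes past the block\n",
           overrun_after_failed_growth(grow_counter_first));
    printf("alloc first:   %zu bytes past the block\n",
           overrun_after_failed_growth(grow_alloc_first));
    return 0;
}
```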

    2. Re:deceit. by sirket · · Score: 2, Insightful

      This isn't a hole on OpenBSD. According to Theo this can only crash SSHD, not give access.

      -sirket

    3. Re:deceit. by Anonymous Coward · · Score: 1, Insightful

      If someone could get remote access to an OpenBSD system but the only thing they could do was shut down a service (let's say SSHD) I'd have to think that would be considered a hole.

      But if someone can just crash it remotely without even getting to a shell it's not a hole? That doesn't make sense to me.

      I run OpenBSD on a home made firewall at home and I love it as much as the next guy, but I don't see how this can't be considered a hole.

    4. Re:deceit. by R.Caley · · Score: 2, Interesting
      > [...]But if someone can just crash it remotely without even getting to a shell it's not a hole? That doesn't make sense to me.

      The difference is that if they could get even a very limited shell, that would turn all the local exploit bugs into potential remote exploit holes. That is clearly an order of magnitude more dangerous than a simple DOS.

      So, I think it makes sense to distinguish between the two cases, though I think just talking about `holes' is silly. Didn't they used to have `remote root exploit' or similar wording in there? Perhaps the PHBs didn't understand.

      --
      _O_
      .|<
      The named which can be named is not the true named
    5. Re:deceit. by pooh666 · · Score: 1

      You can get your ass dos attacked, or you could get a dos attack your DNS servers and no one has to log in. Your logic is very weak.

    6. Re:deceit. by tedu · · Score: 1

      you can crash *your* sshd on the server. not the parent. so your connection closes, and everyone else's stays there, and the parent keeps listening for more.

    7. Re:deceit. by Anonymous Coward · · Score: 0

      And you forget two vulnerabilities in DNS resolver and one in the SSH client. That makes 4 holes in OpenBSD default install, if you count only one hole for the latest OpenSSH hole... there have been many patches.

    8. Re:deceit. by Anonymous Coward · · Score: 0

      sorry Darren, not today

  6. Old by OpperNerd · · Score: 0

    This advisory was sent out almost 24 hours ago, so what's the news?

    From: FreeBSD Security Advisories
    Date: Tue Sep 16, 2003 20:17:01 Europe/Amsterdam
    To: FreeBSD Security Advisories
    Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

    --
    -- unix is for people without a social life - Patrick van Eijk
  7. So what? by pbrammer · · Score: 2, Informative

    All of the other vendors released similar bulletins... Most of them questioned the validity of this hole, but to be safe, they issued these notes to their customers to update OpenSSH. I know RedHat and Mandrake did.

    Phil

    1. Re:So what? by MavEtJu · · Score: 2, Insightful

      It wasn't so much an exploit but more a denial of service.

      If there is a way for third parties to disable a service running on my computer, yes I would like to be informed by it :-)

      --
      bash$ :(){ :|:&};:
    2. Re:So what? by Anonymous Coward · · Score: 0

      nothing important happens in the bsd world

  8. linux sucks donkey dick by Horny+Smurf · · Score: 1
    I downloaded the OpenSSH 3.6 port for FreeBSD last night. It included the buffer overflow fix (which confused me, since I was planning on doing the patching myself :)

    Of course, it installed sshd in /usr/local/sbin... sshd 2.9 (I think) was still located in /usr/sbin.

    1. Re:linux sucks donkey dick by akharon · · Score: 1

      put
      OPENSSH_OVERWRITE_BASE= true
      in your /etc/rc.conf. I'll leave it to you to figure out what that does to the port...

    2. Re:linux sucks donkey dick by Not_Wiggins · · Score: 1

      It also creates a startup file in /usr/local/etc/rc.d for you to use, if you wish.

      No biggie... just disable the default invocation and rename the sshd.sh.example script in the above directory to sshd.sh.

      What *I* found a little confusing is that everything I read stated I should be using 3.7.1, but they're providing a patched version of 3.6.1. 8/

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    3. Re:linux sucks donkey dick by MavEtJu · · Score: 1

      > in your /etc/rc.conf

      Make that /etc/make.conf

      --
      bash$ :(){ :|:&};:
    4. Re:linux sucks donkey dick by cozman69 · · Score: 0

      Please make sure to mention that the variable only works with /usr/ports/security/openssh-portable .. and that it won't work with /usr/ports/security/openssh.

      Also, you may want to add NO_OPENSSH=true to your /etc/make.conf so that the base openssh doesn't get built and installed when you do a make buildworld.

  9. Also remember by BoomerSooner · · Score: 1, Insightful

    It is significantly easier for hackers to find exploits in programs that come with the source. This vulnerability could have been exploited for 6 months or more. Being closed source has nothing to do with being able to fix security flaws. It does however mean that only the company/person who has the code can fix it.

    There are security flaws in all software (maybe with the exception of Hello, World!), this has nothing to do with the availability of the source.

    1. Re:Also remember by Anonymous Coward · · Score: 0

      This is MAJOR apples and oranges shit, hmm I might crash ssh, vs I might have someone LOGGING into my computer. Which is worse?

      And which is worse? A fundamental flaw that never goes away entirely, or a very hard to exploit flaw that is never the same flaw anyway?

  10. Actual Question... by agent+dero · · Score: 1

    I was having problems the day before last, and I updated the SSH program to OpenSSH to fix some other problems, how might I find out if the version I installed had the fixer-upper in it? (and not by getting hacked :-p)

    --
    Error 407 - No creative sig found
    1. Re:Actual Question... by Anonymous Coward · · Score: 0

      Post your IP address - I'll tell you...

  11. Hey give us trolls a chance by Anonymous Coward · · Score: 3, Funny

    We only come out at night...

  12. for FreeBSD 4.8 by ubiquitin · · Score: 1

    Hi there fellow slashdaughters, this got me upgraded:

    ./configure --prefix=/opt --sysconfdir=/etc/ssh
    make
    make install

    use ps -aux to find the ##### of the process of sshd.

    kill -HUP #####



    Anyone who reboots to accomplish this upgrade shouldn't be a sysadmin. Have fun!

    --
    http://tinyurl.com/4ny52
    1. Re:for FreeBSD 4.8 by MavEtJu · · Score: 4, Funny

      Congratulations, you have just let your old sshd reread its configuration instead of stopping it and starting the new one.

      --
      bash$ :(){ :|:&};:
    2. Re:for FreeBSD 4.8 by Anonymous Coward · · Score: 0

      Actually no, that does kill the old ssh and starts the new one provided you install the new one to the same path as the old.

    3. Re:for FreeBSD 4.8 by ubiquitin · · Score: 1

      Not sure why your comment got moderated up so high, since it might confuse people. Something not mentioned in the parent post that might make things a little clearer is that you'll want to replace the prefix path:
      --prefix=/opt
      with whatever is appropriate for your setup. Do a which sshd to find out where your sshd has been installed. What I ended up using on my FreeBSD 4.8 box was actually --prefix=/usr

      Last but not least, if you've done much lock-down or modifications to your sshd_conf, you'd actually want to be using the original configuration instead of a new default one. Hope that helps.

      --
      http://tinyurl.com/4ny52
    4. Re:for FreeBSD 4.8 by Shanep · · Score: 1

      > Not sure why your comment got moderated up so high, since it might confuse people.

      I think he is referring to the kill -HUP #####

      Which will send the currently running ssh daemon the hangup signal, instructing it to re-read its configuration.

      I think it is you who will be doing the confusing.

      > Anyone who reboots to accomplish this upgrade shouldn't be a sysadmin.

      What an absolutely absurd statement. I bet you've just recently figured that you can upgrade a daemon without rebooting, so anyone who upgrades one and reboots cannot be as good as you?

      Grow up.

      BTW, if you kindly give me your IP address, I will gladly (from one friendly BSD user to another) provide you with a security audit free of charge. I'm sure with your leet skillz, I will be able to give you a glowing report. (psstt, hey, I'll give you a tip first, kill and restart your sshd properly before you give me that IP! If you can't figure out how to do that, just give your machine a reboot).

      Wanker.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    5. Re:for FreeBSD 4.8 by Shanep · · Score: 1

      > Which will send the currently running ssh daemon the hangup signal, instructing it to re-read its configuration.

      Since processes decide themselves what they should do with a hangup signal, in this case I am wrong...

      http://www.openbsd.org/cgi-bin/man.cgi?query=sshd

      Your attitude still needs some adjustment though.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    6. Re:for FreeBSD 4.8 by Anonymous Coward · · Score: 0

      OpenSSH will treat the -HUP as a restart. Try reading the man page before you open your crap-catcher.

  13. stop this by meshko · · Score: 1

    I can't stand it when Dan posts stories about FreeBSD with links to his bsdforums site. This is so useless. The link should go to the mailing list archive or a web site with the advisory, not to the discussion of it on your site.
    Dan, please don't do it! Please! It looks really bad.

    --
    I passed the Turing test.
  14. Copy/Paste Trolls by nurb432 · · Score: 1

    Gotta love them, zero originality.

    --
    ---- Booth was a patriot ----
    1. Re:Copy/Paste Trolls by Anonymous Coward · · Score: 0

      and we all know that pointing this out time and time again will magically make them stop

  15. fucking well suck my hairy troll's cock.. by Anonymous Coward · · Score: 0

    there, that has to be original. Of course I hear that copy and paste doesn't work very well under *BSD.

    Troll out.

  16. hey darren by Triumph+The+Insult+C · · Score: 0, Troll

    you fucked up your license. get over it.

    seen the code to the exploit? i have. there is no exploit. funny that. it's a local system trojan. it doesn't do *ANYTHING* to sshd. it mails the ip and master.passwd to an email address. big fucking do.

    if you followed misc@, you'd know that too.

    --
    vodka, straight up, thank you!
  17. ESR rules by Anonymous Coward · · Score: 0

    BSD drools