Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Vulnerabilities in Portable OpenSSH

Posted by michael on from the will-get-it-right-eventually dept.

An anonymous reader writes "The OpenSSH team has uncovered multiple exploitable vulnerabilities in the days-old portable release of OpenSSH. That's right folks: time to patch *again*. 3.7.1p2 is now available. Instructions and mirror list here. Please note that this vulnerability only affects *portable* OpenSSH--so if you are running OpenBSD, you're safe. This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file. Info on the advisory here and here."

21 of 324 comments (clear)

  1. Non-standard configuration by grub · · Score: 5, Informative


    From the article: At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled)

    Priviledge Separation saves the day again. I think this is a testament to the forward thinking of the OpenBSD and OpenSSH people: they know that human error introduces potentially exploitable bugs, hence the work that went into PrivSep to minimize the risk.

    "The lengths some people will goto to try and damage Theo's pride" Most moronic submitter comment ever.

    --
    Trolling is a art,
    1. Re:Non-standard configuration by Oestergaard · · Score: 2, Informative

      Unfortunately, privilege separation does not work with with OPIE, the one-time password system.

      So either you run privsep, or you run OTP.

      Without OTP, you'd be crazy to log on to your ssh box from anything but a trusted terminal (e.g. your office workstation or your personal laptop). Without OTP, you cannot log on from a net cafe or anything like that, if you're just slightly security concious.

      So I'm stuck with privsep and no OTP on some machines, and OTP without privsep on another (which I need to be able to log on to from untrusted terminals).

      It sucks, but it's the best we have for now, it seems.

      I do look forward to finally getting that 2.6 SELinux toy box set up ;)

    2. Re:Non-standard configuration by Oestergaard · · Score: 2, Informative

      Interesting.

      Is that using PAM?

      My box is on Debian 3.0 - the explanation I saw at that time was that the combination of PAM and the extra OPIE password query wouldn't work with privsep because of some too simplified assumptions in SSH/privsep about what would be asked by the system and what would be submitted by the user.

      Or something like that. I set it up half a year ago and to be honest I don't remember the details - I just remember that at that time OPIE+privsep was a no-go, at least on a Debian box with PAM.

      It sounded like it was something that could be fixed fairly easily - I was lazy and didn't bother to try doing that myself, and just went with no privsep to get a working setup. I suppose someone could have fixed whatever the problem was, in the mean time. Or maybe the problem somehow exists on Debian and not on NetBSD - I'm sure there is a reasonable explanation somewhere ;)

      Thanks for letting me know. I should check up on it.

  2. PAM is not in by default by Anonymous Coward · · Score: 4, Informative

    Before we all panic, note that PAM is not in the default build.

    It's also not in slackware builds (thanks Patrick).

  3. Re:I don't understand by SwansonMarpalum · · Score: 3, Informative

    Portable OpenSSH refers to OpenSSH running on some system which is not OpenBSD

    --
    "Give away the stone, let the oceans take and transmutate this cold and faded anchor." - Maynard James Keenan
  4. Re:I don't understand by Compenguin · · Score: 4, Informative

    From the portable openssh website:
    "Normal OpenSSH development produces a very small, secure, and easy to maintain version for the OpenBSD project. The OpenSSH Portability Team takes that pure version and adds portability code so that OpenSSH can run on many other operating systems (Unfortunately, in particular since OpenSSH does authentication, it runs into a *lot* of differences between Unix operating systems)."

  5. Re:I don't understand by V.+Mole · · Score: 3, Informative

    OpenSSH is OpenBSD specific. "Portable SSH" is what everybody else uses. In other words, the OpenBSD developers (quite reasonably) don't spend any effort making SSH portable off of OpenBSD, and sometimes use OpenBSD specific functions. Other people then spend the time/effort to make run on Linux, etc. There are features (such as, presumably, PAM support) that are not in the core OpenBSD version.

  6. Re:A better solution by Anonymous Coward · · Score: 1, Informative

    What, you mean the same lsh that was just exploited two days ago?

    Frankly, I think you'd have better luck searching the web for 'ssh'.

  7. OpenSSH in RedHat 9 and others by avij · · Score: 5, Informative

    The RH-supplied latest OpenSSH (3.5p1-11) doesn't seem to accept the "UsePam no" directive that was suggested as a workaround, so if you go ahead and add that line to your /etc/ssh/sshd_config and say "service sshd restart", SSH will complain about an invalid configuration option and refuse to start. Just for your information..

    --

    Follow your Euro bills at EBT
    1. Re:OpenSSH in RedHat 9 and others by ZerothAngel · · Score: 3, Informative

      Well, the advisory states that "Older versions of portable OpenSSH are not vulnerable." So it's probably not much of a worry anyway.

    2. Re:OpenSSH in RedHat 9 and others by virtual_mps · · Score: 4, Informative

      More importantly, the problem only affects OpenSSH 3.7p and 3.7.1p, so adding "UsePam no" to a 3.5p installation is unnecessary.

    3. Re:OpenSSH in RedHat 9 and others by Eric+Seppanen · · Score: 3, Informative

      According to Redhat Bugzilla bug 104917, Red Hat has never shipped openssh 3.7, so they're not vulnerable to this. No workaround or fix is needed.

      --
      314-15-9265
  8. Re:A solution? Read advisory by Anonymous Coward · · Score: 1, Informative

    Advisory

    Subject: Portable OpenSSH Security Advisory: sshpam.adv

    This document can be found at: http://www.openssh.com/txt/sshpam.adv

    1. Versions affected:

    Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
    vulnerabilities in the new PAM code. At least one of these bugs
    is remotely exploitable (under a non-standard configuration,
    with privsep disabled).

    The OpenBSD releases of OpenSSH do not contain this code and
    are not vulnerable. Older versions of portable OpenSSH are not
    vulnerable.

    2. Solution:

    Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
    support ("UsePam no" in sshd_config).

    Due to complexity, inconsistencies in the specification and
    differences between vendors' PAM implementations we recommend
    that PAM be left disabled in sshd_config unless there is a need
    for its use. Sites only using public key or simple password
    authentication usually have little need to enable PAM support.

  9. RedHat boxes are safe by menscher · · Score: 4, Informative

    Just to alleviate some of the panic, RedHat boxes are safe.

    1. Re:RedHat boxes are safe by Jhon · · Score: 2, Informative

      Is that accurate? I read that as saying "With the version shipped with RH and RH Enterprise" -- which is an OLDER version. Doesn't that mean that if an RH user has updated SSH to a newer version, they are vulnerable?

  10. Re:Is the default config file safe? by Ratcrow · · Score: 4, Informative

    No!

    From the top of sshd_config:

    "The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible, but leave them commented. Uncommented options change a default value."

    In other words, simply uncommenting the line changes nothing -- the default is shown commented. For the SRPMS of OpenSSH-3.7p1, UsePAM is set to Yes.

  11. RPM's for Red Hat 7.2, 7.3 and 8.0 by corz · · Score: 2, Informative
    I created these a little earlier today:

    http://projects.standblue.net/rpms/openssh/3.7.1p2 /

    Enjoy.

  12. More fixes than PAM by Soft · · Score: 3, Informative
    According to the Changelog:
    - markus@cvs.openbsd.org 2003/09/18 08:49:45
    [deattack.c misc.c session.c ssh-agent.c]
    more buffer allocation fixes; from Solar Designer; CAN-2003-0682;
    it would seem that in addition to the PAM patch, there are more buffer management-related fixes which didn't find their way into 3.7.1p1 but prompted Debian to make a third update to ssh. One may want to update even on OpenBSD or with PAM disabled.
  13. Re:JEBUS by Ed+Avis · · Score: 3, Informative

    One of the principles behind OpenBSD (and therefore OpenSSH) is full disclosure of security vulnerability. They don't want to lie about how secure the software is or try to conceal things from you. Therefore the vulnerability reports (and fixes) are published as soon as possible. In practice, I think they do wait to have a patched version before announcing the bug.

    --
    -- Ed Avis ed@membled.com
  14. To repeat a post above... by Paulo · · Score: 2, Informative

    Nimda:
    Patch Released: August 15, 2001
    Major Exploit Starts: September 18, 2001

    SQL Slammer Worm:
    Patch Released: July 24, 2002
    Major Exploit Starts: January 25, 2003

    MS Blaster Worm:
    Patch Released: July 16, 2003
    Patch Released: August 11, 2003

    So, how was this about "ignoring the problem" again?

  15. Re:Time for a new spin on security practices? by Short+Circuit · · Score: 2, Informative

    Sure, dependencies can be an issue. But saying that upgrading and patching *nix platforms does not produce any mind-numbing dependency issues is simply a self delusion.

    I used to run Debian Woody (stable). At the cost of not getting the latest features, I got all the stability I could ask for, with all of the security patches backported. Now I run Debian Sid (unstable), which tends to have dependency problems, but I at least have control over them. And if worse comes to worst, I can install the patches personally.

    --
    tasks(723) drafts(105) languages(484) examples(29106)