Slashdot Mirror


New Vulnerabilities in Portable OpenSSH

An anonymous reader writes "The OpenSSH team has uncovered multiple exploitable vulnerabilities in the days-old portable release of OpenSSH. That's right folks: time to patch *again*. 3.7.1p2 is now available. Instructions and mirror list here. Please note that this vulnerability only affects *portable* OpenSSH--so if you are running OpenBSD, you're safe. This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file. Info on the advisory here and here."

13 of 324 comments

  1. Non-standard configuration by grub · · Score: 5, Informative


    From the article: At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled)

    Privilege Separation saves the day again. I think this is a testament to the forward thinking of the OpenBSD and OpenSSH people: they know that human error introduces potentially exploitable bugs, hence the work that went into PrivSep to minimize the risk.

    "The lengths some people will go to to try and damage Theo's pride" Most moronic submitter comment ever.

    --
    Trolling is a art,

  2. PAM is not in by default by Anonymous Coward · · Score: 4, Informative

    Before we all panic, note that PAM is not in the default build.

    It's also not in slackware builds (thanks Patrick).

  3. Re:I don't understand by SwansonMarpalum · · Score: 3, Informative

    Portable OpenSSH refers to OpenSSH running on some system which is not OpenBSD

    --
    "Give away the stone, let the oceans take and transmutate this cold and faded anchor." - Maynard James Keenan

  4. Re:I don't understand by Compenguin · · Score: 4, Informative

    From the portable openssh website:
    "Normal OpenSSH development produces a very small, secure, and easy to maintain version for the OpenBSD project. The OpenSSH Portability Team takes that pure version and adds portability code so that OpenSSH can run on many other operating systems (Unfortunately, in particular since OpenSSH does authentication, it runs into a *lot* of differences between Unix operating systems)."

  5. Re:I don't understand by V.+Mole · · Score: 3, Informative

    OpenSSH is OpenBSD specific. "Portable SSH" is what everybody else uses. In other words, the OpenBSD developers (quite reasonably) don't spend any effort making SSH portable off of OpenBSD, and sometimes use OpenBSD specific functions. Other people then spend the time/effort to make it run on Linux, etc. There are features (such as, presumably, PAM support) that are not in the core OpenBSD version.

  6. OpenSSH in RedHat 9 and others by avij · · Score: 5, Informative

    The RH-supplied latest OpenSSH (3.5p1-11) doesn't seem to accept the "UsePam no" directive that was suggested as a workaround, so if you go ahead and add that line to your /etc/ssh/sshd_config and say "service sshd restart", SSH will complain about an invalid configuration option and refuse to start. Just for your information.

    --

    Follow your Euro bills at EBT
    1. Re:OpenSSH in RedHat 9 and others by ZerothAngel · · Score: 3, Informative

      Well, the advisory states that "Older versions of portable OpenSSH are not vulnerable." So it's probably not much of a worry anyway.

    2. Re:OpenSSH in RedHat 9 and others by virtual_mps · · Score: 4, Informative

      More importantly, the problem only affects OpenSSH 3.7p and 3.7.1p, so adding "UsePam no" to a 3.5p installation is unnecessary.

    3. Re:OpenSSH in RedHat 9 and others by Eric+Seppanen · · Score: 3, Informative

      According to Redhat Bugzilla bug 104917, Red Hat has never shipped openssh 3.7, so they're not vulnerable to this. No workaround or fix is needed.

      --
      314-15-9265

  7. RedHat boxes are safe by menscher · · Score: 4, Informative

    Just to alleviate some of the panic, RedHat boxes are safe.

  8. Re:Is the default config file safe? by Ratcrow · · Score: 4, Informative

    No!

    From the top of sshd_config:

    "The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible, but leave them commented. Uncommented options change a default value."

    In other words, simply uncommenting the line changes nothing -- the default is shown commented. For the SRPMS of OpenSSH-3.7p1, UsePAM is set to Yes.
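    The two settings this thread keeps coming back to are privilege separation (comment 1: the remote bug needs privsep disabled) and UsePAM (comment 8: a commented line only documents the default, and only an uncommented directive changes it). The following audit script is an added example, not code from the thread or from the OpenSSH project. It reads an sshd_config, skips commented lines, honours sshd's first-occurrence-wins rule for duplicate keywords, and reports whether the *effective* configuration has privsep off or PAM on. The defaults table and the sample config are assumptions constructed for the example; check the defaults against the version you actually run.

```python
"""Effective-setting audit for an sshd_config file (added example).

Rules applied, taken from the thread:
  * a line beginning with '#' documents a default and changes nothing;
  * only an uncommented directive changes a setting;
  * sshd uses the FIRST occurrence of a keyword, later duplicates are ignored;
  * keywords are matched case-insensitively.
"""
import re

# ASSUMED upstream defaults for the two settings discussed in the thread.
# Distribution packages may ship different values (comment 8 notes the
# 3.7p1 SRPMS set UsePAM to yes), so pass your own table if needed.
DEFAULTS = {"useprivilegeseparation": "yes", "usepam": "no"}

# Constructed sample: commented defaults, one real UsePAM directive, and a
# duplicate further down that sshd would ignore.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
#UsePrivilegeSeparation yes
#UsePAM no
Port 22
UsePAM yes
usepam no
"""

_DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")


def parse_sshd_config(text):
    """Return {lowercase_keyword: value} for active (uncommented) directives.

    First occurrence wins, mirroring sshd's own behaviour.
    """
    active = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented: documents a default, changes nothing
        match = _DIRECTIVE.match(stripped)
        if not match:
            continue
        keyword = match.group(1).lower()
        active.setdefault(keyword, match.group(2).strip())
    return active


def effective_settings(text, defaults=DEFAULTS):
    """Merge active directives over the assumed defaults."""
    effective = dict(defaults)
    effective.update(parse_sshd_config(text))
    return effective


def audit(text, defaults=DEFAULTS):
    """Return findings relevant to the advisory discussed in the thread."""
    eff = effective_settings(text, defaults)
    findings = []
    if eff.get("useprivilegeseparation", "yes").lower() == "no":
        findings.append("UsePrivilegeSeparation no: non-standard; widens the "
                        "impact of any sshd bug")
    if eff.get("usepam", "no").lower() == "yes":
        findings.append("UsePAM yes: PAM code path active; set 'UsePAM no' "
                        "or upgrade to 3.7.1p2")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

    Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`. Note that the script checks what sshd would apply, not whether sshd accepts the keyword: as comment 6 observes, a build without PAM support rejects "UsePAM" outright, so pair this with `sshd -t` on the host.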

  9. More fixes than PAM by Soft · · Score: 3, Informative

    According to the Changelog:

    - markus@cvs.openbsd.org 2003/09/18 08:49:45
      [deattack.c misc.c session.c ssh-agent.c]
      more buffer allocation fixes; from Solar Designer; CAN-2003-0682;

    it would seem that in addition to the PAM patch, there are more buffer management-related fixes which didn't find their way into 3.7.1p1 but prompted Debian to make a third update to ssh. One may want to update even on OpenBSD or with PAM disabled.

  10. Re:JEBUS by Ed+Avis · · Score: 3, Informative

    One of the principles behind OpenBSD (and therefore OpenSSH) is full disclosure of security vulnerability. They don't want to lie about how secure the software is or try to conceal things from you. Therefore the vulnerability reports (and fixes) are published as soon as possible. In practice, I think they do wait to have a patched version before announcing the bug.

    --
    -- Ed Avis ed@membled.com