Slashdot Mirror


New Vulnerabilities in Portable OpenSSH

An anonymous reader writes "The OpenSSH team has uncovered multiple exploitable vulnerabilities in the days-old portable release of OpenSSH. That's right folks: time to patch *again*. 3.7.1p2 is now available. Instructions and mirror list here. Please note that this vulnerability only affects *portable* OpenSSH--so if you are running OpenBSD, you're safe. This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file. Info on the advisory here and here."


  1. Re:A solution? by Asgard · · Score: 3, Insightful

    Disabling PAM would only be a problem if you had only allowed PAM-specific authentication methods.

  2. Re:Non-standard configuration by Frymaster · · Score: 4, Insightful

    writers looking for a typewriter-with-memory would be better served by Notepad or the Mac equivalent.

    your belt may fail
    your suspenders may fail

    if you're really serious about keeping your pants up, use both!

    this is the theory of theo-n-the-openbsd-cats. you used priv sep plus all the other security goodies.

    you don't say that doing nightly backups is a "weak" practice because the backups could fail at the same time as your main drive. do you?

  3. JEBUS by tempest303 · · Score: 2, Insightful

    This is getting ridiculous. Maybe it's time for OpenSSH development to completely halt for the moment, and do some serious auditing? This is just plain sad... I know people have been joking about switching to lsh, but at a current "score" of 3 to 1, I'm starting to consider it, at least for the time being... :-/

    1. Re:JEBUS by Kalzus · · Score: 5, Insightful

      Arguably, this announcement *is* the result of an increase in code vetting on the part of the portable OpenSSH team. Just a thought.

      --
      "The Devil does not know a lot because He's the Devil, He knows a lot because he's old." -- unknown
    2. Re:JEBUS by Corgha · · Score: 3, Insightful

      On the contrary, arguably, this announcement is the result of 3.7p1 and 3.7.1p1 being rushed out the door with new, unvetted PAM code.

      That's why it doesn't affect earlier versions.

    3. Re:JEBUS by JoeBuck · · Score: 2, Insightful

      No, the vulnerabilities are due to new code in 3.7; the Red Hat and Debian people who backported only the security fixes to older OpenSSH versions are safe. They are not old vulnerabilities that were discovered by an increase in code vetting.

    4. Re:JEBUS by Anonymous Coward · · Score: 1, Insightful

      The flaw was _found_ by the OpenSSH team. It wasn't a latest warez thing, because they _found_ it and _fixed_ it. They _did_ audit their code. Read a bit before posting. Yesh.

  4. Just like MS then. by clard11 · · Score: 1, Insightful

    So how is this different to MS having multiple attempts to resolve their security bugs? I don't see a difference. Doesn't this prove that closed or OSS, security code is a difficult software engineering challenge? Maybe slashdotters should cut MS some slack in this area.

    --
    catch (ModDownException mde) {post.modUp("Interesting")}
    1. Re:Just like MS then. by phliar · · Score: 4, Insightful

      With MS, they're gaping holes that we hear about because the worm actually did do the damage. The bugfixes for OpenSSH are all questions about bugs being found by reading the code, and nonstandard installations -- not known compromises. The speed with which security issues are handled is also much better than anything those yahoos ever do.

      --
      Unlimited growth == Cancer.
    2. Re:Just like MS then. by fyrie · · Score: 1, Insightful

      Are you serious? When was the last MS patch that came out AFTER the virus hit? Usually the patch has come out way in advance, sometimes even over a year in advance.

      Software defects are a part of software engineering. It doesn't matter if it is open or closed source. As long as humans are doing the coding, there will be 1 defect for X lines of code. It is as simple as that.

      Pass me the crack pipe please. C U bye!

    3. Re:Just like MS then. by pmz · · Score: 2, Insightful

      I don't see a difference.

      1) The people behind OpenBSD and OpenSSH are much less driven by time-to-market and ooh-shiney crap than the monkeys at Microsoft are.

      2) OpenBSD and OpenSSH actually strive for simplicity rather than obsess over bullet-points.

      3) OpenBSD's default install has basically only OpenSSH as a public service (among a handful more). This is already light-years ahead of numerous (thousands undiscovered, probably) default-available remote-root exploits in Windows.

      4) The people behind OpenSSH are much less likely (although no one's perfect) to sweep things under the rug than Microsoft.

      Microsoft is like a car dealership complete with greasy salespeople. OpenBSD/OpenSSH basically have no salespeople (word of mouth, who'd have thunk that?).

      Which makes you feel more warm and cozy?

    4. Re:Just like MS then. by Shdwdrgn · · Score: 3, Insightful

      It's different because they advised everyone immediately of the problems, and released a patch as soon as they had one. MS has in the past spent considerable time blaming the customers for problems (for instance, IE automatically downloading and executing exe files from websites, without the user's consent).

      It's different because this is only one of a handful of programs which have required security updates in the past X weeks. How many security updates has MS released in the same amount of time?

      All of the MS advocates are spending a lot of time complaining about how everyone here bashes MS. I've been using Windows since 3.1 was released. Now I have a choice. Linux isn't for everyone. It requires a lot of time to learn it. Windows also required a lot of time to learn, but most people don't remember that. Back in the days when GUI's were new, we expected things to be difficult, and we lived with that until it was fixed. Now linux is coming in and trying to do everything the right way, but apparently many people are unwilling to give linux the same chance they originally gave to Windows.

      Windows is like a first-draft program. It's a kludge. It works, and with enough effort you can add a lot of eye-candy to make it look like a polished system, but underneath, it's still a kludge. They started with a vague idea of what they were going to write, and created it as best they could.

      Linux is more like a second-draft program. It's built from scratch completely based off of all the concepts that were discovered in writing the original version. The goal is in sight, the mistakes can mostly be avoided, and they have a clear idea of what they're doing from start to finish. It's still not going to be perfect, but it's built on a solid understanding of what needs to be done.

      Up next..? Who knows, but I imagine that comparing the next generation software to what we have now will be like comparing a finely-tuned Indy car to a horseless carriage.

  5. Re:Non-standard configuration by grub · · Score: 5, Insightful

    Having a small amount of the sshd code running as root with the 'sshd' user handling the rest helps make it harder for other exploits. I don't think anyone would suggest that PrivSep makes an exploit impossible, but it is another great layer on the security-onion.

    --
    Trolling is a art,
  6. Re:A better solution by sqlrob · · Score: 3, Insightful
  7. Re:Case matters by avij · · Score: 2, Insightful

    Um, no.

    man sshd: keywords are case-insensitive and arguments are case-sensitive, meaning that usepam and UsePam and UsePAM are equivalent.

    --
    Follow your Euro bills at EBT
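    As an added example (not from the story or any commenter), here is a small Python checker that combines the scope given in the summary above (portable 3.7p1 and 3.7.1p1 only, with 'UsePAM no' as the workaround) with avij's point that sshd_config keywords are case-insensitive. The `ssh -V` banner format and the sample config are assumed/constructed, and an unset UsePAM is treated as "not mitigated" rather than relying on any build's default.

```python
import re

# Portable releases named in the PAM advisory discussed in the story; 3.7.1p2 is the fix.
AFFECTED_PORTABLE = {"3.7p1", "3.7.1p1"}

# Constructed sshd_config fragment: same keyword twice with different casing.
SAMPLE_CONFIG = """# constructed sample, not a real host's config
Port 22
usepam yes
UsePAM no
"""

def parse_banner(banner):
    """Parse a banner like 'OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, ...' (format assumed).
    Returns (full_version, is_portable); the 'pN' suffix marks the portable release."""
    m = re.search(r"OpenSSH_(\d+\.\d+(?:\.\d+)?)(p\d+)?", banner)
    if not m:
        return None
    return m.group(1) + (m.group(2) or ""), m.group(2) is not None

def use_pam_setting(config_text):
    """Effective UsePAM argument (lower-cased) or None if the keyword is absent.
    Keywords compare case-insensitively, so usepam/UsePam/UsePAM are one keyword;
    like sshd, the first occurrence wins. Comments and blank lines are skipped."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "usepam":
            return parts[1].strip().lower()
    return None

def assess(banner, config_text):
    """Classify a host against the advisory: 'not-openssh', 'openbsd-native',
    'unaffected-version', 'mitigated' (UsePAM no) or 'vulnerable'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "not-openssh"
    version, portable = parsed
    if not portable:
        return "openbsd-native"        # advisory covers the portable release only
    if version not in AFFECTED_PORTABLE:
        return "unaffected-version"    # e.g. 3.4p1 on Mac OS X, or the fixed 3.7.1p2
    if use_pam_setting(config_text) == "no":
        return "mitigated"
    return "vulnerable"                # assumption: unset UsePAM is not treated as disabled
```

    On the constructed sample the first `usepam yes` wins, so a 3.7.1p1 host with that file is reported as vulnerable even though a later line says `UsePAM no`.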
  8. Re:Apple affected? by bnenning · · Score: 2, Insightful

    The vulnerability apparently only affects OpenSSH version 3.7, and Mac OS X uses 3.4, so we should be ok.

    --
    How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
  9. Re:Time for a new spin on security practices? by ninewands · · Score: 5, Insightful

    OpenSSH... A Microsoft product, right? Oppss... Forgot, one can not criticize open source on the same standards we hold "M$"

    Well, yes, we should hold them both to the same standard ... so when Microsoft starts announcing its own self-discovered vulnerabilities and releasing Day-Zero patches to fix them I will be just as critical of OpenSSH security as I am of Windows *cough*security*cough*.
  10. fact of life by NumLk · · Score: 4, Insightful

    I'm not trying to be a tool here, but seriously, does anyone ever expect any piece of software to be 100% foolproof? Software is complex, and in its complexity lies opportunity for problems to arise. Sometimes they are simple coding mistakes, sometimes they are problems that arise when the software isn't used as its developers envisioned.

    As users of software though, it is irresponsible to assume that just because it is commercial, open source, MS, non-MS, or whoever is the messiah of the day's product that it will never have unexpected problems. Admittedly, some companies' software appears to be worse than others, but that is the gamble we take when we build complex systems.

    --
    Children in the backseats don't cause accidents. Accidents in the back seats cause children.
  11. Re:RedHat boxes are safe by MSG · · Score: 4, Insightful

    Please don't post links to bugzilla. Bugzilla is a database driven application, and linking to it directly from slashdot will certainly swamp that system. The information in the bugzilla entry is:

    Opened by mjc@redhat.com (Mark J Cox, Security Response Team Lead) on 2003-09-23 11:16

    http://www.openssh.com/txt/sshpam.adv came out on Sep23 with two new
    vulnerabilities that affect OpenSSH.

    Both these issues only affect OpenSSH 3.7 and 3.7.1. Red Hat Linux and Red Hat
    Enterprise Linux are not vulnerable to these issues as we ship with earlier
    versions (with the addition of backported security fixes for other issues).

    Keeping this bug open for a few days to enable users searching bugzilla to find
    out that they are not vulnerable.

  12. "Patch *again*" == no big deal by psyconaut · · Score: 5, Insightful

    The poster seems to insinuate that patching again is a chore...security is, by very nature, a moving target. I'm *glad* they find vulnerabilities and post regular patches...proves to me, at least, that somebody is on-the-ball.

    Heck, just be thankful they don't belong to the Microsoft school of security and fixes ;-)

    -psy

  13. Re:Time for a new spin on security practices? by ajs · · Score: 2, Insightful

    Bravo! I'm glad someone is paying attention to this. Just because we happen to have a community that expects the patch to be available 20 seconds before the first person finds it is no reason to measure Linux and Windows on different yard-sticks. If the OpenSSH team can get a patch to vendors and vendors release a fix within a day or two, then that's what we should expect from Windows. And when Windows doesn't keep to that standard, we should all wonder why.

  14. Re:Time for a new spin on security practices? by evought · · Score: 5, Insightful

    Also, notice that this is a problem which *may* be remotely exploitable in a *non-standard configuration*, when certain default security measures have been *disabled by the user*.
    This is not in the same league as "Oops, we left the RPC port open and rootable by default."

    The class of errors being fixed by OpenSSH is very different and the design takes security much more seriously.

  15. Re:PAM is not in by default by volkerdi · · Score: 2, Insightful

    Newsflash genius, most people don't use slackware.

    Most people use Windows.

    In addition not having pam normally is not something to be proud of!

    No, normally it is. A quick glance through the BugTraq archives will show how often there are vulnerabilities having something to do with PAM. By comparison, sendmail looks mighty bug free.

  16. Re:EXCUSE ME!? by reverendslappy · · Score: 2, Insightful

    Huh?

    Nimda:
    Patch Released: August 15, 2001
    Major Exploit Starts: September 18, 2001

    SQL Slammer Worm:
    Patch Released: July 24, 2002
    Major Exploit Starts: January 25, 2003

    MS Blaster Worm:
    Patch Released: July 16, 2003
    Patch Released: August 11, 2003

  17. Use real ssh. by Anonymous Coward · · Score: 2, Insightful

    I stopped using OpenSSH last year. These problems were hinted at in the massive flaws from last year. Sure everything has flaws, but this is like everyday, for something that we're supposed to trust FOR security. Hell, at this rate, running telnetd is more secure. It's less likely you'll be sniffed than get hit by some passing worm within 5 mins of putting a box online.

    ssh from ssh.fi is more secure out of the box (no ssh1), requires a lot fewer dependencies on other programs, and is more configurable. Not to mention it's the official version of SSH.

    OpenSSH == wuftpd/sendmail of security software, get rid of it. At least for now.

  18. Re:Time for a new spin on security practices? by tshak · · Score: 2, Insightful

    when Microsoft starts announcing its own self-discovered vulnerabilities and releasing Day-Zero patches to fix them

    They will once the OSS community start providing 0-day enterprise quality patches that actually get regression tested before being installed on mission critical servers. MS may have a few poorly tested patches in its relatively distant history, but MS still puts its patches through far more testing than most OSS patches are put through when released. Testing takes time, period.

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips