Slashdot Mirror


New Vulnerabilities in Portable OpenSSH

An anonymous reader writes "The OpenSSH team has uncovered multiple exploitable vulnerabilities in the days-old portable release of OpenSSH. That's right folks: time to patch *again*. 3.7.1p2 is now available. Instructions and mirror list here. Please note that this vulnerability only affects *portable* OpenSSH--so if you are running OpenBSD, you're safe. This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file. Info on the advisory here and here."

22 of 324 comments

  1. Non-standard configuration by grub · · Score: 5, Informative


    From the article: At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled)

    Privilege Separation saves the day again. I think this is a testament to the forward thinking of the OpenBSD and OpenSSH people: they know that human error introduces potentially exploitable bugs, hence the work that went into PrivSep to minimize the risk.

    "The lengths some people will goto to try and damage Theo's pride" Most moronic submitter comment ever.

    --
    Trolling is a art,

    1. Re:Non-standard configuration by Frymaster · · Score: 4, Insightful

      writers looking for a typewriter-with-memory would be better served by Notepad or the Mac equivalent.

      your belt may fail
      your suspenders may fail

      if you're really serious about keeping your pants up, use both!

      this is the theory of theo-n-the-openbsd-cats. you used priv sep plus all the other security goodies.

      you don't say that doing nightly backups is a "weak" practice because the backups could fail at the same time as your main drive. do you?

    2. Re:Non-standard configuration by grub · · Score: 5, Insightful


      Having a small amount of the sshd code running as root with the 'sshd' user handling the rest helps make it harder for other exploits. I don't think anyone would suggest that PrivSep makes an exploit impossible, but it is another great layer on the security-onion.

      --
      Trolling is a art,

  2. hmm by tedtimmons · · Score: 4, Funny

    Who is pam, and what did she have to do with openssh?

    -ted

    1. Re:hmm by r_j_prahad · · Score: 4, Funny

      Pam was my ex-wife. She was pluggable by too many.

  3. A solution? by gpinzone · · Score: 4, Funny

    This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file.

    Wouldn't that prevent anyone from logging in? I guess that's a solution. Why not disconnect the network cable, too?

  4. Time for a new spin on security practices? by Anonymous Coward · · Score: 4, Funny

    Maybe the OSS community needs a Trustworthy Computing initiative =]

    1. Re:Time for a new spin on security practices? by ninewands · · Score: 5, Insightful

      OpenSSH... A Microsoft product, right? Oops... Forgot, one cannot criticize open source on the same standards we hold "M$"

      Well, yes, we should hold them both to the same standard ... so when Microsoft starts announcing its own self-discovered vulnerabilities and releasing Day-Zero patches to fix them I will be just as critical of OpenSSH security as I am of Windows *cough*security*cough*.
    2. Re:Time for a new spin on security practices? by evought · · Score: 5, Insightful

      Also, notice that this is a problem which *may* be remotely exploitable in a *non-standard configuration*, when certain default security measures have been *disabled by the user*.
      This is not in the same league as "Oops, we left the RPC port open and rootable by default."

      The class of errors being fixed by OpenSSH is very different and the design takes security much more seriously.

  5. PAM is not in by default by Anonymous Coward · · Score: 4, Informative

    Before we all panic, note that PAM is not in the default build.

    It's also not in slackware builds (thanks Patrick).

  6. Re:I don't understand by Compenguin · · Score: 4, Informative

    From the portable openssh website:
    "Normal OpenSSH development produces a very small, secure, and easy to maintain version for the OpenBSD project. The OpenSSH Portability Team takes that pure version and adds portability code so that OpenSSH can run on many other operating systems (Unfortunately, in particular since OpenSSH does authentication, it runs into a *lot* of differences between Unix operating systems)."

  7. OpenSSH in RedHat 9 and others by avij · · Score: 5, Informative

    The RH-supplied latest OpenSSH (3.5p1-11) doesn't seem to accept the "UsePam no" directive that was suggested as a workaround, so if you go ahead and add that line to your /etc/ssh/sshd_config and say "service sshd restart", SSH will complain about an invalid configuration option and refuse to start. Just for your information..

    --

    Follow your Euro bills at EBT

    1. Re:OpenSSH in RedHat 9 and others by virtual_mps · · Score: 4, Informative

      More importantly, the problem only affects OpenSSH 3.7p and 3.7.1p, so adding "UsePam no" to a 3.5p installation is unnecessary.

  8. Re:JEBUS by Kalzus · · Score: 5, Insightful

    Arguably, this announcement *is* the result of an increase in code vetting on the part of the portable OpenSSH team. Just a thought.

    --
    "The Devil does not know a lot because He's the Devil, He knows a lot because he's old." -- unknown

  9. RedHat boxes are safe by menscher · · Score: 4, Informative

    Just to alleviate some of the panic, RedHat boxes are safe.

    1. Re:RedHat boxes are safe by MSG · · Score: 4, Insightful

      Please don't post links to bugzilla. Bugzilla is a database driven application, and linking to it directly from slashdot will certainly swamp that system. The information in the bugzilla entry is:

      Opened by mjc@redhat.com (Mark J Cox, Security Response Team Lead) on 2003-09-23 11:16

      http://www.openssh.com/txt/sshpam.adv came out on Sep23 with two new
      vulnerabilities that affect OpenSSH.

      Both these issues only affect OpenSSH 3.7 and 3.7.1. Red Hat Linux and Red Hat
      Enterprise Linux are not vulnerable to these issues as we ship with earlier
      versions (with the addition of backported security fixes for other issues).

      Keeping this bug open for a few days to enable users searching bugzilla to find
      out that they are not vulnerable.

  10. New Motto by Greyfox · · Score: 4, Funny

    15^H^H10 minutes without a remote root exploit!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  11. Yippee! by mrpuffypants · · Score: 4, Funny

    oooh! Patching every other day is fun!

    This is just like being a MCSE! Now I can hang out with the NT guys and chat about patching!

  12. Re:Just like MS then. by phliar · · Score: 4, Insightful

    With MS, they're gaping holes that we hear about because the worm actually did do the damage. The bugfixes for OpenSSH are all questions about bugs being found by reading the code, and nonstandard installations -- not known compromises. The speed with which security issues are handled is also much better than anything those yahoos ever do.

    --
    Unlimited growth == Cancer.

  13. fact of life by NumLk · · Score: 4, Insightful

    I'm not trying to be a tool here, but seriously, does anyone ever expect any piece of software to be 100% foolproof? Software is complex, and in its complexity lies opportunity for problems to arise. Sometimes they are simple coding mistakes, sometimes they are problems that arise when the software isn't used as its developers envisioned.

    As users of software though, it is irresponsible to assume that just because it is commercial, open source, MS, non-MS, or whoever is the messiah of the day's product that it will never have unexpected problems. Admittedly, some companies' software appears to be worse than others, but that is the gamble we take when we build complex systems.

    --
    Children in the backseats don't cause accidents. Accidents in the back seats cause children.

  14. Re:Is the default config file safe? by Ratcrow · · Score: 4, Informative

    No!

    From the top of sshd_config:

    "The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible, but leave them commented. Uncommented options change a default value."

    In other words, simply uncommenting the line changes nothing -- the default is shown commented. For the SRPMS of OpenSSH-3.7p1, UsePAM is set to Yes.
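
    A small check for the point made in this comment and in the "non-standard configuration" thread above, written here as an added example (not code from any poster or from OpenSSH itself): it reads an sshd_config the way the comment describes, treating commented lines as shipped defaults and only uncommented lines as overrides, and reports the effective UsePAM and UsePrivilegeSeparation values. The sample config text and the default values are assumptions; use your own build's defaults.

```python
import re

# Constructed sshd_config excerpt (sample input, not from the page). The
# commented lines show shipped defaults; only uncommented lines change a value.
SAMPLE_SSHD_CONFIG = """\
#UsePrivilegeSeparation yes
#UsePAM no
UsePrivilegeSeparation no
UsePAM yes
Port 22
"""

# Assumed compile-time defaults: privsep on, PAM off. The UsePAM default
# depends on how the package was built (the comment above says the 3.7p1
# SRPMS ship it as yes), so pass your build's defaults in explicitly.
DEFAULTS = {"useprivilegeseparation": "yes", "usepam": "no"}


def effective_settings(config_text, defaults=DEFAULTS):
    """Return the effective value of each keyword listed in `defaults`.

    A line whose first non-blank character is '#' is a comment and never
    overrides anything, so uncommenting a line that already states the
    default changes nothing. For real directives sshd keeps the first
    occurrence of a keyword, so later duplicates are ignored. Keywords are
    matched case-insensitively ("UsePam" and "UsePAM" are the same option).
    """
    settings = dict(defaults)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"([^\s=]+)\s*=?\s*(\S+)", line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).lower()
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings


def nonstandard_pam_without_privsep(settings):
    """True for the setup the advisory singles out: PAM code enabled while
    privilege separation, the layer that contains a PAM bug, is switched off."""
    return settings["usepam"] == "yes" and settings["useprivilegeseparation"] == "no"


if __name__ == "__main__":
    found = effective_settings(SAMPLE_SSHD_CONFIG)
    print(found, "non-standard" if nonstandard_pam_without_privsep(found) else "ok")
```

    Match blocks and Include directives are not modelled; the check covers the global settings only.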

  15. "Patch *again*" == no big deal by psyconaut · · Score: 5, Insightful

    The poster seems to insinuate that patching again is a chore...security is, by very nature, a moving target. I'm *glad* they find vulnerabilities and post regular patches...proves to me, at least, that somebody is on-the-ball.

    Heck, just be thankful they don't belong to the Microsoft school of security and fixes ;-)

    -psy