Flaw Made Public In OpenSSH Encryption

alimo20 writes "Researchers at the Royal Holloway, University of London have discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux. According to ISG lead professor Kenny Patterson, an attacker has a 2^{-18} (that is, one in 262,144) chance of success. Patterson tells that this is more significant than past discoveries because 'This is a design flaw in OpenSSH. The other vulnerabilities have been more about coding errors.' The vulnerability is possible by a man-in-the-middle intercepting blocks of encrypted material as it passes. The attacker then re-transmits the data back to the server and counts the number of bytes before the server to throws error messages and disconnects the attacker. Using this information, the attacker can work backwards to figure out the first 4 bytes of data before encryption. 'The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Patterson. ... Patterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days.'"

Nooooooooo!

Theo?

Re:Nooooooooo!

OpenSSH is broke'd, ya see?

Re:Nooooooooo!

Again!?

Old version = old news

OpenSSH 5.2 was released in February already which has builtin countermeasures against this form of "attack." Next.

Re:Old version = old news

[Thornburg]

I agree. I just checked all the machines I have immediate access to, and they are all on 5.1. Why does a vulnrability in 4.7 matter?

Re:Old version = old news

[characterZer0]

Does 5.1 include the countermeasures?

It sounds like many versions of many implementations are vulnerable. OpenSSH 4.7 in Debian was just the one they used to test it.

Re:Old version = old news

[againjj]

The interesting part here is that more details have been released about what the flaw actually was. Before, it was merely "there is a flaw, and we have notified vendors", but now more details are available. In particular, that while 5.2 has countermeasures, it is a flaw in the protocol itself, and not the implementation. "Countermeasure" does not equal "completely solved".

Re:Old version = old news

[drawfour]

If they're on 5.1, they may be vulnerable. The parent to your post said that 5.2 was released in February, which contains the fix. He didn't say if that's the first version that has the fix or not, but if it is, then your 5.1 is still vulnerable.

Re:Old version = old news

[FunPika]

I think it is all below 5.2 according to http://openssh.com/security.html.

Re:Old version = old news

[againjj]

5.1 does not have the countermeasures. 5.2 does. Upgrade.

Though, while the leaked information is significant, the chance at getting it in tiny, so the risk is small.

Re:Old version = old news

[RajivSLK]

The attacker then re-transmits the data back to the server and counts the number of bytes before the server to throws error messages and disconnects the attacker.

This seems easily fixable. Have the server wait a random amount of time (say between 1 and 5 seconds) before throwing an error and disconnecting. During the "wait" period the server would continue to accept data and simply pipe it to /dev/null.

Patterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days.

True, but a username/password string is a pretty short message.

Re:Old version = old news

[Prof.Phreak]

O_o

$ ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

Re:Old version = old news

[dave562]

It may be the "old" version, but it is the version most readily available. I setup an Ubuntu server (9.04) a couple of months ago. I used apt to get OpenSSH on it last month. The version it retrieved is

OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007

Just because a new version is out doesn't mean people are using it. People who rely on package maintainers or "the community" to help them out and keep things up to date could very well be let down. Moral of the story, if you want something done right, you have to do it yourself.

Re:Old version = old news

[sirsnork]

Why? Given the now public nature of this and the fact that there are countermeasures how long do you think it will be until an updated package is available for Debian and all it's children projects?

I'm guessing a few days to a week before these countermeasures are patched into Debian's version. The whole point of ditributions is because keeping every piece of software up to date manually on even a single linux box is an arduous task at best.

Re:Old version = old news

[neoform]

Where can I get an rpm of 5.2? All my repos don't have it.. :(

Re:Old version = old news

[Tubal-Cain]

What distro are you using?

Re:Old version = old news

Debian and Ubuntu frequently backport fixes rather than upgrade package versions, although in this case the date is listed as Oct 2007 and it might be infeasible to backport a fix if it requires major design changes.

Re:Old version = old news

[Simetrical]

This seems easily fixable. Have the server wait a random amount of time (say between 1 and 5 seconds) before throwing an error and disconnecting. During the "wait" period the server would continue to accept data and simply pipe it to /dev/null.

Then you wait five seconds between each byte you send. You could also say the server should accept a random number of bytes before giving the error, but that's still only going to slow an attacker down. Just keep submitting the same string over and over, and if you know the distribution of the number of extra bytes accepted, you can figure out to arbitrarily high probability which byte was really responsible for the error. Just check the average byte number rejected after a hundred tries, say, and then subtract however many extra bytes the server will add on average.

Re:Old version = old news

[asdf7890]

If that is the case, then they have updated recently.

Ubuntu/Jaunty (9.04) on my netbook reports the openssh-server package in the standard repo to be 5.1pl-5ubuntu1. Debian/Lenny (5.0, current "stable") shows 5.1p1-5 also. Hopefully an update to 5.2 is coming soon, though 5.2 isn't even in Sid (unstable) yet, so maybe not. Then again, they may have back-ported the changes for this issue instead of upgrading to the full point release. That sort of thing does sometimes happen.

The package in Etch ("oldstable", still very common as Lenny was only promoted to stable a short while ago) is still 4.3p2-9etch3 and I doubt that will get upgraded unless the attack practically useful.

Re:Old version = old news

[le_lotus_604]

waiting for Apple's fix in 7 months

Re:Old version = old news

[buchner.johannes]

What if you have 262144 machines?

Or what if you do a ssh-rsync backup every day? I mean the attacker has the time ...

That is not unrealistic.
Furthermore, the risk is unknown, as it is also determined by the value of your data, not only by the likelihood of a successful attack.

Re:Old version = old news

[Hurricane78]

eix-sync && emerge -auDNtv world && echo "Yay :D"

Re:Old version = old news

I get the exact same thing on my CentOS 4.6 and RHE WS 4 boxes. I can't be bothered to upgrade or patch anything.

Re:Old version = old news

True, but a username/password string is a pretty short message.

Sure maybe yours is, my password is the Necronomicon.

Re:Old version = old news

[diamondsw]

Meanwhile, I was pleasantly surprised to see Mac OS X on 5.1p1. Now that could have dropped this past week with 10.5.7, but it's nice to know that even vendors with perhaps less of a stake in most-current packages are keeping up to date.

Whoever that guy was earlier with 3.9, well o_O indeed.

Re:Old version = old news

[MetalBlade]

Just because a new version is out doesn't mean people are using it. People who rely on package maintainers or "the community" to help them out and keep things up to date could very well be let down. Moral of the story, if you want something done right, you have to do it yourself.

Or use Gentoo, where you can tell portage to sync with the GIT/SVN/CVS server of packages instead of having to wait until updates have been added into the regular portage tree.

It might be risky to always run the latest versions of everything, but it sure feels nice when non-issues like this story shows up.

Re:Old version = old news

[mzs]

5.1 is vulnerable. If you cannot upgrade just disable all CBC mode ciphers on your server. Some clients will not be able to negotiate a ciphersuite then and the connection will fail for those. If you need CBC for those reasons upgrade or back port.

Re:Old version = old news

[RazzleDazzle]

More importantly: can you send me the output of "ifconfig" and "lynx -dump http://www.ipchicken.com/"

Re:Old version = old news

[Phroggy]

Mac OS X 10.4.11:

phroggy@curry:~$ ssh -V
OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006

Re:Old version = old news

Heh, did you know when you type your ip address on slashdot it comes up as stars? Look: this is mine ***.**.***.** try it! it's fun! :)

Re:Old version = old news

[williamgrant]

That's not right - Ubuntu 8.10 and 9.04 have OpenSSH 5.1. Ubuntu 8.04 has 4.7.

Re:Old version = old news

[dave562]

You're right. I misspoke. I'm running 8.04 LTS. It's just a Subversion box sitting in the corner.

Re:Old version = old news

[Tubal-Cain]

Here's the lynx output:

The program 'lynx' can be found in the following packages:
* lynx-cur
* lynx-cur-wrapper
Try: sudo apt-get install <selected package>
bash: lynx: command not found

Re:Old version = old news

[3vi1]

Heh, did you know when you type your ip address on slashdot it comes up as stars? Look: this is mine ***.**.***.** try it! it's fun! :)

127.0.0.1

Re:Old version = old news

[X0563511]

eix-sync && emerge -auDNtv world; sleep 1374261893645973165479613; echo "FINALLY!"

Re:Old version = old news

[X0563511]

screw Ubuntu. apt-get purge command-not-found.

Re:Old version = old news

[jonadab]

Sure, no problem:

nathan@groundhog:~$ ifconfig
bash: ifconfig: command not found
nathan@groundhog:~$ lynx -dump http://www.ipchicken.com/
bash: lynx: command not found
nathan@groundhog:~$

Anything else I can do for you?

Re:Old version = old news

20.158.6.134

Re:Old version = old news

[Hucko]

Liar!

Re:Old version = old news

Uh, that is the point of Debian stable. They are in the business of backporting security fixes, so fixing bugs does not interfere with your server working.

Re:Old version = old news

[Vellmont]

People who rely on package maintainers or "the community" to help them out and keep things up to date could very well be let down. Moral of the story, if you want something done right, you have to do it yourself.

Righto.. The moral of the story is to spend most a large portion of your day tracking down all the security bugs yourself to all the various parts of software on your machine. Then testing, patching, and testing again. Be sure to keep up at night worrying about even the most esoteric, hard to exploit, unlikely to work breaches like these.

If you like doing that sort of thing, that's great. But don't try to tell me everyone has to act like yourself to be "secure". Security has always been about managing the risk, not about creating a perfect impenetrable system. All systems have flaws, it's the nature of the beast.

Re:Old version = old news

[Lavene]

Heh, did you know when you type your ip address on slashdot it comes up as stars? Look: this is mine 146.24.111.02 try it! it's fun! :)

127.0.0.1
I _really_ hope this works or else I'm in deep trouble!

Re:Old version = old news

[Lavene]

For one second there I believed I was the only one thinking about that one...

Re:Old version = old news

[Prof.Phreak]

RedHat Enterprise Linux 4.0 (it's company wide...)

Re:Old version = old news

[ToasterMonkey]

If you like doing that sort of thing, that's great. But don't try to tell me everyone has to act like yourself to be "secure". Security has always been about managing the risk, not about creating a perfect impenetrable system. All systems have flaws, it's the nature of the beast.

Well, you aren't going to mitigate risk by doing nothing, so what is your point? There will always be risk, so you should take it as-is? Sorry, no.
"Managing the risk" means measuring it, and doing something about it. That includes regular trips to US-CERT and CVE (or at least /.), and a proactive security policy.
The alternative is to just accept the risk, placing your full trust in others, and that isn't in any way called "security" in the computer sense, where the terrain is extremely not in your favor.

Maybe you're not worried about security, so good for you then. I grew up in a place we felt safe enough to never lock our front door. Then some kid stole my SNES, the little fuck. I think your perception of security might be like ours was, a big hockey stick from "nothing will happen" to "oh shit, it just did, do something about it." Accepting the risk requires trust, in this case trusting people with no legal, monetary, or other obligation to provide you with security. Your placing trust other people's self-pride. That's not good enough for everyone.

Re:Old version = old news

[AlterRNow]

You are aware the command-not-found is available in Debian too, right?

And what is the alternative to it? Can you pass aptitude/apt-get/dpkg an executable name and it respond with what packages supply it?

Re:Old version = old news

[donaldm]

I think it is all below 5.2 according to http://openssh.com/security.html.

From the url:

# OpenSSH prior to version 5.2 is vulnerable to the protocol weakness described in CPNI-957037 "Plaintext Recovery Attack Against SSH". However, based on the limited information available it appears that this described attack is infeasible in most circumstances. For more information please refer to the cbc.adv advisory and the OpenSSH 5.2 release notes.

# Portable OpenSSH 5.1 and newer are not vulnerable to the X11UseLocalhost=no hijacking attack on HP/UX (and possibly other systems) described in the OpenSSH 5.1 release notes.

# OpenSSH 5.0 and newer are not vulnerable to the X11 hijacking attack described in CVE-2008-1483 and the OpenSSH 5.0 release notes.

Not exactly that helpfull however when I check my machine:
$ rpm -q openssh
openssh-5.1p1-3.fc10.x86_64

So I should be ok - err maybe.

Re:Old version = old news

[kasperd]

The interesting part here is that more details have been released about what the flaw actually was.

But where did those details get released? They are not on the zdnet article in the link. Based on the vague description, I have a guess about what the problem probably is. You take cipher block you want to get decrypted and send it in the position in the stream where the length of a message would be. The server then decrypts it and finds the length. If the length is a 32 bit field but only lengths up to 2^14 are valid, then it would explain the numbers in the description. If the length is invalid, the receiver will immediately break the connection and all you know is, that the 32 bit value was larger than a valid length. If the length is valid, the attacker starts sending garbage one byte at a time to the recipient, until the recipient breaks the connection. Then the attacker knows the 32 bits.

This could be fixed by not breaking the connection immediately. A fix could work like this. First you find out after how many bytes the connection would be broken for the longest valid size of a packet. If you receive a message with invalid length or invalid checksum, you receive more bytes and throw them away until you have received the maximum number of bytes for a message. Only then you report the problem (and make sure not to tell the peer if it was invalid length or invalid checksum). If your peer interrupts the connection before you receive all the additional bytes, you behave exactly as if they had done so before you had enough bytes to verify the checksum.

Re:Old version = old news

[donaldm]

I just checked my Fedora 10 updates and can't find 5.2 (I already have 5.1). Still unless you are using OpenSSH in environments where there is a possibility of someone exploiting the SSH flaw you should be fairly safe especially if your machine is in your home.

Re:Old version = old news

Try apt-file.

Re:Old version = old news

[noundi]

I have OpenSSH running on my machine at home and frankly I'm more concerned of getting stabbed in the neck by Jesus himself than a man-in-the-middle attack with a success rate of one in 262,144. I wouldn't be if I was google.com, but then again I'm not so I think I'll sleep well tonight without even checking my OpenSSH version. Thanks.

Re:Old version = old news

Apples, peaches, pears and plums
Tell me why you bought a fucking fruit sallad instead of a PC

Re:Old version = old news

"After reviewing the upstream fix for this issue, Red Hat does not intent to
address this flaw at this time. A future update may address this issue."

From redhat bugzilla id 472068 .

So, one can alternatively explicitly list non-vulnerable Ciphers in his ssh configuration files.

Re:Old version = old news

Plus, if it was a design flaw in 4.7, it would be in all distros of *NIX that use this version.

Re:Old version = old news

[Hurricane78]

1. why would you wait *after* emerge finished?
2. 'bash: !": event not found' (Hint: "!" is history expansion nowadays.)
3. You can have more than one process at the same time. And emerge can have a cpu- and i/o-niceness of 19. You know that, do you?
4. Oh and do not forget ccache and distcc.
5. PROFIT! :D

Re:Old version = old news

[Vellmont]

Perhaps you should re-read the quoted text and my response. Then ignore everything you just said, since the it has nothing to do with what I said.

Re:Old version = old news

[X0563511]

I have never yet found a situation where I didn't have a binary installed but didn't know where to find it. Also, command-not-found isn't installed by default as of Lenny.

Sometimes I forget the exact name of a package, but 'apt-cache search' helps me remember.

Re:Old version = old news

[tensop]

O_o -- Microsoft Windows [Version 6.0.6001] Copyright (c) 2006 Microsoft Corporation. All rights reserved. C:\Users\Administrator>ssh -v 'ssh' is not recognized as an internal or external command, operable program or batch file. -- Whew, ssh is not installed. I remain 100% secure and unhackable!

Re:Old version = old news

[sciurus0]

Do you mean Ubuntu 8.04? 9.04 includes openssh 5.1

Good Thing

[neoform]

Whew. Glad I use Telnet.

Re:Good Thing

Whew. Glad I use Telnet.

hahaha XD

Re:Good Thing

[timeOday]

But telnet transmits your credentials unencrypted! To be super-secure I simply avoid transmitting them in the first place...

root@host# nc -l -p 1999 -c bash

user@otherhost: nc otherhost 1999
whoami
rm -fR /

(PS don't actually do this)

Re:Good Thing

[mzs]

It may sound funny, but the MIT Kerberos sources contain an version of telnet and telnetd that support encryption. There has not been a vulnerablity in that for a while that I know of. There was a stupid vulnerability in logind on Solaris though which that telnet used. Also there is an encrypted version of rsh, rshd, and klogind in that source code. That has not been anything reported on that in a while either, though I think you only get 3DES if I recall correctly.

Re:Good Thing

THAT IS NOT FUNNY. Seriously. Telnet has encryption capabilities. Very few people use them, though. In a proper kerberos infrastructure, you can

    telnet -ax

and never provide a password. Go read your local man pages. (Some versions of telnet even make those options defaults.)

Re:Good Thing

Bah! Your "solution" is broken!

I tried it at home and for a while it seemed to work, but as soon as /bin/rm was deleted, it stopped. I ended up with most of the file system intact, but with no /bin/bash or /bin/rm to continue.

Re:Good Thing

[ais523]

Err, what sort of system are you using? First, most implementations of rm nowadays will refuse to delete / unless given special options; second, deleting the binary for rm doesn't get rid of running copies of the program itself (which in part, is why you can normally update a UNIX or Linux system without rebooting). The only thing I can think of that might act slightly like that would be Cygwin (where / is not really /, and which is based Windows where you can't delete running executables).

Re:Good Thing

[bogado]

This is probably because no one uses it or care for it. Encryption is not a matter of simply slapping an encrypted channel on top of something and that something is magically secure.

Just on the top of my head I could bet that this telnet is vulnerable to timing attacks that ssh were once vulnerable. you see, telnet usually sends keys as fast as it can, so when you're typing your password the timing between the keys-down events are reflected on the timing of packages that go trough the net, with those timings you can narrow down the brute force password search.

SSH is more smart then telnet, so first it has a initial handshake that is not part of the session, so the first password, the login password, is sent in a single packet. But even for other password prompts that are asked during the session, openssh notice that the no-echo mode is activated and uses a timeout to join together more then one key on a single packet, since there is no echo this does not compromise the responsiveness of the session.

Re:Good Thing

[fuckface]

nc: connect to otherhost port 1999 (tcp) failed: Connection refused

You opened the port on host and then told otherhost to connect back to itself. Douche.

Not much of a threat...

[WED+Fan]

...as we know, it's only a threat if people use the OS in question.

Re:Not much of a threat...

[.sig]

Anyone else remember when Unix was the usual target, and MS/DOS the "safe" OS?

Re:Not much of a threat...

[characterZer0]

Did you read the article?

It indicates that it effects SSH in general, not only one particular implementation.

Re:Not much of a threat...

Remember when slashdot wasn't full of old fogies?

Re:Not much of a threat...

[cptnapalm]

No.

Re:Not much of a threat...

Get off my lawn!

Re:Not much of a threat...

[DamageLabs]

Anyone else remember when VMS was the usual target, and Unix the "safe" OS?

Re:Not much of a threat...

[cptnapalm]

This is not your lawn. The property line clearly indicates...

wait a minute...

you are on MY LAWN!

Re:Not much of a threat...

[.sig]

Anyone else remember when stone tablets were the usual target, and cave drawings considered "safe"?

Re:Not much of a threat...

Anyone else remember when stone tablets were the usual target, and cave drawings considered "safe"?

Guess you never met a cave bear face to face.

Re:Not much of a threat...

[morgan_greywolf]

Yes. That's why we now have replaced telnet/rsh/rcp and authenticated FTP with ssh and scp, NIS with LDAP+Kerberos, /etc/shadow, authentication in NFS, support for other filesystems like CIFS, etc.

Microsoft, for their part, haven't changed all that much.

Re:Not much of a threat...

[bondjamesbond]

<--- who you calling old?

Re:Not much of a threat...

[xouumalperxe]

Article? Even the summary would've sufficed.

Re:Not much of a threat...

Well of course it was, and still is, a "safe" OS! Any non-networked computer is safe from remote attacks.

Re:Not much of a threat...

[lgw]

Yes. That's why we now have replaced telnet/rsh/rcp and authenticated FTP with ssh and scp, NIS with LDAP+Kerberos, /etc/shadow, authentication in NFS, support for other filesystems like CIFS, etc.

Microsoft, for their part, haven't changed all that much.

You're talking about changes since the tools developed in the 1980s. Microsoft completely replaced their consumer OS, moving from the Win95-based platform to the infinitely more secure NT-based platform, moved to AD, replaced an unsecure method of storing passwords with a secure one, invented CIFS, moved to a filesystem where all actions can be audited, etc.

The non-Linux Unixes, for their part, are mostly the same as they were in 1985 (that Oracle OS, Sol-something or other, being the one exception).

Re:Not much of a threat...

Oh, we used to DREAM about having stone tablets!

Re:Not much of a threat...

It indicates that it effects SSH in general

You mean "affects".

Re:Not much of a threat...

[lysdexia]

Mammaw wants help getting the push-mower started again.

All you boys ever do is fish.

Get your dogs out of my four-o`clocks!

Re:Not much of a threat...

replaced an unsecure method of storing passwords with a secure one

While that is true, the Microsoft default is to still have the old insecure methods enabled. You need to disable them with active directory policy or editing the registry.

That's NoLMHash = 1 and lmcompatibilitylevel = 5 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

I believe Microsoft finally changed the defaults in Vista.

Re:Not much of a threat...

> You're talking about changes since the tools developed in the 1980s. Microsoft completely replaced their consumer OS, moving from the Win95-based platform to the infinitely more secure NT-based platform, moved to AD, replaced an unsecure method of storing passwords with a secure one, invented CIFS, moved to a filesystem where all actions can be audited, etc.

Pity they didn't fix the flaw of ordinary users being encouraged to run as root until recently. And it took them until SP2 to figure out that you shouldn't have unnecessary services running. And they still haven't figured out how sudo is supposed to work, given the crappy and annoying UAC they invented...

In other words, they've done a lot, but they have always been playing catch-up.

Re:Not much of a threat...

[lgw]

In other words, they've done a lot, but they have always been playing catch-up.

Have you used AIX or HPUX or the like recently? Windows may be playing catch-up, but at least they're trying. Give me Windows any day over an OS stuck in the age where limiting a user name to 8 characters was acceptable, and even the most basic tools (i.e., SSH) are only avaliable as a third-party port.= with no formal vender support.

Re:Not much of a threat...

[morgan_greywolf]

I have. I'm a Unix systems engineer. HP-UX includes fully supported SSH in 11i and later. AIX has supported >8 usernames and passwords for since 4.2 and SSH is included in the box. Both have support for LDAP and Kerberos, again, out of the box, which allows for >8 character usernames and passwords.

Solaris, for it's part, has supported MD5 passwords since version 8 and 9 and 10 have it enabled by default.

Re:Not much of a threat...

[noundi]

I believe Microsoft finally changed the defaults in Vista.

It's Vista, your first conclusion should be "they broke it in Vista".

Re:Not much of a threat...

[noundi]

Summary? Common fucking sense would've sufficed.

SSH standard

[jgtg32a]

From the article it seems that it is more of a design flaw of SSH and not specifically OpenSSH

And in other news it also appears that the word "chink" is banned in the comments section.

Re:SSH standard

[buchner.johannes]

And in other news it also appears that the word "chink" is banned in the comments section.

Interesting. Someone should submit a story!

Re:SSH standard

what is a 'chink' and why would you ban it?

Re:SSH standard

[SoupGuru]

Also, dude, chink is not the preferred nomenclature. Asian-American, please.

Re:SSH standard

chink

Re:SSH standard

[FMZ]

Hmmm.... k. Seems there's an Asian-American in the armor of OpenSSH

Re:SSH standard

[The+Moof]

You know chink has other definitions, right? For example: "This flaw puts a chink in the armor of SSH."

Re:SSH standard

You do know that he is merely referencing a hilarious line from The Big Lebowski, right?

Re:SSH standard

Ahh, the only Asian people living outside of Asia are in America. I see now. ;P

Re:SSH standard

Is the armor a giant flying robot?

Re:SSH standard

Coming soon to FOX!

Re:SSH standard

chink isn't racist because its a type of food and a race of people.

Design flaw

[aaronfaby]

If the flaw is in the design of SSH, wouldn't all OS's be effected? Why does this only effect Debian?

Re:Design flaw

Damnit, it's affect.

Re:Design flaw

Debian packagers, in their infinite wisdom, compile with gcc -flots-of-spurious-warnings and comment out anything that they don't understand.

They have a history of fucking up packages (including openssh).

Re:Design flaw

[Culture20]

Why does this only effect Debian?

Damnit, it's affect.

Not if the openSSH flaw were causing Debian to exist. Then it would be effecting Debian.
http://crofsblogs.typepad.com/english/2005/08/effect_as_a_ver.html

Re:Design flaw

You need a whack with a cluebat, or stop thinking inside out. Even the site you linked to disagrees with the contents of your post.

affect / be affected by == interaction
effect / be effected by (rare) == causation

Re:Design flaw

Very true, but utterly off-topic as this is not the case.

Debian would exist without this flaw, if fact I am sure it would prefer to exist without it.

Re:Design flaw

[mzs]

And more seriously openssl which led to a lot of unlucky people having generated keys much weaker than they had expected.

Re:Design flaw

[shallot]

It actually doesn't seem to even be talking about a known Debian version, because the stable releases never shipped a 4.7. It looks like the the 2006-2008 RNG fuckup made security-minded people want to talk about Debian, apparently because that's when a lot of people listen up. Which is annoying because it reminds of Microsoft in similar context, but also a nice reminder of just how many users there are, which is much better than obscurity (heh).

Re:Design flaw

[shallot]

We are all impressed with your great generalization skills.

OKay

[JamesP]

The 2^-18 is _really_scary_

The 'first 4 bytes', not so much.

So, meh. Of course true hardcore cryptanalysts are sure to be already ditching OpenSSH or maybe piping it through GPG first.

Re:OKay

[characterZer0]

Being able to determine the first four bytes is what makes it 2^-18 instead of something much much smaller.

Re:OKay

[SanityInAnarchy]

Nah, we'll just be using an up-to-date OpenSSH. On my Ubuntu boxes, it's already 5.1, whereas the tested version was 4.7.

Re:OKay

The 2^-18 is _really_scary_

The 'first 4 bytes', not so much.

So, meh. Of course true hardcore cryptanalysts are sure to be already ditching OpenSSH or maybe piping it through GPG first.

Fuck gubfr onfgneqf, ebg13 vf tbbq rabhtu sbe nalbar.

captcha: rotator

Re:OKay

[Tubal-Cain]

On my Ubuntu boxes, it's already 5.1...

The fix is in 5.2

Re:OKay

[swillden]

The 2^-18 is _really_scary_

The 'first 4 bytes', not so much.

So, meh. Of course true hardcore cryptanalysts are sure to be already ditching OpenSSH or maybe piping it through GPG first.

Fuck gubfr onfgneqf, ebg13 vf tbbq rabhtu sbe nalbar.

Allow me to translate:

$ echo "Fuck gubfr onfgneqf, ebg13 vf tbbq rabhtu sbe nalbar." | caesar
Shpx those bastards, rot13 is good enough for anyone.

Re:OKay

[jonadab]

> rot13 is good enough for anyone.

I always do rot13 first, then xor it twice with my secret password, then a final pass of rot13 for good measure, just because, you know, you can't be too careful.

Wait, what?

[JSBiff]

". . .discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux."

"The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH"

So which is it, is it an implementation specific bug, which is specific to OpenSSH on Linux specifically, OpenSSH on all O/Ses, or is it a flaw in the RFC, which should make it exploitable on *all* implementations of SSH, shouldn't it? How can a flaw in the standard only be exploitable in one version of one implementation of the standard on one specific target OS?

Re:Wait, what?

". . .discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux."

"The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH"

So which is it, is it an implementation specific bug, which is specific to OpenSSH on Linux specifically, OpenSSH on all O/Ses, or is it a flaw in the RFC, which should make it exploitable on *all* implementations of SSH, shouldn't it? How can a flaw in the standard only be exploitable in one version of one implementation of the standard on one specific target OS?

How can a flaw in the standard only be exploitable in one version of one implementation of the standard on one specific target OS?

Easy. Flawed standards only affect developers that follow standards. Maybe everyone else is doing something wrong.

Re:Wait, what?

[dave562]

Take a look at all of the uproar over Microsoft's interpretation of the ODF standard and it's pretty easy to see how different developers can take something that is "the same" and make it "different".

Re:Wait, what?

[Lord+Ender]

Standards don't necessarily define all behavior an application. Therefore, some versions will dance to the hackers tune when fed bad data, while others may not.

Re:Wait, what?

[Jonner]

This is not in the least insightful. If you read TFA, you'll see that since the flaw is in the standard specification, it does affect all implementations. The article doesn't say the flaw is only on Debian; it says that's where the flaw was found.

Re:Wait, what?

[JSBiff]

I agree with you there - but you generally wouldn't say that an undefined behavior which doesn't contradict the standard, but also isn't specified by the standard, is a problem with the standard itself. Since the security researcher said it was a problem with the standard itself, seems like that would mean that any *conforming* implementation of that standard would be affected by such a problem.

Re:Wait, what?

[JSBiff]

I *did* read the TFA, and it really wasn't clear in the article at all. Why even bother mentioning Debian and Linux, if the problem was an SSH problem, and not at all specific to Debian or Linux? Seems like it was just a somewhat poorly written article, adding confusion where there didn't have to be. People will take away from this that this is a Linux problem, and might not consider the possibility that, e.g. Mac OS X (which I believe includes some version of OpenSSH) may *possibly* be shipping an affected version of the software (I'm not saying it is, I'm just saying that the article author wrote the article in such a way that it appears the problem is strongly linked to Linux, when it sounds, upon further examination, like it isn't).

It's really not definitive from the article whether or not other implementations are or might be affected, despite your assertion.

Re:Wait, what?

[lgw]

All those hippie OSs look the same. Take a bath, cut your hair, and use a secure OS like WIndows.

Re:Wait, what?

[mzs]

They mention Debian and 4.7p1 since that is what the researchers targeted. It was not fixed until 5.2. For various reasons Debian will not go past 4.7 for a while yet.

The flaw is in the RFC since 4251 says that the server has to communicate the fact that there was an error. OpenSSH would communicate that as soon as it noticed. By the attacker replaying data slowly it could figure-out out bits in the plaintext. Now OpenSSH waits until it gets a lot of data before it responds. See not every implementation needs to be vulnerable by following the RFC, but they are if they follow it in the naive way.

In fact it could have been much worse. Measures could have been taken to reestablish the connection after the error. In the OpenSSH implementation the connection is dropped on the first such error. But there were (as yet undisclosed) implementation details in OpenSSH that improved the odds of success from the theoretical 2^-18 to 2^-14.

Re:Wait, what?

[RazzleDazzle]

How can a flaw in the standard only be exploitable in one version of one implementation of the standard on one specific target OS?

OpenSSH is the Highlander. There can be only one. Debian is now decapitated.

Re:Wait, what?

This is not in the least insightful. If you read TFA, you'll see that since the flaw is in the standard specification, it does affect all implementations.

Not MY implementations! Like Microsoft, I embrace & extend. By defining my OWN standard I avoid all these problems...

Re:Wait, what?

[dondelelcaro]

For various reasons Debian will not go past 4.7 for a while yet.

Debian isn't even distributing 4.7p1 anywhere, anymore (Packages of 5.1 were released on the 25th of July, 2008). 5.1p1-5 is in all of stable, testing and unstable, and etch (oldstable) is running 4.3p2-9etch3.

That said, these are presumably all vulnerable, and patches which change the prefered cypher to non-vulnerable ones, and apply countermeasures by continuing to read until the maximum packet length is reached as detailed in the 5.2 release notes. There currently isn't a bug filed about it, but presumably someone will do so soon.

Re:Wait, what?

[mzs]

Oops, I did screw-up on that sorry.

Re:Wait, what?

I did the first two, but after the third I'm just covered with blood and cuts and broken glass.

Re:Wait, what?

[admdrew]

my windows 3 box is ridiculously secure; no one's been able to turn it on for years :(

Re:Wait, what?

[Jonner]

The article mentions Debian because that's where the vulnerability was discovered and it doesn't say that the vulnerability only exists in Debian. Though TFA wasn't written as clearly as possible, you still fail at reading comprehension:

The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Patterson.

"They've fixed [OpenSSH]; they've put countermeasures in place to stop our attack," said Patterson. "But the standard has not changed."

Patterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days. In addition, proprietary SSH vendors had been informed of the issue in advance, and had put countermeasures in their code.

Patterson did confuse the issue a bit by saying "This is a design flaw in OpenSSH."

How vulnerable?

According to TFA, "OpenSSH version 5.2 contain[s] countermeasures". For Ubuntu users, note that Ubuntu 8.04 LTS (Hardy) is using the vulnerable version 4.7. Versions 8.10 (Intrepid) and above appear to use version 5.1.

Does anyone know whether 5.1 contains the flaw and/or the "countermeasures"?

Also, can any security gurus comment on the danger level here? It sounds like there is a low-probability to access a small amount of information... but the very existence of this vulnerability makes me uncomfortable. Also, why does it mention Debian specifically? Don't most distros use an OpenSSH package based on the exact same design? Shouldn't they all be vulnerable?

Re:How vulnerable?

[vadim_t]

That's the wrong way to check it.

Debian and Ubuntu are not going to upgrade to 5.2. They will take the security fix, backport it to 4.7, and release that as an update. If you check the version you'll get 4.7, even with the fix applied.

Re:How vulnerable?

[Lord+Ender]

And security scanners are going to misreport the systems with backported patches as being vulnerable :-/

Re:How vulnerable?

[VGPowerlord]

Debian and Ubuntu are not going to upgrade to 5.2. They will take the security fix, backport it to 4.7, and release that as an update. If you check the version you'll get 4.7, even with the fix applied.

I can understand why Ubuntu would do that since it's an LTS, but Debian stable (which is what Ubuntu would call an LTS) is already on 5.1p1.

Re:How vulnerable?

[mzs]

Basically only CBC is vulnerable, so they prefer others. Also they now read the maximum size before returning an error. There still is a very slight information leak from timing analysis but it would make the chances much much smaller, to the point that it is now an infeasible attack:

http://www.openssh.com/txt/release-5.2

Security:

  * This release changes the default cipher order to prefer the AES CTR
      modes and the revised "arcfour256" mode to CBC mode ciphers that are
      susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".

  * This release also adds countermeasures to mitigate CPNI-957037-style
      attacks against the SSH protocol's use of CBC-mode ciphers. Upon
      detection of an invalid packet length or Message Authentication
      Code, ssh/sshd will continue reading up to the maximum supported
      packet length rather than immediately terminating the connection.
      This eliminates most of the known differences in behaviour that
      leaked information about the plaintext of injected data which formed
      the basis of this attack. We believe that these attacks are rendered
      infeasible by these changes.

Re:How vulnerable?

[vadim_t]

Debian stable is stable. Once it gets released it doesn't upgrade software to new versions or get new features. It gets bug fixes and security updates and that's it.

If you want a newer version of anything on Debian stable, you have to switch to testing, use a mixed stable/testing system, wait for the next stable release, build it yourself, or use somebody else's packages.

There are distributions like Gentoo which don't follow this model and continously release new versions.

Re:How vulnerable?

[chrysalis]

If your security scanner reports a vulnerability based on banners instead of testing the real flaw, they are flawed.
Such security scanners feed the myth that changing/removing banners magically makes your network secure.

Re:How vulnerable?

[Lord+Ender]

Are you kidding? Security scanners can't go around overflowing buffers as part of a routine test. This could take down your entire network! Honestly...

Original advisory

[againjj]

http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt

Wait...

[FunPika]

Its in Debian? But a quick look at their repositories shows that oldstable has 4.3 and stable 5.1. Unless of course they compiled

Which is it?

[glwtta]

So is it a flaw in the design of SSH or in the Debian patched OpenSSH implementation? If it's the former (as the quote seems to imply), why does it matter what SSH implementation, OS they found it on? Shouldn't it affect everyone?

Some Additional Perspective FTA

[Fantom42]

FTA, this vulnerability is addressed in newer versions of OpenSSH, not by fixing the specification, but by employing some kind of workaround to make it impractical. I didn't know that from the summary, since I don't really keep current on where OpenSSH is with their releases.

It seems like this attack has an awfully small chance of success. I am wondering if there is that small chance of success to decode a message after many days, or if because of the small chance of success, it would take multiple days before you had anything.

If this is really something that has almost no chance of working at all--period, I'm not too worried. If it is something that makes the encryption breakable in a few days, that's a pretty big deal and am surprised that it didn't get outed sooner as a flaw.

Can/should the RFC be revised to close this hole? Are there other (perhaps more obvious) examples of weakness in the RFC that have implementation-specific fixes applied?

Why so much press on this?

[spinkham]

This flaw was published in Nov 2008 with simple configuration fix, and OpenSSH released a default fixed version in March 2009.
Also, this attack gives only 4 bytes of unencrypted output after crashing your session many thousands of times, which is sure to be noticed. If you were repeating the exact same network traffic in millions of SSH sessions, an attacker might get something interesting after weeks of crashing your sessions. It's just one of the lamest exploits I've seen, worth mitigating eventually, but not worth all the press it's getting, especially 6 months after release...
The fix is simple, just use CTR mode encryption instead of CBC, or upgrade to OpenSSH 5.2 or later.
For more details go to the OpenSSH security page.

Re:Why so much press on this?

[mr_mischief]

Noticed? A good firewall that is updated regularly by a traffic analyzer should have a rule set to drop or deny the retransmissions after the first few. I guess we could have a philosophical debate about whether running code "notices" something when it matches a pattern and crosses a threshold to trigger a rule. "Notice" to me usually connotes sentience, or at least animal consciousness.

To those wondering why they mention Debian

[cptnapalm]

It is because that happened to be the system that they found the vulnerability on.

Nothing more than that, really.

Re:To those wondering why they mention Debian

Still, it is another clear indication that Linux security is not all it is made out to be. For example OS X has a better security track record than any other operating system in the world, particularly Linux.

Re:To those wondering why they mention Debian

[Pretzalzz]

All current versions of Debian have 5.1p1-5 as the version of openssh[testing/unstable differences are just dependency rebuilds].

The changelog for this version includes:

* Backport from upstream CVS (Markus Friedl):

- packet_disconnect() on padding error, too. Should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18.

This implies that older versions are more vulnerable. Not sure if this is what people are referring to as 5.2's countermeasures.

Re:To those wondering why they mention Debian

Except for that whole "takes months to patch security vulnerabilities, even after they're discovered in the wild" bit. At least microsoft pushes out a patch as soon as possible, instead of rolling it up with every other patch they feel like putting out.

Time to break out the port knocking!

See, us weirdos who wrapped ssh inside an additional protection layer weren't being overly paranoid after all!

Re:Time to break out the port knocking!

How would port knocking help you if your are being MITM'd?

Re:I'd just like to interject for a moment.

[jgtg32a]

This is a technicality that no one cares about anymore I think even Stallman gave up on it.

Hmm.... four bytes...

[tliston]

Just enough to tell 'em what you think...

Re:Hmm.... four bytes...

FU!\0

Re:I'd just like to interject for a moment.

[woodchip]

Everybody knows this. Nobody cares, except for Richard Stallman.

Not specific to Debian !

[.tom.]

Obviously the flaw itself is (a) old, and (b) not specific to Debian.
The only point of (little) interest of the article is that it highlights that the SSH specifications - the RFC - has not been updated yet.

All versions from 4.7 to 5.2 are affected

[keeegan]

ftfa:
"The flaw, which lies in version 4.7 of OpenSSH on Debian/GNU Linux"
"Patterson said his group had worked with OpenSSH developers to mitigate the flaw, and that OpenSSH version 5.2 contained countermeasures."

They are unclear on whether or not it's only debian's repos that are affected, so I'd suggest upgrading to 5.2 or later.

Re:I'd just like to interject for a moment.

I prefer to call it Linux/X/Mozilla/Alsa/KDE/QT/BSD. Fuck GNU.

Re:I'd just like to interject for a moment.

Go back to /g/.

Re:I'd just like to interject for a moment.

Give it up, Stallman. Nobody cares.

Re:I'd just like to interject for a moment.

[TheSunborn]

Gnu/Linux is not an operating system either.

"Fedora core 11" is an operation system.

Re:I'd just like to interject for a moment.

It's a troll post from 4chan (page no longer exists -> google search link).

How to check SSH version

[kevink83]

Command to determine openSSH version: ssh -V Output: OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007 I assume if you get the same results as I did you are not affected because you are running version 5.1.

Re:How to check SSH version

[DeathCarrot]

FYI, 5.1 is affected. The countermeasure is in 5.2.

Gentoo seems to be up to date, both for arch and ~arch.

Re:How to check SSH version

[cdombroski]

Actually that version has the countermeasures too it appears: http://changelogs.ubuntu.com/changelogs/pool/main/o/openssh/openssh_5.1p1-5ubuntu1/changelog

Re:How to check SSH version

[supernova_hq]

Good lord, I'm actually canceling about 10 mod points to post this... "ssh -V" will give you the version of your CLIENT, not the server.

Re:How to check SSH version

[mzs]

Note though that that's only ubuntu that backported that into 5.1p1 not OpenSSH itself. Also it only implements one of the countermeasures. 5.2 also has the server prefer AES counter (instead of cbc) and arcfour256 before any CBC mode.

Re:How to check SSH version

Iassume Slashdot readers know how to check the ssh version. This ain't digg after all :)

Re:How to check SSH version

[laederkeps]

Two additions to this:
# sshd -V
will tell you the version of your server (which may or may not be the same as your client version, depending on the packaging habits of your distro maintainers etc.)

Furthermore, the fix for this vulnerability was included in Version 5.2 of OpenSSH, so the grandparent poster could still be vulnerable. The article's mention of version 4.7 is somewhat misleading in this respect.

Need to be worried?

[gmuslera]

Implies man-in-the-middle already, and the odds of figuring 32 bits of a particular packet are somewhat low. The worst case i could think about is when i pass my password or a very specific short data (cc number?). That particular data must be the decripted one, and in the 1/256k odds of happening, IF i have someone in the middle actively trying to get it. With that chances, the attacker well could expend his time playing lotto that have more chances to win.

Of course, those numbers are regarding a specific distribution/ssh version, could be different for other versions, but still, looks somewhat hard to happen ever.

Appreciable length?

[Chysn]

> Patterson said that he did not believe this flaw
> had been exploited in the wild, and that to
> deduce a message of appreciable length could take
> days.

Is my social security number a "message of appreciable length?"

Re:Appreciable length?

[profplump]

Is your social security number a secret?

I understand you don't want to have it flying around, because some people use it as a secret. But it's not a secret in the first place, and there are many more likely attack vectors for your SSN than hijacking an SSH session.

Re:Appreciable length?

[asdf7890]

> Patterson said that he did not believe this flaw > had been exploited in the wild, and that to > deduce a message of appreciable length could take > days.

Is my social security number a "message of appreciable length?"

Probably not on its own. Full packed it would take 33 bits, 11 bytes (88 bits, though if the attacker knew for sure that an SSN was being sent in those bytes the search space would not significantly greater than the 33 bits) if represented in pure ASCII text with separators.

As each attempt to read each 32 bits has a 11/2^18 chance of success, and assuming failure of one attempt does no extra clue as to which other patterns to try next, each 4 byte block is going to take on average 131,072 connections to infer from the server response so for the 11 byte ASCII string that is an average attack length of 393,216 connections.

While that isn't going to take long (at 4.5 connections per second you are looking at a day), any message being sent containing your SSN is going to be significatly longer than the SSN on its own so I wouldn't worry just yet.

We are still in "it would be a lot easier for the attacker to raid your bins, burgle your house, or steal records from your bank" territory here. Though there is the chance that someone improve the attack (or already has) so be vigilant and apply updated SSH packages as soon as practical once your distribution offers them.

Re:Appreciable length?

[crazybilly]

mod parent up.

The question for those of us unfamiliar w/ hacking in this story is what 'appreciable length' is. Thanks for giving some insight into it.

Re:Appreciable length?

[asdf7890]

Thanks for giving some insight into it.

No worries.

I'm hardly an expert (more a "knowledgeable amateur"), so don't take anything I say as 100% correct without getting some verification first!

Of the many typos in my previous message, the important one is "11/2^18", which should have been "1/2^18".

Another mitigating factor for this attack and others like it is that the attacker needs to have infiltrated a machine somewhere on the route between you and the server, or some other "nearby" machine if they can poison routing tables to draw your communication into a detour. It is not an attack that can be attempted directly from any connected PC. Again this (infiltrating a machine somewhere on the route) is far from impossible but, along with the likely time complexity of the attack itself, probably impractical in terms of the amount of effort required compared to the likelihood of useful gain in return for their time/hassle.

Ubuntu LTS?

Which version is "1:4.7p1-8ubuntu1.2" in Ubuntu's nomenclature?

Launchpad page says "Published on 2008-05-14" which doesn't give me warm fuzzies.
https://launchpad.net/ubuntu/hardy/+source/openssh/1:4.7p1-8ubuntu1.2

-1 WRONG

[SanityInAnarchy]

You've got to be fucking kidding me.

From the summary:

Researchers at the Royal Holloway, University of London have discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux.

I think that's an adequate description. It is the combination of Debian, and GNU, an Linux, and many other things. Try copy/paste trolling something relevant.

And of course, calling it a GNU system is unbelievably arrogant. Why should it be called GNU/Linux, and not Debian/GNU/X.org/Apache/BSD/Linux? Recall that the software in question is OpenSSH, a project from the BSD world, and most definitely not a GNU project.

Oh, by the way, the GNU system is useless without a kernel. However, a kernel can actually be useful without running any userspace software at all -- for instance, take Coreboot, formerly LinuxBIOS, which if I recall, ran entirely in kernel-space. It's also possible to make a Linux distribution that does not include GNU -- for instance, use a non-GNU libc, and Busybox, and you have a useful (if minimal) Linux operating system without GNU.

Here's a suggestion: Drop this pointless, semantic bickering, and talk about something that matters, that actually has an impact on the realities and future of Free Software. Something like DRM, or Verified Voting, or open document standards, or Web standards, or better technology -- why are people still writing so much stuff (unnecessarily) in C? -- or free software in government, or network neutrality, or the need for marketing and business people in free software.

Because right now, it just looks embarrassing. Look at the Ubuntu homepage -- it doesn't even describe itself as Ubuntu Linux. It's just Ubuntu, and if you look at the details, you may find that it's a "Linux-based operating system". And notice the complete lack of complaints from anyone in the "Linux" community? It's only a few GNU people like you who are still bitter about the fact that Linus did in a few months what GNU took years to not do -- build a working kernel.

Re:-1 WRONG

[haroldpatterson]

It's only a few GNU people like you who are still bitter about the fact that Linus did in a few months what GNU took years to not do -- build a working kernel.

Hey that's not fair. They will have an alpha version of Hurd ready before 2012 and the world ends. They swear this time!

Re:-1 WRONG

[Jonner]

While I agree that using "GNU/Linux" instead of "Linux" is not of utmost importance, GNU is more important to modern Free operating systems than most other components, so "GNU/Linux" makes more sense than "GNU/X.org/Apache/BSD/Linux".

While some very small Linux-based systems use C libraries other than Glibc, can you name one that doesn't depend on GNU development tools? In fact, it's hard to find a non-Microsoft operating system in common use (Free or non-Free) that doesn't depend on GNU development tools.

Coreboot is irrelevant, as it's neither an operating system nor an operating system kernel. Coreboot initializes hardware, then loads a target. Originally, the target was always a Linux image, but now it can be a number of other things. Linux by itself can't do much useful. The only thing I can think of is routing, but that must be set up by userspace programs.

Clearly, Linux has been far more successful than the GNU kernel project. The GNU people are very happy for the success of Linux. However, Linux could not have become as successful as it is without the groundwork laid by the GNU project. So, while I don't think it's necessary to always mention GNU with Linux, I try to do so because it seems that GNU often isn't given enough credit.

Re:-1 WRONG

It's only a few GNU people like you who are still bitter about the fact that Linus did in a few months what GNU took years to not do -- build a working kernel

But... but... Project Hurd just needs a bit more polishing and it will be ready for the desktop...

Re:-1 WRONG

[david_thornley]

Don't complain about Debian GNU/Linux to us, complain to the Debian people. That's what they call their distro. Based on their web page, it would be equally correct to call it Debian, but the longer name gives more context for people who don't recognize several distro names on sight.

"Debian GNU/Linux" is a name. You can use it without arguing about the words and their implications, just like you can use the name "Microsoft Works".

Re:-1 WRONG

[dondelelcaro]

And of course, calling it a GNU system is unbelievably arrogant. Why should it be called GNU/Linux, and not Debian/GNU/X.org/Apache/BSD/Linux?

Because it describes a particular flavor of Debian; we use GNU libc+userland (well, now embedded GNU libc) and the Linux kernel. We also distribute GNU/kFreeBSD and GNU/Hurd variants as well. If someone actually wanted to, ports using a different libc and userland could also be made, and would have a different nomenclature.

In the end though, it is what the Debian project has decided to call its particular port, so if you want to reduce ambiguity, that's what you should call it to.

Re:-1 WRONG

[SanityInAnarchy]

GNU is more important to modern Free operating systems than most other components

I disagree.

I believe it's possible to deploy X.org without GCC. It is not, however, possible to create a reasonable desktop operating system without a GUI of some sort.

Linux could not have become as successful as it is without the groundwork laid by the GNU project.

Nor could the GNU project become as successful as it is without the groundwork laid by Unix. Nor could Linux have become as successful as it is without Apache.

Re:-1 WRONG

[SanityInAnarchy]

I'm not complaining about Debian GNU/Linux.

I'm complaining about someone bringing up the whole "It's not Linux, it's GNU/Linux" argument in a context where no one got it "wrong" anyway -- Debian already calls it GNU/Linux.

It's kind of like someone saying "Linux is a great OS", and someone responding, "OMG, you're so wrong, Linux is a great OS!" And then ranting for pages about why it's a great OS.

Re:-1 WRONG

[Jonner]

You can disagree all you want, but can you back up your opinion with any facts? Can you, for example, give an example of an operating system that uses Linux and Xorg, but not any GNU tools? While GNU was inspired by Unix, it contains no Unix code at all. Neither does Linux contain any Apache code. I'm not talking about simply being successful, but about one project depending on the other. I challenge you to give an example of a single operating system that uses Linux, but doesn't depend on GNU in any way.

For all operating systems that do depend on both Linux and GNU, I think it makes sense to call them GNU/Linux, though that's certainly not the only correct description. I use "Ubuntu." That one word is short and descriptive enough most of the time. Ubuntu is based on GNU/Linux, but it's necessary to beat people over the head with it.

Re:-1 WRONG

[SanityInAnarchy]

Can you, for example, give an example of an operating system that uses Linux and Xorg, but not any GNU tools?

Linux without GNU tools -- how about busybox + uclibc? Done and done.

Xorg without GNU tools -- I was making an assumption based on some very vague mentions in the documentation. The closest I can find are completely alternate X implementations -- at least one of which is proprietary, and runs natively under Windows, therefore I assume it uses no GNU.

Even in this case, it could be called X11/Linux, rather than Xorg/Linux.

I'm not talking about simply being successful, but about one project depending on the other.

Success is a dependency. Otherwise, development dies.

For all operating systems that do depend on both Linux and GNU, I think it makes sense to call them GNU/Linux, though that's certainly not the only correct description. I use "Ubuntu."

I'll agree with you there.

The main difference is, I have no problem shortening to "Linux" either. A kernel is still significant in which software is likely to work -- for instance, any given statically compiled program, GNU or not, could only have the kernel as an external dependency. Even if I'm ultimately using it to refer to a typical collection of GNU, Linux, and other software as a distribution -- for instance, talking about "Linux distributions" -- it's just cumbersome to say "GNU/Linux distributions" instead.

Anyway, I'll stop now. I don't really want to have this argument again. My main point (originally) was that someone posted this "It's GNU/Linux, not Linux" rant, in a context where the term "GNU/Linux" had been used "correctly" anyway.

Re:-1 WRONG

[Jonner]

You still haven't named an operating system that is based on Linux, but nothing from GNU. I'm very curious if such a beast exists. I think it makes a lot of sense to call an operating system based on Linux and GNU "GNU/Linux" and AFAIK, that includes all operating systems based on Linux. If you think it's possible to build a system on Linux, but not GNU, please give an example.

Re:-1 WRONG

[SanityInAnarchy]

You still haven't named an operating system that is based on Linux, but nothing from GNU. I'm very curious if such a beast exists.

Actually, I did:

Linux kernel + busybox + uclibc.

Maybe you don't have modutils. Fine, build a monolithic kernel, with everything compiled in.

Granted, it's possible this hasn't been put together. It's also possible this wouldn't make a very good operating system, but it would be an operating system.

I think it makes a lot of sense to call an operating system based on Linux and GNU "GNU/Linux"

The problem is, I see no reason GNU should get special status there. You could build a desktop OS based on GNU, Linux, but without X.org, and it would suck. Just like I can build a desktop OS based on Linux, but without GNU, and it sucks. Put them all together, why should it be called GNU/Linux, and not Xorg/GNU/Linux?

If it's a question of dependencies, GNU is as dependent on a kernel as a kernel is dependent on a userspace C library.

Re:I'd just like to interject for a moment.

No. They stopped calling it "Fedora Core" ages ago. "Fedora 11" is an operating system.

Chick

looks like ssh has a chink in its armor

Re:Chick

Oh and he probably knows Karate Fu.

Karate Fu + Armor = Owned

Observations by a Windows user

The replies are all dripping with attitude and arrogance. The most arrogant replies are centered in the first person point of view response. As a community, a more appropriate response would be how can we push out this information to the larger Linux business community, who does not spend their idle time on /., to get the patch rolling.

I don't even use Linux, however I will wager that had this been Windows and I replied, "meh, I'm patched, next", that I would be flamed up and down worse than Eric Estrada in Tora, Tora, Tora.

I wish people would try to understand CRYPTO hacks

[omb]

This was never a real threat, just another piece of Academic FUD. To be vulnerable as an interactive ssh user you would have to ignore 100,000 aborted sessions to expose 14 bits of plaintext, I think I would notice, and block the attacker.

There are a whole suite of cyphers, including AES aka Rijhndael are configurable, have you done yours?, and not vulnerable.

Finally the protocol is trivially fixed.

Now I for one, whilst I have the highest respect for the work done by people like Ross Anderson and Schnieer am fed up to the back teeth with alarmism from governments, NGOs and academics -- all of which add up to give us more money.

If you dont know these researchers were working for the UK equivalent of Homeland Security and failed to inform SSH of the details of the attack, doubtless quoting National Security.

These people who parade nonsense should be tarred an feathered and sent on the next rail.

Re:I'd just like to interject for a moment.

Fedora 11 is the distro and NOT the operating system! Fedora 11 includes an operating system that is based on the Linux kernel and includes GNU utilities. Fedora includes a great deal more then the OS

What's the bug number debian bug tracker?

[sakti]

I can't find a reference to it. Certainly they submitted a bug report. They mention they found it on debian, so it seems like they would have file one.

Re:What's the bug number debian bug tracker?

[FunPika]

I can't find a reference to it. Certainly they submitted a bug report. They mention they found it on debian, so it seems like they would have file one.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506115 is what you're looking for I believe.

Re:What's the bug number debian bug tracker?

I can't find a reference to it. Certainly they submitted a bug report. They mention they found it on debian, so it seems like they would have file one.

there is no such "Debian bug"
see above comment
28050293

Mod parent funny/underrated

This isn't a troll; the parent is clearly being humorous.

(PS don't actually do this)

Re:Mod parent funny/underrated

This isn't a troll; the parent is clearly being humorous.

Many /.-ers are retarded Windows retards. :(

Didn't packet_disconnect leak plaintext anyway?

[DamnStupidElf]

It passed the decrypted packet_length value back to the other end in an error message, according to the article. Shouldn't that have allowed arbitrary recovery of plaintext by just xoring the returned packet length with the previous ciphertext block used as the IV?

Telnet is great

[einhverfr]

Particularly when using Krb5 for session encryption ;-) Of course how many slashdotters know that you can use telnet with session encryption on an intranet? Slim to none?

Re:Telnet is great

[drinkypoo]

Any of them that have successfully set up IPSEC? I've used it to secure an application which screen-scrapes a telnet session and uses ftp to transfer files.

Re:Telnet is great

[einhverfr]

Well, the optimal way would be setting up with ipsec (shouldn;t be hard to do) and krb5 (harder, but doable). krb5 then allows you to do passwordless authentication and session encryption and you could use ipsec to provide an additional layer of (probably stronger) encrpytion the ip payload level.

Re:I wish people would try to understand CRYPTO ha

[Architect_sasyr]

you would have to ignore 100,000 aborted sessions

So DoS attacks are no longer real threats? I hate an alarmist as much as the next over worked admin, but I'd rather a penetration than a DoS. Users don't need to know when we get "hacked", they tend to notice DoS attacks.

countermeasures

The countermeasures aren't that complicated. Edit your sshd_config file to have the following line and do a reload/HUP:

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

By default the CBC modes are first, and this makes CTR (and RC4) the preferred cipher. This mitigates the attack as most recent clients support CTR so it will be chosen.

Really old clients may fall back to CBC mode and still be vulnerable. This is described in OpenSSH's original response the the report:

http://www.openssh.com/txt/cbc.adv

It's not that big of a deal.

I wish people would take CRYPTO flaws seriously

[KWTm]

To be vulnerable as an interactive ssh user you would have to ignore 100,000 aborted sessions to expose 14 bits of plaintext, I think I would notice, and block the attacker.

What you say is true.

However, who says SSH has to be interactive? What about rsync backups over SSH? Automated connections that use SSH? Basically, anything and everything is tunnelled through SSH, so this is huge. If the attacker has time and you have a network of, say, 100 machines that initiate 1000 SSH sessions a day, you could have a breach in a day. If the attacker has a few weeks to work undetected, you could have a huge breach and have no idea because you're basking in the false security of working in SSH. Think you'd notice that?

Re:I wish people would take CRYPTO flaws seriously

[Foodie]

Yep, and then expose 14 bits of information... and for rsync backups, I suppose they are already tar.gz, and if you're just getting 14 bits of a .gz file, good luck in trying to piece together that that is.

Re:I wish people would try to understand CRYPTO ha

Oh dear god.
Please tell me who your users are so I can avoid being one in the future.

I wish people would take Mathematics seriously

[omb]

I assume the parent failed every numerate course he ever took, and never took any kind of statistics for idiots course, and has not bothered to read and understand the attack.

An continues to spread FUD.

The attack requires a Man in the Middle scenario, if I ssh into a random machine the MiM is __VERY__ unlikely to work unless the NSA and my ISP are in cahoots and I dont notice that connection takes a nonsensically longer time (15min v 3s), ... then I have to tolerate 100000 failures/connection.

Now comes the idiot who talks about rsync, and scripted connections, which, for brevity I did not address and tries to use multipicative probability leveling to try to convince us we have a problem; sorry now you need 1000+ MiM attacks, and fail to notice that they are failing, so you also dont notice a net cable kicked out, or a cable cut by a backhoe.

Look guys, get real, if you want to use statistics or probability learn some and understand contingent probability which is essential to risk evaluation.

OpenSSH != Linux

[The+Cisco+Kid]

... Although OpenSSH is usually included along with the Linux kernel in complete distributions of an OS. In fact (calling attention to the 'Open') it was actually developed by the OpenBSD group.

Categorizing this story as 'Linux' is misleading. OpenSSH is used with a variety of platforms, of which Linux is only one.

yay

[toby]

Microsoft completely replaced their consumer OS, moving from the Win95-based platform to the infinitely more secure NT-based platform

Thank goodness. I'd hate to think they were shipping anything insecure to their well deserved 97% of the market...

(And are you including OpenBSD in your "non-Linux UNIXes" list, by any chance?)

Re:yay

[lgw]

Security (in a consumer desktop OS) was simply not a priority when Win95 was designed. It just didn't make sense at the time, and competed directly with what *was* important in Win95: backwards compatibility with 16-bit drivers.

It's strange: in 2003, MS seemed to understand well that security can't be added to an OS after the fact: you're limited to what was designed in. Yet with Vista they tried just that, adding security through a layer instead of starting from scratch. I guess the difference is simply the quality of developers at MS now vs then.

not news, not Debian

this is not "news" at all: Prof. Paterson et al had already announced it in Nov 08, see
http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt

Also, the article title is misleading, the original paper says that they discovered the flaw while working in a Debian GNU/Linux OS, not that the bug is specific to Debian.
Indeed the bug was addressed in upstream code in OpenSSH 5.2 (and Debian/lenny ships 5.1p1 that contains a backported patch).

Can you give any other examples of this?

[wall0159]

My understanding is that one packager screwed up one package (openssl), which (while a _big_ screw-up) would hardly amount to a "history of fucking up packages".
Can you cite any other examples that would indicate such a trend?

the paper is available online

http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf

TL;DR - mitigation here

[Gainax]

To mitigate on clients and servers: in /etc/ssh/sshd_config and /etc/ssh/ssh_config and/or any ssh clients you use, add:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha1
To verify:
ssh -v host
look for the output:
debug1: kex: server->client aes128-ctr hmac-sha1 zlib@openssh.com
debug1: kex: client->server aes128-ctr hmac-sha1 zlib@openssh.com
You are particularly interested in the aesXXX-ctr segment. If that specifies a CBC mode, then you probably need to change that server's config. For the blowfish-using type, I'm uncertain of the attack's applicability to blowfish-cbc. YMMV. For server testing, you probably want to make sure your ssh client isn't forcing the CTR mode. To test that, do
ssh -v -o Ciphers=aes256-cbc,aes192-cbc,aes128-cbc,aes256-ctr,aes192-ctr,aes128-ctr
and look for similar debugging output as above.

Thank you

[JSBiff]

That now makes more sense. Thank you for the more detailed explanation which actually makes some kind of sense. So, in a way, this isn't *exactly* a flaw in the standard, but how the OpenSSH team decided to implement that particular clause of the standard (that is, how they interpreted the standard).

Re:I'd just like to interject for a moment.

It's not "Fedora Core" anymore. Just Fedora.

SSH technical paper online

The technical paper describing this attack is available here:

http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf

It answers a lot of the questions being posed on this thread.