[Security Announce] MDKSA-2002:040 - openssh update (fwd)

ME dugan at passwall.com
Mon Jun 24 22:28:01 PDT 2002


You should perform your sshd upgrade and config modification listed below
while you are physically at the box or else you risk not being able to
manually restart the sshd service.

Of course, after adding that line to your sshd_config for your copy of
openssh, you should stop and restart your sshd service.

THEN try to connect to your local machine with ssh. If you get errors like
I did on one box ("pipe" "socket" "no service" "disconnected"), make sure
you add yet another line to your sshd_config:

Compression no

Then restart your sshd service again to see if you can connect to it.

If you can, then you are all set. If you can't, perhaps your version of
openssh is not new enough. Try grabbing the latest from openssh.org or
from your vendor.

-ME

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ 
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ !PGP
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html

On Mon, 24 Jun 2002, Dustin Mollo wrote:
> On Mon, Jun 24, 2002 at 08:10:44PM -0700, augie wrote:
> > below is a good description, and temporary fix for the new sshd exploit. i
> > am surprised there hasn't been anything on bugtraq yet.
> 
> Ask, and you shall receive.  For those that aren't on the OpenSSH announce
> list, or a number of other OpenBSD lists etc, here's the official
> pre-announcement.  FYI - it'll be announced to BugTraq next week.
> 
> -Dustin
> 
> -------- Original Message --------
> Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
> From: Markus Friedl <markus at openbsd.org>
> To: openssh-unix-announce at mindrot.org, openssh-unix-dev at mindrot.org
> 
> On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
> > Date: Mon, 24 Jun 2002 15:00:10 -0600
> > From: Theo de Raadt <deraadt at cvs.openbsd.org>
> > Subject: Upcoming OpenSSH vulnerability
> > To: bugtraq at securityfocus.com
> > Cc: announce at openbsd.org
> > Cc: dsi at iss.net
> > Cc: misc at openbsd.org
> >
> > There is an upcoming OpenSSH vulnerability that we're working on with
> > ISS.  Details will be published early next week.
> >
> > However, I can say that when OpenSSH's sshd(8) is running with priv
> > separation, the bug cannot be exploited.
> >
> > OpenSSH 3.3p was released a few days ago, with various improvements but
> > in particular, it significantly improves the Linux and Solaris support
> > for priv sep.  However, it is not yet perfect.  Compression is disabled
> > on some systems, and the many varieties of PAM are causing major
> > headaches.
> >
> > However, everyone should update to OpenSSH 3.3 immediately, and enable
> > priv separation in their ssh daemons, by setting this in your
> > /etc/ssh/sshd_config file:
> >
> > 	UsePrivilegeSeparation yes
> >
> > Depending on what your system is, privsep may break some ssh
> > functionality.  However, with privsep turned on, you are immune from at
> > least one remote hole.  Understand?
> >
> > 3.3 does not contain a fix for this upcoming bug.
> >
> > If priv separation does not work on your operating system, you need to
> > work with your vendor so that we get patches to make it work on your
> > system.  Our developers are swamped enough without trying to support
> > the myriad of PAM and other issues which exist in various systems. You
> > must call on your vendors to help us.
> >
> > Basically, OpenSSH sshd(8) is something like 27000 lines of code.  A
> > lot of that runs as root.  But when UsePrivilegeSeparation is enabled,
> > the daemon splits into two parts.  A part containing about 2500 lines
> > of code remains as root, and the rest of the code is shoved into a
> > chroot-jail without any privs.  This makes the daemon less vulnerable
> > to attack.
> >
> > We've been trying to warn vendors about 3.3 and the need for privsep,
> > but they really have not heeded our call for assistance.  They have
> > basically ignored us.  Some, like Alan Cox, even went further stating
> > that privsep was not being worked on because "Nobody provided any info
> > which proves the problem, and many people dont trust you theo" and
> > suggested I "might be feeding everyone a trojan" (I think I'll publish
> > that letter -- it is just so funny).  HP's representative was
> > downright rude, but that is OK because Compaq is retiring him.  Except
> > for Solar Designer, I think none of them has helped the OpenSSH
> > portable developers make privsep work better on their systems.
> > Apparently Solar Designer is the only person who understands the need
> > for this stuff.
> >
> > So, if vendors would JUMP and get it working better, and send us
> > patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
> > which supports these systems better.  So send patches by Thursday night
> > please.  Then on Tuesday or Wednesday the complete bug report with
> > patches (and exploits soon after I am sure) will hit BUGTRAQ.
> >
> > Let me repeat: even if the bug exists in a privsep'd sshd, it is not
> > exploitable.  Clearly we cannot yet publish what the bug is, or
> > provide anyone with the real patch, but we can try to get maximum
> > deployment of privsep, and therefore make it hurt less when the
> > problem is published.
> >
> > So please push your vendor to get us maximally working privsep patches
> > as soon as possible!
> >
> > We've given most vendors since Friday last week until Thursday to get
> > privsep working well for you so that when the announcement comes out
> > next week their customers are immunized.  That is nearly a full week
> > (but they have already wasted a weekend and a Monday).  Really I think
> > this is the best we can hope to do (this thing will eventually leak, at
> > which point the details will be published).
> >
> > Customers can judge their vendors by how they respond to this issue.
> >
> > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> > On OpenBSD privsep works flawlessly, and I have reports that is also
> > true on NetBSD.  All other systems appear to have minor or major
> > weaknesses when this code is running.
> >
> > (securityfocus postmaster; please post this through immediately, since
> > i have bcc'd over 30 other places..)
> _______________________________________________
> openssh-unix-announce at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-announce
> 
> 
> -- 
> Founder & President Emeritus
> The North Bay Linux Users' Group
> http://www.nblug.org/
> dustin at nblug.org
> 
> 
> 
> 
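An added example, not part of the original messages or of OpenSSH: a pre-restart check that reports which value sshd will actually use for the two settings discussed above. It assumes sshd's parsing rules (keywords are case-insensitive and the first occurrence of a keyword wins), so a stale earlier line can silently override the one you just appended. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sshd_config before restarting sshd.

# effective_value FILE KEYWORD -> prints the first value set for KEYWORD
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)          # keyword ends at whitespace or "="
            if (n == 0) next
            if (tolower(substr(line, 1, n - 1)) != tolower(key)) next
            v = substr(line, n)
            sub(/^[ \t=]+/, "", v)
            sub(/[ \t\r]+$/, "", v)
            print v
            exit                               # first occurrence wins
        }' "$1"
}

# check_privsep FILE -> 0 only if the effective setting is an explicit "yes"
check_privsep() {
    privsep=$(effective_value "$1" UsePrivilegeSeparation)
    comp=$(effective_value "$1" Compression)
    if [ "$privsep" != "yes" ]; then
        echo "FAIL: effective UsePrivilegeSeparation is '${privsep:-unset}'"
        return 1
    fi
    echo "OK: UsePrivilegeSeparation yes (Compression: ${comp:-unset})"
    return 0
}

# Constructed sample: an old "no" sits above the newly appended "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
useprivilegeseparation no
UsePrivilegeSeparation yes
Compression no
EOF
check_privsep "${1:-$sample}"   # pass a real path to audit that file instead
rm -f "$sample"
```

On the constructed sample this reports FAIL, because the earlier `no` shadows the appended `yes`; remove or edit the earlier line, then restart sshd.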