[LON-CAPA-admin] Re: [LON-CAPA-dev] Fwd: [suse-security-announce] OpenSSH Vulnerability
Martin Siegert
siegert at sfu.ca
Tue Jun 25 15:14:30 EDT 2002
Hi,
currently not many details are known about this vulnerability.
No patches are available.
However, the severity is known: remote root exploit.
Also, as mentioned in SuSE's advisory openssh-3.3p1 does not
fix the bug. It just minimizes its effects. I am not sure what that means:
under the new version the "master" sshd daemon spawns a child that runs
under the uid of the user. Does that mean that instead of a remote
root exploit the effect is now a remote exploit with the privileges of
one of the users (not as bad, but still bad enough)?
In any case you must upgrade now to openssh-3.3p1 to avoid the remote
root exploit, and probably a few weeks later again to fix the bug.
The big problem is RedHat 6.2:
openssh-3.3p1 requires openssl-0.9.6 or later. RedHat 6.2 uses
openssl-0.9.5a. The only option I see right now is to upgrade openssl
(e.g., by recompiling a RedHat 7.x src rpm). However, openssl is used
by apache and others. Has anybody tried to run apache under RedHat 6.2
with openssl-0.9.6 or later? Does it break everything? Is there somewhere
a development/test LON-CAPA box running RH6.2 where this could be tested?
Cheers,
Martin
========================================================================
Martin Siegert
Academic Computing Services phone: (604) 291-4691
Simon Fraser University fax: (604) 291-4242
Burnaby, British Columbia email: siegert at sfu.ca
Canada V5A 1S6
========================================================================
On Tue, Jun 25, 2002 at 02:35:50PM -0400, Jan H. Meinke wrote:
> Hi,
>
> I received the message about a new openssh vulnerability this morning.
>
> Jan
>
> ---------- Forwarded Message ----------
>
> Subject: [suse-security-announce] OpenSSH Vulnerability
> Date: Tue, 25 Jun 2002 10:39:34 +0200
> From: Olaf Kirch <okir at suse.de>
> To: suse-security-announce at suse.com
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> There's a new vulnerability in the OpenSSH daemon. The OpenSSH/OpenBSD
> team does not release any details concerning this issue, except:
>
> - This bug still exists in the most recent version, 3.3
>
> - They are asking all users to upgrade to version 3.3 (sic),
> and enable the PrivilegeSeparation option.
>
> Setting PrivilegeSeparation to on causes large portions of the daemon
> to run in a so-called "chroot jail", i.e. in a very restricted environment.
> An attacker breaking this part of the SSH daemon will *not* obtain full
> root privilege (as he would if sshd runs without this option), but
> will find himself in an empty directory, inside a process running as
> a non privileged user (he can still do some harm this way, but it's
> a far cry from full root powers, of course).
>
> In a posting to bugtraq, Theo de Raadt says that using privilege
> separation, this new vulnerability cannot be exploited.
>
> The SuSE security team is working on creating OpenSSH updates with
> privilege separation enabled, and testing this functionality. We
> will release updated RPMs on FTP as they become available.
>
> In the meanwhile, we suggest that
>
> - if you do not need external access to your SSH daemons,
> turn off the SSH service on these machines completely,
> or block external access at the firewall.
>
> - if you do need external access to your SSH daemons,
> make sure you restrict the hosts that it will talk to
> by setting appropriate firewall rules.
>
> If, for some reason, you cannot configure your firewall to
> block external SSH access, you can also restrict access through
> /etc/hosts.allow; the following will allow connections from
> hosts with IP addresses 1.2.3.4 and 5.6.7.8 while disallowing
> any other connections.
>
> sshd : 1.2.3.4 : allow
> sshd : 5.6.7.8 : allow
> sshd : ALL : deny
>
> It is not clear however whether this is really effective
> because we do not know anything about the vulnerability
> at all.
>
> Olaf Kirch
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3in
> Charset: noconv
>
> iQEVAwUBPRgpi3ey5gA9JdPZAQFOfgf9Gzfs7N++Q8DkbAiEc2cbvUwKZjuS7yr/
> GEaR3yRtBs/dyDVUB+EgEWgwwSDTwm4t6n0YfoyrnFdn5BZy+hDkFphJHabU7Vg8
> 39eN26AvvIgE0BxEg+Fq5kNYAApB+hvw/PLtQFFqSB3HHNfx227v03gzrC5xPuXN
> DFE9BMf4rTHj+YykkoLFt9rS6tPE3l0hm7ZUz0MfGNxIqcjw6TP8L7LF1LxepSlN
> QG0y//WoQafdbj9xY9ShbhdjloRMXg9XMMObcArNijASig4yw0sQ09clGPKtaYSA
> qX53NV29hrcfAYyH5Ejgfa4X/8UEG/onCnR7qUdZP26x0oZLRiRPpw==
> =IuTG
> -----END PGP SIGNATURE-----
>
> --
> To unsubscribe, e-mail: suse-security-announce-unsubscribe at suse.com
> For additional commands, e-mail: suse-security-announce-help at suse.com
>
> -------------------------------------------------------
>
> --
> pub 1024D/F0AD064E 2001-08-14 Jan H. Meinke <meinke at pa.msu.edu>
> Key fingerprint = C22B 57AE 4A5A 53AE 374F B684 8404 A3DC F0AD 064E
> sub 1024g/46E53B97 2001-08-14
> Download my public key at http://www.pa.msu.edu/~meinke/publickey.gpg
> _______________________________________________
> LON-CAPA-dev mailing list
> LON-CAPA-dev at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-dev
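The advisory's hosts.allow rules and the "enable privilege separation" advice are the two checks an administrator would want to verify on their own boxes. The following is an added example, not code from the SuSE advisory or from the LON-CAPA project: a small evaluator for the subset of hosts_access(5) syntax used above (daemon : client list [: allow|deny], with ALL, exact IPv4 addresses, trailing-dot prefixes and net/mask patterns, first match wins), plus a check of sshd_config for the UsePrivilegeSeparation keyword (the keyword name is the real OpenSSH directive; treating an absent keyword as "not explicitly enabled" is this example's choice, not a statement about the daemon's default). The sample files are constructed for the example.

```python
"""Evaluate /etc/hosts.allow rules for sshd and check sshd_config for
privilege separation.

Added example. Semantics implemented: in hosts.allow the first rule whose
daemon list and client list both match decides; a trailing ': allow' or
': deny' field overrides the implied 'allow'. No match returns None, which
in tcp_wrappers means "fall through to hosts.deny" (and allow if nothing
matches there either).
"""
import ipaddress

# Constructed sample: the three rules from the advisory plus a comment.
SAMPLE_HOSTS_ALLOW = """\
# constructed sample hosts.allow
sshd : 1.2.3.4 : allow
sshd : 5.6.7.8 : allow
sshd : ALL : deny
"""

# Constructed sample sshd_config fragment (comment line must be ignored).
SAMPLE_SSHD_CONFIG = """\
Port 22
#UsePrivilegeSeparation no
UsePrivilegeSeparation yes
"""


def _client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "10.0." matches 10.0.x.x
        return addr.startswith(pattern)
    if "/" in pattern:                   # "10.0.0.0/255.255.0.0" net/mask form
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr


def parse_rules(text):
    """Parse hosts.allow text into (daemons, clients, action) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("line %d: expected 'daemon : client'" % lineno)
        daemons = fields[0].split()
        clients = fields[1].split()
        action = fields[2].lower() if len(fields) > 2 else "allow"
        if action not in ("allow", "deny"):
            raise ValueError("line %d: unknown option %r" % (lineno, action))
        rules.append((daemons, clients, action))
    return rules


def decide(rules, daemon, addr):
    """Return 'allow', 'deny', or None (no rule matched) for one connection."""
    for daemons, clients, action in rules:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(_client_matches(c, addr) for c in clients):
            return action
    return None


def privsep_enabled(config_text):
    """True only if sshd_config explicitly sets UsePrivilegeSeparation yes."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "useprivilegeseparation":
            return parts[1].strip().lower() == "yes"
    return False


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(ip, "->", decide(rules, "sshd", ip))
    print("privsep explicitly enabled:", privsep_enabled(SAMPLE_SSHD_CONFIG))
```

Run against a real /etc/hosts.allow the evaluator gives a quick answer to "which hosts can still reach sshd after I apply these rules"; the advisory's own caveat still applies, since tcp_wrappers filtering only helps if sshd was built with libwrap support and the vulnerability is reachable only after the wrapper check.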