[LON-CAPA-dev] Fwd: [suse-security-announce] OpenSSH Vulnerability
Tue, 25 Jun 2002 12:14:30 -0700
Currently not many details are known about this vulnerability.
No patches are available.
However, the severity is known: remote root exploit.
Also, as mentioned in SuSE's advisory openssh-3.3p1 does not
fix the bug. It just minimizes its effects. I am not sure what that means:
under the new version the "master" sshd daemon spawns a child that runs
under the uid of the user. Does that mean that instead of a remote
root exploit the effect is now a remote exploit with the privileges of
one of the users (not as bad, but still bad enough)?
In any case you must upgrade now to openssh-3.3p1 to avoid the remote
root exploit, and probably a few weeks later again to fix the bug.
The big problem is RedHat 6.2:
openssh-3.3p1 requires openssl-0.9.6 or later. RedHat 6.2 uses
openssl-0.9.5a. The only option I see right now is to upgrade openssl
(e.g., by recompiling a RedHat 7.x src rpm). However, openssl is used
by apache and others. Has anybody tried to run apache under RedHat 6.2
with openssl-0.9.6 or later? Does it break everything? Is there somewhere
a development/test LON-CAPA box running RH6.2 where this could be tested?
Academic Computing Services
Simon Fraser University
Burnaby, British Columbia, Canada V5A 1S6
phone: (604) 291-4691, fax: (604) 291-4242, email: firstname.lastname@example.org
On Tue, Jun 25, 2002 at 02:35:50PM -0400, Jan H. Meinke wrote:
> I received the message about a new openssh vulnerability this morning.
> ---------- Forwarded Message ----------
> Subject: [suse-security-announce] OpenSSH Vulnerability
> Date: Tue, 25 Jun 2002 10:39:34 +0200
> From: Olaf Kirch <okir@suse.de>
> To: suse-security-announce@suse.com
> -----BEGIN PGP SIGNED MESSAGE-----
> There's a new vulnerability in the OpenSSH daemon. The OpenSSH/OpenBSD
> team does not release any details concerning this issue, except:
> - This bug still exists in the most recent version, 3.3
> - They are asking all users to upgrade to version 3.3 (sic),
> and enable the PrivilegeSeparation option.
> Setting PrivilegeSeparation to on causes large portions of the daemon
> to run in a so-called "chroot jail", i.e. in a very restricted environment.
> An attacker breaking this part of the SSH daemon will *not* obtain full
> root privilege (as he would if sshd runs without this option), but
> will find himself in an empty directory, inside a process running as
> a non-privileged user (he can still do some harm this way, but it's
> a far cry from full root powers, of course).
> In a posting to bugtraq, Theo de Raadt says that using privilege
> separation, this new vulnerability cannot be exploited.
> The SuSE security team is working on creating OpenSSH updates with
> privilege separation enabled, and testing this functionality. We
> will release updated RPMs on FTP as they become available.
> In the meanwhile, we suggest that
> - if you do not need external access to your SSH daemons,
> turn off the SSH service on these machines completely,
> or block external access at the firewall.
> - if you do need external access to your SSH daemons,
> make sure you restrict the hosts that it will talk to
> by setting appropriate firewall rules.
> If, for some reason, you cannot configure your firewall to
> block external SSH access, you can also restrict access through
> /etc/hosts.allow; the following will allow connections from
> hosts with IP addresses 22.214.171.124 and 126.96.36.199 while disallowing
> any other connections.
> sshd : 188.8.131.52 : allow
> sshd : 184.108.40.206 : allow
> sshd : ALL : deny
> It is not clear however whether this is really effective
> because we do not know anything about the vulnerability
> at all.
> Olaf Kirch
> pub 1024D/F0AD064E 2001-08-14 Jan H. Meinke <meinke@pa.msu.edu>
> Key fingerprint = C22B 57AE 4A5A 53AE 374F B684 8404 A3DC F0AD 064E
> sub 1024g/46E53B97 2001-08-14
> Download my public key at http://www.pa.msu.edu/~meinke/publickey.gpg
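The /etc/hosts.allow rules quoted in the advisory, evaluated with tcp_wrappers' first-match semantics, as an added example that is not part of the original thread. It is a minimal matcher (ALL, exact addresses and trailing-dot prefixes only, a subset of hosts_access(5)); the rule addresses are the advisory's and 10.0.0.9 is a constructed client address.

```python
# Added example (not part of the original thread): minimal evaluator for the
# inline-option form of /etc/hosts.allow shown in the advisory. tcp_wrappers
# scans hosts.allow top to bottom and the first matching rule decides; a rule
# whose third field is "allow"/"deny" sets the verdict directly. Only ALL,
# exact addresses and trailing-dot prefixes are recognised here (a subset of
# hosts_access(5)). Rule addresses are the advisory's; 10.0.0.9 is constructed.

HOSTS_ALLOW = """\
sshd : 188.8.131.52 : allow
sshd : 184.108.40.206 : allow
sshd : ALL : deny
"""

def _match(pattern, value):
    """Match one daemon or client token: ALL, exact, or 'a.b.' prefix."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # e.g. "10.0." matches 10.0.x.y
        return value.startswith(pattern)
    return pattern == value

def _match_list(field, value):
    return any(_match(p, value) for p in field.split(","))

def parse_rules(text):
    """Parse 'daemons : clients [: allow|deny]' lines into tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        option = fields[2].lower() if len(fields) > 2 else "allow"
        rules.append((fields[0], fields[1], option))
    return rules

def decide(rules, daemon, client_ip):
    """Return 'allow' or 'deny'. With an empty hosts.deny, tcp_wrappers grants
    access when no hosts.allow rule matches, which is why the advisory's final
    'sshd : ALL : deny' line is essential."""
    for daemons, clients, option in rules:
        if _match_list(daemons, daemon) and _match_list(clients, client_ip):
            return option
    return "allow"   # no match in hosts.allow and nothing in hosts.deny

if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    for ip in ("188.8.131.52", "10.0.0.9"):
        print(f"sshd from {ip}: {decide(rules, 'sshd', ip)}")
```

Dropping the catch-all deny line leaves every unlisted client allowed, so the evaluator is a quick way to check a hosts.allow edit before relying on it.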