[LON-CAPA-dev] Fwd: [suse-security-announce] OpenSSH Vulnerability

Martin Siegert lon-capa-dev@mail.lon-capa.org
Tue, 25 Jun 2002 12:14:30 -0700


currently not many details are known about this vulnerability.
No patches are available.
However, the severity is known: remote root exploit.

Also, as mentioned in SuSE's advisory openssh-3.3p1 does not
fix the bug. It just minimizes its effects. I am not sure what that means:
under the new version the "master" sshd daemon spawns a child that runs
under the uid of the user. Does that mean that instead of a remote
root exploit the effect is now a remote exploit with the privileges of
one of the users (not as bad, but still bad enough)?
In any case you must upgrade now to openssh-3.3p1 to avoid the remote
root exploit, and probably a few weeks later again to fix the bug.

The big problem is RedHat 6.2:
openssh-3.3p1 requires openssl-0.9.6 or later. RedHat 6.2 uses
openssl-0.9.5a. The only option I see right now is to upgrade openssl
(e.g., by recompiling a RedHat 7.x src rpm). However, openssl is used
by apache and others. Has anybody tried to run apache under RedHat 6.2
with openssl-0.9.6 or later? Does it break everything? Is there somewhere
a development/test LON-CAPA box running RH6.2 where this could be tested?


Martin Siegert
Academic Computing Services                        phone: (604) 291-4691
Simon Fraser University                            fax:   (604) 291-4242
Burnaby, British Columbia                          email: siegert@sfu.ca
Canada  V5A 1S6

On Tue, Jun 25, 2002 at 02:35:50PM -0400, Jan H. Meinke wrote:
> Hi,
> I received the message about a new openssh vulnerability this morning.
> Jan
> ----------  Forwarded Message  ----------
> Subject: [suse-security-announce] OpenSSH Vulnerability
> Date: Tue, 25 Jun 2002 10:39:34 +0200
> From: Olaf Kirch <okirOsuse.de>
> To: suse-security-announceOsuse.com
> There's a new vulnerability in the OpenSSH daemon. The OpenSSH/OpenBSD
> team does not release any details concerning this issue, except:
>  -      This bug still exists in the most recent version, 3.3
>  -      They are asking all users to upgrade to version 3.3 (sic),
>  	and enable the PrivilegeSeparation option.
> Setting PrivilegeSeparation to on causes large portions of the daemon
> to run in a so-called "chroot jail", i.e. in a very restricted environment.
> An attacker breaking this part of the SSH daemon will *not* obtain full
> root privilege (as he would if sshd runs without this option), but
> will find himself in an empty directory, inside a process running as
> a non-privileged user (he can still do some harm this way, but it's
> a far cry from full root powers, of course).
> In a posting to bugtraq, Theo de Raadt says that using privilege
> separation, this new vulnerability cannot be exploited.
> The SuSE security team is working on creating OpenSSH updates with
> privilege separation enabled, and testing this functionality. We
> will release updated RPMs on FTP as they become available.
> In the meanwhile, we suggest that
>  -	if you do not need external access to your SSH daemons,
>  	turn off the SSH service on these machines completely,
> 	or block external access at the firewall.
>  -	if you do need external access to your SSH daemons,
>  	make sure you restrict the hosts that it will talk to
> 	by setting appropriate firewall rules.
> 	If, for some reason, you cannot configure your firewall to
> 	block external SSH access, you can also restrict access through
> 	/etc/hosts.allow; the following will allow connections from
> 	hosts with IP addresses and while disallowing
> 	any other connections.
> 		sshd	:	: allow
> 		sshd	:	: allow
> 		sshd	: ALL		: deny
> 	It is not clear however whether this is really effective
> 	because we do not know anything about the vulnerability
> 	at all.
> Olaf Kirch
> -- 
> pub  1024D/F0AD064E 2001-08-14 Jan H. Meinke <meinkeOpa.msu.edu>
>      Key fingerprint = C22B 57AE 4A5A 53AE 374F  B684 8404 A3DC F0AD 064E
> sub  1024g/46E53B97 2001-08-14
> Download my public key at http://www.pa.msu.edu/~meinke/publickey.gpg
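The advisory's two stop-gaps are a hosts.allow rule set for sshd and the new privilege separation option. As an added example that is not part of the thread or of OpenSSH itself, the following Python evaluates a hosts.allow rule set the way tcp_wrappers does (first matching rule wins) and checks whether sshd_config explicitly turns on UsePrivilegeSeparation, so an admin can verify the intended mitigation before trusting it. The addresses are constructed placeholders; the advisory's real ones were elided from the archive.

```python
"""Audit the two mitigations from the advisory: tcp_wrappers rules for sshd
and UsePrivilegeSeparation in sshd_config. Standalone, no system files read."""


def priv_sep_enabled(sshd_config: str) -> bool:
    """True only when UsePrivilegeSeparation is explicitly set to yes.
    The default differed between OpenSSH releases, so an absent directive
    is reported as not enabled and should be fixed explicitly."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "useprivilegeseparation":
            return parts[1].strip().lower() == "yes"
    return False


def _client_matches(pattern: str, ip: str) -> bool:
    """Client patterns handled here: ALL, an exact IPv4 address, or a
    dotted network prefix such as 192.0.2. (hosts_access(5) style)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return pattern == ip


def wrappers_decision(rules: str, daemon: str, ip: str) -> str:
    """Return 'allow', 'deny' (third field) or 'no match'. Like tcp_wrappers,
    the first rule whose daemon and client fields match decides."""
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not line:
            continue
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(_client_matches(c, ip) for c in clients):
            return fields[2].lower() if len(fields) > 2 else "allow"
    return "no match"


# Constructed sample: two admin hosts allowed, everything else denied,
# mirroring the shape of the rules quoted in the advisory.
HOSTS_ALLOW = "sshd : 192.0.2.10 : allow\nsshd : 192.0.2.11 : allow\nsshd : ALL : deny\n"
SSHD_CONFIG = "Port 22\n# UsePrivilegeSeparation no\nUsePrivilegeSeparation yes\n"

if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.99"):
        print(client, wrappers_decision(HOSTS_ALLOW, "sshd", client))
    print("privsep explicitly enabled:", priv_sep_enabled(SSHD_CONFIG))
```

The order of rules matters: putting the `sshd : ALL : deny` line first would lock out the admin hosts too, which this evaluator makes visible before the change reaches a live box.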