Heads up.

-----Forwarded Message-----
From: Richard Johnson <thief@×××××××.org>
To: full-disclosure@××××××××××××.com, bugtraq@×××××××××××××.com, vuln-dev@×××××××××××××.com, vulnwatch@×××××××××.org, misc@×××××××.org
Subject: [Full-Disclosure] iDEFENSE: Upcoming OpenSSH Security Advisory Announcement
Date: Mon, 03 May 2004 11:51:12 -0400


iDEFENSE Security Advisory 05.03.04:
http://www.idefense.com/advisory/05.03.04.txt
Upcoming OpenSSH Preauthentication Vulnerability Announcement
May 3, 2004

There is an upcoming OpenSSH vulnerability that we're working on with
the OpenBSD Crew. Details will be published early next week.

However, I can say that when OpenSSH's sshd(8) is running with priv
separation, the bug cannot be exploited for immediate root access.

OpenSSH 3.3p was released a few years ago, with various improvements
but in particular, it significantly improves the Linux and Solaris
support for priv sep. However, it is not yet perfect. Compression is
disabled on some systems, and the many varieties of PAM are causing
major headaches.

However, everyone should update to OpenSSH 3.8 immediately, and enable
priv separation in their ssh daemons, by setting this in your
/etc/ssh/sshd_config file:

UsePrivilegeSeparation yes

Depending on what your system is, privsep may break some ssh
functionality. However, with privsep turned on, you are immune from
at least one remote hole. Understand? Being immune from at least one
remote bug is worth broken functionality, especially when the software
suffers from additional remote bugs.

3.8 does not contain a fix for this upcoming bug.

If priv separation does not work on your operating system, you need to
work with your vendor so that we get patches to make it work on your
system. OpenSSH developers are swamped enough without trying to
support the myriad of PAM and other issues which exist in various
systems. For more information regarding the OpenBSD Crew's struggle
with PAM issues, please read:
http://www.openssh.com/txt/sshpam.adv

Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
lot of that runs as root. But when UsePrivilegeSeparation is enabled,
the daemon splits into two parts. A part containing about 2500 lines
of code remains as root, and the rest of the code is shoved into a
chroot-jail without any privs. This makes the daemon less vulnerable
to attack. Less vulnerable is better than more vulnerable, and we
hope that someday the OpenBSD team can make things not vulnerable.

Threat elimination is more important than threat reduction, after all.

Apparently the OpenBSD Crew has been trying to warn vendors about 3.8
and the need for priv sep to be in use. Since priv sep has existed
for many years, and still is not used in 100% of deployed OpenSSH
installations, the world is doing this marvelous team of cryptography
experts and emerging mediocre programmers a world of discredit. Some
developers, like Alan Cox, have reportedly gone even further stating
that privsep was not being worked on because "Nobody provided any info
which proves the problem, and many people don't trust you theo" and
suggested that Theo "might be feeding everyone a trojan". The official
OpenBSD Crew's response to this allegation can be seen here:
http://www.openssh.com/txt/sshpam.adv

HP's representative has thus far been downright rude, and we anticipate
that he will be removed from his position at the company in the near
future for the negative attention that he is bringing to the company,
and the lack of lucrative security PRODUCT and RESEARCH to the market.

Only the Solar Designer seems to think priv sep is a good idea, since
historically he has been fond of developing security solutions
following known flawed models in the hopes of making exploitation of
security issues harder but not impossible, putting security back into
the hands of hackers and out of the hands of scriptkids and security
consultants.

iDEFENSE recommends either using OpenBSD, Openwall Linux (Owl), or
Microsoft Windows. All other operating systems are insecure.

So, if vendors would JUMP and get it working better, and send the
OpenBSD Crew patches IMMEDIATELY, we can perhaps make a better 3.9
release on Friday which supports all systems better. So please send
patches to them IMMEDIATELY so progress can be made. Then on Tuesday
or Friday the complete bug report with patches (and year old exploits,
we are sure) will hit BUGTRAQ(tm).

Let me repeat: even if the bug exists in a privsep'd sshd, it is not
exploitable. Clearly we cannot yet publish what the bug is, or
provide anyone with the real patch, but we can try to get maximum
deployment of privsep, and therefore make it hurt less when the
problem is published.

If you doubt the sincerity of this claim, please review the following
case study and included references to the security of a privilege
separation enabled open secure shell daemon's unbreakable status.
http://www.phrack.org/phrack/60/p60-0x06.txt


So please push your vendor to get us maximally working privsep patches
as soon as possible!!!!

We've given most vendors since Friday last week until Thursday to get
privsep working well for you so that when the announcement comes out
next week their customers are immunized. That is nearly a full week
(but they have already wasted a weekend and a Monday). Really I think
this is the best we can hope to do (this thing will eventually leak,
at which point the details will be published).

Customers can judge their vendors by how they respond to this issue.

OpenBSD and NetBSD users should also update to OpenSSH 3.8 right away.
On OpenBSD privsep works flawlessly, and I have reports that it is also
true on NetBSD. All other systems appear to have minor or major
weaknesses when this code is running.

We would urge the OpenBSD Crew to remake the OpenSSH Security page
( http://www.openssh.com/security.html ) to make it less confusing.
It would serve the public interest much better if the page listed
specifically what versions are affected by which bugs, making it clear
which versions bugs were introduced in, and which versions said bugs
have been fixed in. The current listing is too difficult to process,
and listing what versions are no longer vulnerable to a particular
known issue seems silly, since one would hope that the most recent
available version of a security PRODUCT would not suffer from any
published and widely known security problems.

If you or your organization would like to purchase advanced details
of this vulnerability, please contact sales@××××××××.com with your
inquiry.

We at iDEFENSE would like to thank Kurt Seifried, consultant and
"OUTSIDE_INTEL" operative/analyst (and SECURITY EXPERT) for all his
hard and profound work for us. Also we would like to applaud him for
his brilliant work on translating the English translations of the CORE
Impact documentation to better English; a most impressive addition to
any resume is being able to brag of being a contractor for multiple
government contractors, because frankly - he is just that damn good.

 ______________________________________
< Work for iDEFENSE and become famous! >
 --------------------------------------
        \   _
         \ (_)
          \ ^__^ / \
           \ (oo)\_____/_\ \
              (__)\       ) /
                  ||----w ((
                  ||     ||>>

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world from technical vulnerabilities
and hacker profiling to the global spread of viruses and other *yawn*
delicious code. Our security intelligence services provide decision
makers, frontline security professionals and network administrators
with timely access to actionable intelligence and decision support on
cyber-related threats. For more information, visit our flash enabled
interweb portal at http://www.idefense.com.
-- 
Paul Cassell


-- 
gentoo-security@g.o mailing list
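Whatever one makes of the forwarded message, its one concrete instruction (set UsePrivilegeSeparation yes in /etc/ssh/sshd_config) is easy to get wrong, because sshd takes the FIRST value it finds for a keyword, so appending the line at the bottom of a file that already says "no" higher up does nothing. The following checker is an added example, not code from the message, from iDEFENSE or from OpenSSH; it parses an sshd_config text with those first-match rules and reports the effective setting. Its sample configs are constructed for illustration, and the fallback used when the directive is absent ("yes", the server default from OpenSSH 3.3 onward) is an assumption the advisory does not state.

```python
"""Added check: does a given sshd_config actually enable privilege separation?

Parsing follows sshd_config(5): keywords are case-insensitive, a line whose
first non-blank character is '#' is a comment, keyword and argument are
separated by whitespace or '=', and for each keyword the FIRST value
obtained is used, so a later duplicate never overrides an earlier one.
"""
import re
import sys

# Assumption (not stated in the advisory): when the directive is absent the
# server default applies, which is "yes" for OpenSSH 3.3 and later.
DEFAULT_USE_PRIVSEP = "yes"

# keyword, then '=' (with optional blanks) or whitespace, then the argument
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return {lowercased keyword: first value seen} for a config text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or comment
        m = _DIRECTIVE.match(line)
        if not m:
            continue                          # keyword with no argument; sshd rejects such lines
        key, value = m.group(1).lower(), m.group(2).strip()
        settings.setdefault(key, value)       # first-match: keep the earliest value
    return settings


def effective_privsep(text):
    """Effective UsePrivilegeSeparation value, lowercased ('yes', 'no', ...)."""
    return parse_sshd_config(text).get(
        "useprivilegeseparation", DEFAULT_USE_PRIVSEP).lower()


def privsep_enabled(text):
    """True when sshd will run the unprivileged child.

    'sandbox' is a later value (OpenSSH 5.9+: privsep plus a syscall sandbox);
    OpenSSH 3.8, the version the advisory talks about, knows only yes/no.
    """
    return effective_privsep(text) in ("yes", "sandbox")


# Constructed sample configs (not taken from any real host):
CONFIG_EXPLICIT = "Port 22\nUsePrivilegeSeparation yes\nPermitRootLogin no\n"
CONFIG_FIRST_WINS = ("UsePrivilegeSeparation no\n"
                     "# line appended later by an admin; it has no effect:\n"
                     "UsePrivilegeSeparation yes\n")
CONFIG_COMMENTED = "#UsePrivilegeSeparation yes\nProtocol 2\n"     # falls back to the default
CONFIG_EQUALS = "useprivilegeseparation = NO\n"                    # '=' form, mixed case


def report(path):
    """Print and return the effective setting for a config file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    value = effective_privsep(text)
    print("%s: UsePrivilegeSeparation %s (privsep %s)" % (
        path, value, "ON" if privsep_enabled(text) else "OFF"))
    return value


if __name__ == "__main__":
    report(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config")
```

Run it against the file sshd actually loads (the path in sys.argv[1], defaulting to /etc/ssh/sshd_config), not a copy in a config repository. The static check only says what the file asks for; whether a given vendor build honours it is the PAM/compression question the message complains about, and that can only be settled by restarting sshd and confirming the unprivileged child process appears alongside the root listener. On much newer OpenSSH releases than 3.8, `sshd -T` dumps the effective configuration directly and makes this parser unnecessary.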