| 1 |
Heads up. |
| 2 |
|
| 3 |
-----Forwarded Message----- |
| 4 |
From: Richard Johnson <thief@×××××××.org> |
| 5 |
To: full-disclosure@××××××××××××.com, bugtraq@×××××××××××××.com, vuln-dev@×××××××××××××.com, vulnwatch@×××××××××.org, misc@×××××××.org |
| 6 |
Subject: [Full-Disclosure] iDEFENSE: Upcoming OpenSSH Security Advisory Announcement |
| 7 |
Date: Mon, 03 May 2004 11:51:12 -0400 |
| 8 |
|
| 9 |
|
| 10 |
iDEFENSE Security Advisory 05.03.04: |
| 11 |
http://www.idefense.com/advisory/05.03.04.txt |
| 12 |
Upcoming OpenSSH Preauthentication Vulnerability Announcement |
| 13 |
May 3, 2004 |
| 14 |
|
| 15 |
There is an upcoming OpenSSH vulnerability that we're working on with |
| 16 |
the OpenBSD Crew. Details will be published early next week. |
| 17 |
|
| 18 |
However, I can say that when OpenSSH's sshd(8) is running with priv |
| 19 |
seperation, the bug cannot be exploited for immediate root access. |
| 20 |
|
| 21 |
OpenSSH 3.3p was released a few years ago, with various improvements |
| 22 |
but in particular, it significantly improves the Linux and Solaris |
| 23 |
support for priv sep. However, it is not yet perfect. Compression is |
| 24 |
disabled on some systems, and the many varieties of PAM are causing |
| 25 |
major headaches. |
| 26 |
|
| 27 |
However, everyone should update to OpenSSH 3.8 immediately, and enable |
| 28 |
priv seperation in their ssh daemons, by setting this in your |
| 29 |
/etc/ssh/sshd_config file: |
| 30 |
|
| 31 |
UsePrivilegeSeparation yes |
| 32 |
|
| 33 |
Depending on what your system is, privsep may break some ssh |
| 34 |
functionality. However, with privsep turned on, you are immune from |
| 35 |
at least one remote hole. Understand? Being immune from at least one |
| 36 |
remote bug is worth broken functionality, especially when the software |
| 37 |
suffers from additional remote bugs. |
| 38 |
|
| 39 |
3.8 does not contain a fix for this upcoming bug. |
| 40 |
|
| 41 |
If priv seperation does not work on your operating system, you need to |
| 42 |
work with your vendor so that we get patches to make it work on your |
| 43 |
system. OpenSSH developers are swamped enough without trying to |
| 44 |
support the myriad of PAM and other issues which exist in various |
| 45 |
systems. For more information regarding the OpenBSD Crew's struggle |
| 46 |
with PAM issues, please read: |
| 47 |
http://www.openssh.com/txt/sshpam.adv |
| 48 |
|
| 49 |
Basically, OpenSSH sshd(8) is something like 27000 lines of code. A |
| 50 |
lot of that runs as root. But when UsePrivilegeSeparation is enabled, |
| 51 |
the daemon splits into two parts. A part containing about 2500 lines |
| 52 |
of code remains as root, and the rest of the code is shoved into a |
| 53 |
chroot-jail without any privs. This makes the daemon less vulnerable |
| 54 |
to attack. Less vulnerable is better than more vulnerable, and we |
| 55 |
hope that someday the OpenBSD team can make things not vulnerable. |
| 56 |
|
| 57 |
Threat elimination is more important than threat reduction, after all. |
| 58 |
|
| 59 |
Apparently the OpenBSD Crew has been trying to warn vendors about 3.8 |
| 60 |
and the need for privs sep to be in use. Since priv sep has existed |
| 61 |
for many years, and still is not used in 100% of deployed OpenSSH |
| 62 |
installations, the world is doing this marvelous team of cryptography |
| 63 |
experts and emerging mediocre programmers a world of discredit. Some |
| 64 |
developers, like Alan Cox, have reprotedly gone even further stating |
| 65 |
that privsep was not being worked on because "Nobody provided any info |
| 66 |
which proves the problem, and many people dont trust you theo" and |
| 67 |
suggested that Theo "might be feeding everyone a trojan". The official |
| 68 |
OpenBSD Crew's response to this allegation can be seen here: |
| 69 |
http://www.openssh.com/txt/sshpam.adv |
| 70 |
|
| 71 |
HP's representative has thusfar been downright rude, and we anticipate |
| 72 |
that he will be removed from his position at the company in the near |
| 73 |
future for the negative attention that he is bringing to the company, |
| 74 |
and the lack of lucrative security PRODUCT and RESEARCH to the market. |
| 75 |
|
| 76 |
Only the Solar Designer seems to think priv sep is a good idea, since |
| 77 |
historically he has been fond of developing security solutions |
| 78 |
following known flawed models in the hopes of making exploitation of |
| 79 |
security issues harder but not impossible, putting security back into |
| 80 |
the hands of hackers and out of the hands of scriptkids and security |
| 81 |
consultants. |
| 82 |
|
| 83 |
iDEFENSE recommends either using OpenBSD, Openwall Linux (Owl), or |
| 84 |
Microsoft Windows. All other operating systems are insecure. |
| 85 |
|
| 86 |
So, if vendors would JUMP and get it working better, and send the |
| 87 |
OpenBSD Crew patches IMMEDIATELY, we can perhaps make a better 3.9 |
| 88 |
release on Friday which supports all systems better. So please send |
| 89 |
patches to them IMMEDIATELY so progress can be made. Then on Tuesday |
| 90 |
or Friday the complete bug report with patches (and year old exploits, |
| 91 |
we are sure) will hit BUGTRAQ(tm). |
| 92 |
|
| 93 |
Let me repeat: even if the bug exists in a privsep'd sshd, it is not |
| 94 |
exploitable. Clearly we cannot yet publish what the bug is, or |
| 95 |
provide anyone with the real patch, but we can try to get maximum |
| 96 |
deployement of privsep, and therefore make it hurt less when the |
| 97 |
problem is published. |
| 98 |
|
| 99 |
If you doubt the sincerity of this claim, please review the following |
| 100 |
case study and included references to the security of a privilage |
| 101 |
separation enabled open secure shell daemon's unbreakable status. |
| 102 |
http://www.phrack.org/phrack/60/p60-0x06.txt |
| 103 |
|
| 104 |
|
| 105 |
So please push your vendor to get us maximally working privsep patches |
| 106 |
as soon as possible!!!! |
| 107 |
|
| 108 |
We've given most vendors since Friday last week until Thursday to get |
| 109 |
privsep working well for you so that when the announcement comes out |
| 110 |
next week their customers are immunized. That is nearly a full week |
| 111 |
(but they have already wasted a weekend and a Monday). Really I think |
| 112 |
this is the best we can hope to do (this thing will eventually leak, |
| 113 |
at which point the details will be published). |
| 114 |
|
| 115 |
Customers can judge their vendors by how they respond to this issue. |
| 116 |
|
| 117 |
OpenBSD and NetBSD users should also update to OpenSSH 3.8 right away. |
| 118 |
On OpenBSD privsep works flawlessly, and I have reports that is also |
| 119 |
true on NetBSD. All other systems appear to have minor or major |
| 120 |
weaknesses when this code is running. |
| 121 |
|
| 122 |
We would urge the OpenBSD Crew to remake the OpenSSH Security page |
| 123 |
( http://www.openssh.com/security.html ) to make it less confusing. |
| 124 |
It would serve the public interest much better if the page listed |
| 125 |
specifically what versions are affected by which bugs, making it clear |
| 126 |
which versions bugs were introduced in, and which versions said bugs |
| 127 |
have been fixed in. The current listing is too difficult to process, |
| 128 |
and listing what versions are no longer vulnerable to a particular |
| 129 |
known issue seems silly, since one would hope that the most recent |
| 130 |
available version of a security PRODUCT would not suffer from any |
| 131 |
published and widely known security problems. |
| 132 |
|
| 133 |
If you or your organization would like to purchase advanced details |
| 134 |
of this vulnerability, please contact sales@××××××××.com with your |
| 135 |
inquiry. |
| 136 |
|
| 137 |
We at iDEFENSE would like to thank Kurt Seifried, consultant and |
| 138 |
"OUTSIDE_INTEL" operative/analyst (and SECURITY EXPERT) for all his |
| 139 |
hard and profound work for us. Also we would like to applaud him for |
| 140 |
his brilliant work on translating the English translations of the CORE |
| 141 |
Impact documentation to better English; a most impressive addition to |
| 142 |
any resume is being able to brag of being a contractor for multiple |
| 143 |
goverment contractors, because frankly - he is just that damn good. |
| 144 |
|
| 145 |
______________________________________ |
| 146 |
< Work for iDEFENSE and become famous! > |
| 147 |
-------------------------------------- |
| 148 |
\ _ |
| 149 |
\ (_) |
| 150 |
\ ^__^ / \ |
| 151 |
\ (oo)\_____/_\ \ |
| 152 |
(__)\ ) / |
| 153 |
||----w (( |
| 154 |
|| ||>> |
| 155 |
|
| 156 |
iDEFENSE is a global security intelligence company that proactively |
| 157 |
monitors sources throughout the world from technical vulnerabilities |
| 158 |
and hacker profiling to the global spread of viruses and other *yawn* |
| 159 |
delicious code. Our security intelligence services provide decision |
| 160 |
makers, frontline security professionals and network administrators |
| 161 |
with timely access to actionable intelligence and decision support on |
| 162 |
cyber-related threats. For more information, visit our flash enabled |
| 163 |
interweb portal at http://www.idefense.com. |
| 164 |
-- |
| 165 |
Paul Cassell |
| 166 |
|
| 167 |
|
| 168 |
-- |
| 169 |
gentoo-security@g.o mailing list |
Archives