Gentoo Archives: gentoo-security

From: Paul Cassell <pmcassel@××××.edu>
To: gentoo-security@l.g.o
Subject: [gentoo-security] [Fwd: [Full-Disclosure] iDEFENSE: Upcoming OpenSSH Security Advisory Announcement]
Date: Mon, 03 May 2004 17:11:38
Message-Id: 1083604463.21717.59.camel@epiphany
1 Heads up.
3 -----Forwarded Message-----
4 From: Richard Johnson <thief@×××××××.org>
5 To: full-disclosure@××××××××××××.com, bugtraq@×××××××××××××.com, vuln-dev@×××××××××××××.com, vulnwatch@×××××××××.org, misc@×××××××.org
6 Subject: [Full-Disclosure] iDEFENSE: Upcoming OpenSSH Security Advisory Announcement
7 Date: Mon, 03 May 2004 11:51:12 -0400
10 iDEFENSE Security Advisory 05.03.04:
12 Upcoming OpenSSH Preauthentication Vulnerability Announcement
13 May 3, 2004
15 There is an upcoming OpenSSH vulnerability that we're working on with
16 the OpenBSD Crew. Details will be published early next week.
18 However, I can say that when OpenSSH's sshd(8) is running with priv
19 seperation, the bug cannot be exploited for immediate root access.
21 OpenSSH 3.3p was released a few years ago, with various improvements
22 but in particular, it significantly improves the Linux and Solaris
23 support for priv sep. However, it is not yet perfect. Compression is
24 disabled on some systems, and the many varieties of PAM are causing
25 major headaches.
27 However, everyone should update to OpenSSH 3.8 immediately, and enable
28 priv seperation in their ssh daemons, by setting this in your
29 /etc/ssh/sshd_config file:
31 UsePrivilegeSeparation yes
33 Depending on what your system is, privsep may break some ssh
34 functionality. However, with privsep turned on, you are immune from
35 at least one remote hole. Understand? Being immune from at least one
36 remote bug is worth broken functionality, especially when the software
37 suffers from additional remote bugs.
39 3.8 does not contain a fix for this upcoming bug.
41 If priv seperation does not work on your operating system, you need to
42 work with your vendor so that we get patches to make it work on your
43 system. OpenSSH developers are swamped enough without trying to
44 support the myriad of PAM and other issues which exist in various
45 systems. For more information regarding the OpenBSD Crew's struggle
46 with PAM issues, please read:
49 Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
50 lot of that runs as root. But when UsePrivilegeSeparation is enabled,
51 the daemon splits into two parts. A part containing about 2500 lines
52 of code remains as root, and the rest of the code is shoved into a
53 chroot-jail without any privs. This makes the daemon less vulnerable
54 to attack. Less vulnerable is better than more vulnerable, and we
55 hope that someday the OpenBSD team can make things not vulnerable.
57 Threat elimination is more important than threat reduction, after all.
59 Apparently the OpenBSD Crew has been trying to warn vendors about 3.8
60 and the need for privs sep to be in use. Since priv sep has existed
61 for many years, and still is not used in 100% of deployed OpenSSH
62 installations, the world is doing this marvelous team of cryptography
63 experts and emerging mediocre programmers a world of discredit. Some
64 developers, like Alan Cox, have reprotedly gone even further stating
65 that privsep was not being worked on because "Nobody provided any info
66 which proves the problem, and many people dont trust you theo" and
67 suggested that Theo "might be feeding everyone a trojan". The official
68 OpenBSD Crew's response to this allegation can be seen here:
71 HP's representative has thusfar been downright rude, and we anticipate
72 that he will be removed from his position at the company in the near
73 future for the negative attention that he is bringing to the company,
74 and the lack of lucrative security PRODUCT and RESEARCH to the market.
76 Only the Solar Designer seems to think priv sep is a good idea, since
77 historically he has been fond of developing security solutions
78 following known flawed models in the hopes of making exploitation of
79 security issues harder but not impossible, putting security back into
80 the hands of hackers and out of the hands of scriptkids and security
81 consultants.
83 iDEFENSE recommends either using OpenBSD, Openwall Linux (Owl), or
84 Microsoft Windows. All other operating systems are insecure.
86 So, if vendors would JUMP and get it working better, and send the
87 OpenBSD Crew patches IMMEDIATELY, we can perhaps make a better 3.9
88 release on Friday which supports all systems better. So please send
89 patches to them IMMEDIATELY so progress can be made. Then on Tuesday
90 or Friday the complete bug report with patches (and year old exploits,
91 we are sure) will hit BUGTRAQ(tm).
93 Let me repeat: even if the bug exists in a privsep'd sshd, it is not
94 exploitable. Clearly we cannot yet publish what the bug is, or
95 provide anyone with the real patch, but we can try to get maximum
96 deployement of privsep, and therefore make it hurt less when the
97 problem is published.
99 If you doubt the sincerity of this claim, please review the following
100 case study and included references to the security of a privilage
101 separation enabled open secure shell daemon's unbreakable status.
105 So please push your vendor to get us maximally working privsep patches
106 as soon as possible!!!!
108 We've given most vendors since Friday last week until Thursday to get
109 privsep working well for you so that when the announcement comes out
110 next week their customers are immunized. That is nearly a full week
111 (but they have already wasted a weekend and a Monday). Really I think
112 this is the best we can hope to do (this thing will eventually leak,
113 at which point the details will be published).
115 Customers can judge their vendors by how they respond to this issue.
117 OpenBSD and NetBSD users should also update to OpenSSH 3.8 right away.
118 On OpenBSD privsep works flawlessly, and I have reports that is also
119 true on NetBSD. All other systems appear to have minor or major
120 weaknesses when this code is running.
122 We would urge the OpenBSD Crew to remake the OpenSSH Security page
123 ( ) to make it less confusing.
124 It would serve the public interest much better if the page listed
125 specifically what versions are affected by which bugs, making it clear
126 which versions bugs were introduced in, and which versions said bugs
127 have been fixed in. The current listing is too difficult to process,
128 and listing what versions are no longer vulnerable to a particular
129 known issue seems silly, since one would hope that the most recent
130 available version of a security PRODUCT would not suffer from any
131 published and widely known security problems.
133 If you or your organization would like to purchase advanced details
134 of this vulnerability, please contact sales@××××××××.com with your
135 inquiry.
137 We at iDEFENSE would like to thank Kurt Seifried, consultant and
138 "OUTSIDE_INTEL" operative/analyst (and SECURITY EXPERT) for all his
139 hard and profound work for us. Also we would like to applaud him for
140 his brilliant work on translating the English translations of the CORE
141 Impact documentation to better English; a most impressive addition to
142 any resume is being able to brag of being a contractor for multiple
143 goverment contractors, because frankly - he is just that damn good.
145 ______________________________________
146 < Work for iDEFENSE and become famous! >
147 --------------------------------------
148 \ _
149 \ (_)
150 \ ^__^ / \
151 \ (oo)\_____/_\ \
152 (__)\ ) /
153 ||----w ((
154 || ||>>
156 iDEFENSE is a global security intelligence company that proactively
157 monitors sources throughout the world from technical vulnerabilities
158 and hacker profiling to the global spread of viruses and other *yawn*
159 delicious code. Our security intelligence services provide decision
160 makers, frontline security professionals and network administrators
161 with timely access to actionable intelligence and decision support on
162 cyber-related threats. For more information, visit our flash enabled
163 interweb portal at
164 --
165 Paul Cassell
168 --
169 gentoo-security@g.o mailing list