Date: Tue, 16 Sep 2003 14:54:05 -0400
From: Don Bowman <don@sandvine.com>
To: 'Josh Brooks' <user@mail.econolodgetulsa.com>, freebsd-hackers@freebsd.org
Subject: RE: OpenSSH flaw #23515 - what is the workaround, and is there an exploit ?
Message-ID: <FE045D4D9F7AED4CBFF1B3B813C85337035E3741@mail.sandvine.com>
From: Josh Brooks [mailto:user@mail.econolodgetulsa.com]
>
> 1. What is the workaround for this issue? Be creative. Not everyone can
> update their userland in a normal fashion - and no, I won't sit here and
> justify that statement. Think embedded systems.
>
> 2. Is there really an exploit in the wild? Any comments appreciated.

[From yesterday's posting to full-disclosure, which has been fixed in cvs as
http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h]

From the discussions on the exploit, it sounds like it needs to hit you fairly often.

You can set sshd to only start so often [since they won't be able to authenticate, presumably they won't log in].

You can use e.g. ipfw, hosts.allow to restrict access to your subnets or whatever.

If privilege separation is used, perhaps this helps; the full-disclosure list hadn't reached consensus on this yet.

Use 'AllowUsers' to specify which users can access. Not sure if this would help.

Try using 'VerifyReverseMapping' in the hope that an attacker wouldn't set this up?
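A small audit of an sshd_config against the workarounds the reply lists, added here as an example and not part of the original thread. It assumes OpenSSH 3.x keyword names (AllowUsers, VerifyReverseMapping, UsePrivilegeSeparation) and treats MaxStartups as the sshd-side knob for "only start so often"; the sample config is constructed.

```python
"""Check which of the mitigations named in the mail an sshd_config applies."""

# keyword (lowercased) -> (what it buys you, predicate on the configured value)
# Assumption: keyword names as in OpenSSH 3.x; MaxStartups stands in for
# rate-limiting sshd, which the mail suggests doing at the inetd level.
CHECKS = {
    "allowusers": ("restrict logins to listed users", lambda v: v != ""),
    "verifyreversemapping": ("reject hosts whose DNS does not round-trip",
                             lambda v: v.lower() == "yes"),
    "useprivilegeseparation": ("run pre-auth network code unprivileged",
                               lambda v: v.lower() == "yes"),
    "maxstartups": ("cap unauthenticated connections",
                    lambda v: v.split(":")[0].isdigit()),
}


def parse_sshd_config(text):
    """Map keywords to their first value; sshd honours the first occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, value)
    return conf


def audit(text):
    """Return {keyword: True | False | None}; None means the keyword is absent,
    False means it is set but not to the value the mitigation needs."""
    conf = parse_sshd_config(text)
    return {k: (None if k not in conf else ok(conf[k])) for k, (_, ok) in CHECKS.items()}


def missing(text):
    """Keywords that are absent or not set the way the mitigation needs."""
    return sorted(k for k, v in audit(text).items() if v is not True)


# Constructed sample: only two of the four workarounds are applied.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample, not from any real host)
Port 22
AllowUsers admin backup
VerifyReverseMapping yes
UsePrivilegeSeparation no
# MaxStartups left at its default, so it is not present here
"""

if __name__ == "__main__":
    for key, state in audit(SAMPLE_CONFIG).items():
        print(f"{key:24s} {CHECKS[key][0]:45s} {state}")
```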