From: Don Bowman <don@sandvine.com>
To: 'Josh Brooks' <user@mail.econolodgetulsa.com>, freebsd-hackers@freebsd.org
Date: Tue, 16 Sep 2003 14:54:05 -0400
Subject: RE: OpenSSH flaw #23515 - what is the workaround, and is there an exploit ?
List-Id: Technical Discussions relating to FreeBSD

From: Josh Brooks [mailto:user@mail.econolodgetulsa.com]
>
> 1. What is the workaround for this issue ? Be creative. Not everyone can
> update their userland in a normal fashion - and no, I won't sit here and
> justify that statement. Think embedded systems.
>
> 2. Is there really an exploit in the wild ? Any comments appreciated.

[From yesterday's posting to full-disclosure; this has been fixed in CVS as
http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h]

From the discussions on the exploit, it sounds like it needs to hit you fairly often. You can set sshd to only start so often [since they won't be able to authenticate, presumably they won't log in]. You can use e.g. ipfw or hosts.allow to restrict access to your subnets or whatever.

If privilege separation is used perhaps this helps; the full-disclosure list hadn't reached consensus on this yet. Use 'AllowUsers' to specify which users can access. Not sure if this would help. Try using 'VerifyReverseMapping' in the hope that an attacker wouldn't set this up?
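As an added example (not code from the thread or the FreeBSD project), a small POSIX shell audit that checks an sshd_config for the mitigations listed in the reply above. It assumes MaxStartups is the sshd_config option behind "only start so often", and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit an sshd_config for the
# interim mitigations suggested above. The keywords are real OpenSSH 3.x
# sshd_config options; the sample configs are constructed for illustration.

# Print the effective value of a keyword (first match wins, as in sshd),
# ignoring comments; print nothing if the keyword is absent.
sshd_option() {   # sshd_option <config-file> <keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# Report each recommended mitigation that is missing; return status = count.
audit_sshd_config() {   # audit_sshd_config <config-file>
    f=$1; missing=0
    # MaxStartups caps pending unauthenticated connections, so an attacker
    # cannot hit sshd as often as the exploit reportedly needs to.
    case "$(sshd_option "$f" MaxStartups)" in
        [0-9]*) ;;
        *) echo "missing: MaxStartups (e.g. 3:50:10)"; missing=$((missing+1)) ;;
    esac
    [ "$(sshd_option "$f" UsePrivilegeSeparation | tr 'A-Z' 'a-z')" = yes ] \
        || { echo "missing: UsePrivilegeSeparation yes"; missing=$((missing+1)); }
    [ -n "$(sshd_option "$f" AllowUsers)" ] \
        || { echo "missing: AllowUsers <allowed logins>"; missing=$((missing+1)); }
    [ "$(sshd_option "$f" VerifyReverseMapping | tr 'A-Z' 'a-z')" = yes ] \
        || { echo "missing: VerifyReverseMapping yes"; missing=$((missing+1)); }
    return $missing
}

# Constructed sample: a stock sshd_config with none of the mitigations.
WEAK_CFG=$(mktemp) && cat >"$WEAK_CFG" <<'EOF'
Port 22
#MaxStartups 10
EOF

# Constructed sample: the same host after applying the suggestions.
HARDENED_CFG=$(mktemp) && cat >"$HARDENED_CFG" <<'EOF'
Port 22
MaxStartups 3:50:10
UsePrivilegeSeparation yes
AllowUsers admin ops
VerifyReverseMapping yes
EOF

audit_sshd_config "$WEAK_CFG"     || echo "weak config: $? mitigation(s) missing"
audit_sshd_config "$HARDENED_CFG" && echo "hardened config: all mitigations present"
```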