From: Gordon Tetlow <gordon@tetlows.org>
To: Karl Denninger
Cc: freebsd-security@freebsd.org
Subject: Re: Important note for future FreeBSD base system OpenSSH update
Date: Sun, 12 Sep 2021 14:27:16 -0700
In-Reply-To: <2bb56783-2727-9bea-7810-58969d91c00f@denninger.net>
References: <8169A4A8-B8D1-4265-87C8-74ED4D34FBC8@fasel.at> <2bb56783-2727-9bea-7810-58969d91c00f@denninger.net>
List-Id: freebsd-security@freebsd.org "Security issues [members-only posting]"
> On Sep 12, 2021, at 7:40 AM, Karl Denninger wrote:
>
> I have in the field a BUNCH of "smart" rack power strips that have this problem; their management firmware does NOT support more-modern cipher sets and SSL requirements. I get it, those older SSL versions are insecure and we know it. But when the browser people all decided to kill the ability to connect to such servers with no override (that is, don't warn, DENY with no option to get around it) all of a sudden logging into those strips to change (for example) the name of a socket, the alarm limits and similar became literally impossible. Contacting the manufacturer resulted in a middle finger back; "nope, we're not releasing new firmware for that." I've seen the same thing with some older OOB management interfaces on server boards; they won't take an acceptably-long (by modern standards) HTTPS server key, and thus, same problem and same answer from the manufacturer. These are perfectly-serviceable devices in their application and quite-expensive to replace when there's nothing wrong with them. On the server boards by now they've all been retired as people decided the better power budget and performance levels made changing them (and re-purchasing the RAM that went on them, which for larger servers is a non-trivial part of the total expense) a reasonable proposition. This of course is not true for a smart power strip in the rack, which makes both monitoring of energy and remote hard power-cycle available without a physical site visit or remote hands.

Blaming the browser and other client providers (OpenSSH, etc.) for a problem that is 100% because the devices are now abandoned by the manufacturer is the wrong place to focus your anger.

We have an enormous problem in the industry of crappy embedded devices (like the OOB management plane) accruing technical security debt while the manufacturers give "a middle finger back", as you say. The supportability of the hardware needs to be baked into the purchasing decision. Commitments from the manufacturers on supportability timeframes are important to understand and budget into a hardware refresh cycle.

> In the case of the power strips the "answer" was one of the prepackaged, self-contained old "portable" versions of Firefox which complains but the alert can be clicked through. I recognize that exposing those devices to the Internet is unsafe but have never trusted that anyway; they're behind a gateway box with no port hole punch and if I'm VPN'd in then it's not possible for a random person to screw with it.
>
> It would be sad indeed if the only answer here is "load up a partition with an older copy of FreeBSD on some device and use that." Can we avoid that being the answer, as it became with the browser issues?

You are already accepting the risk of continuing to run devices with known bad configurations. What's the problem with keeping that old FreeBSD host around as well? It's just one more risk acceptance for issues that are pretty much the same as what you are already accepting. Alternatively, compile and install an older OpenSSH version on a well-maintained host in a dedicated prefix which is only used for that purpose. We do need to remove the code entirely, as putting it behind a compatibility or some other "scary things are here" flag will guarantee that manufacturers don't try to update their codebases to work with modern protocols; they will just provide instructions on how to enable scary mode and move on. In the interest of protecting everyone, we need to remove this code and put it into the dustbin of history.

Best,
Gordon
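The alternative Gordon suggests above, an older OpenSSH client built into its own prefix and used for nothing else, as an added example that is not part of the thread or of FreeBSD. The prefix path, the device names, the wrapper script and the refuse-everything-else "Host *" stanza are assumptions for illustration; the build step is the stock portable OpenSSH configure/make sequence with --prefix and --sysconfdir pointed away from the base system so the old binary never shadows the system ssh.

```shell
#!/bin/sh
# Added example, not from the thread: keep an older OpenSSH client in an
# isolated prefix and fence it so it can only reach an explicit list of
# legacy devices. PREFIX, the host names and the wrapper name are
# illustrative assumptions.
set -eu

PREFIX="${PREFIX:-/opt/openssh-legacy}"

# Build step, run by hand on the maintenance host. SRC is an unpacked
# portable-OpenSSH source tree of the version you still need; --prefix and
# --sysconfdir keep binaries and config out of /usr and /etc so the base
# system's ssh stays the default. Not invoked by anything below.
build_legacy_openssh() {
    src="$1"
    ( cd "$src" &&
      ./configure --prefix="$PREFIX" --sysconfdir="$PREFIX/etc" &&
      make && make install )
}

# Write a client config that names only the legacy devices. The trailing
# "Host *" stanza makes every other destination fail, so the old client can
# never quietly become the one used for ordinary hosts.
write_legacy_config() {
    prefix="$1"; shift
    mkdir -p "$prefix/etc" "$prefix/bin"
    cfg="$prefix/etc/ssh_config"
    : > "$cfg"
    for h in "$@"; do
        printf 'Host %s\n    UserKnownHostsFile %s/etc/known_hosts\n    StrictHostKeyChecking yes\n\n' \
            "$h" "$prefix" >> "$cfg"
    done
    printf 'Host *\n    ProxyCommand /bin/sh -c "echo legacy ssh refuses non-listed host >&2; exit 1"\n' >> "$cfg"
    echo "$cfg"
}

# Returns 0 if HOST has its own stanza in the legacy config, 1 otherwise.
legacy_ssh_allowed() {
    prefix="$1"; host="$2"
    grep -qxF -e "Host $host" "$prefix/etc/ssh_config"
}

# Wrapper that users actually run (device name as first argument). It checks
# the allowlist before exec'ing the legacy binary and always passes -F, so a
# ~/.ssh/config entry cannot redirect the old client elsewhere.
write_wrapper() {
    prefix="$1"
    cat > "$prefix/bin/legacy-ssh" <<EOF
#!/bin/sh
grep -qxF -e "Host \$1" "$prefix/etc/ssh_config" || {
    echo "refused: \$1 is not a listed legacy device" >&2; exit 1; }
exec "$prefix/bin/ssh" -F "$prefix/etc/ssh_config" "\$@"
EOF
    chmod 0755 "$prefix/bin/legacy-ssh"
}
```

Run build_legacy_openssh once on the unpacked source tree, then write_legacy_config "$PREFIX" pdu-rack1 pdu-rack2 and write_wrapper "$PREFIX". Operators invoke "$PREFIX/bin/legacy-ssh pdu-rack1"; any other destination is refused twice, once by the wrapper and once by the "Host *" stanza, so the old binary adds exposure only for the devices whose risk is already being accepted, which is the point of the dedicated prefix.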