Date:      Fri, 30 Nov 2001 01:30:57 -0600 (CST)
From:      <bsd-sec@boneyard.lawrence.ks.us>
To:        freebsd-security@freebsd.org
Subject:   Re: sshd exploit
Message-ID:  <Pine.BSF.4.10.10111300105070.99377-100000@madeline.boneyard.lawrence.ks.us>
In-Reply-To: <20011129012235.U6446-100000@achilles.silby.com>

On Thu, 29 Nov 2001, Mike Silbersack wrote:

> 
> The CRC bug was fixed in 2.3.0, which was merged into -stable before the
> release of freebsd 4.3.  If 3.0.1's giving you any enhanced immunity, it's
> to a bug which has not yet been announced.
> 
> If there _is_ a new bug, and it follows the description in the url posted
> earlier in the thread, it's probably also SSHv1 related, and can be
 [...]

Perhaps so.  However, at the university department where I work, RH Linux lab 
machines running both 2.5.x and 2.9.x versions of OpenSSH were indeed 
compromised while running ssh version 1.  The only other services with 
externally available ports were portmap and syslogd.  As a precautionary 
measure, SSHv1 has been disabled.  Fortunately, for our situation, the ssh.com
folks offer free site licenses for their Win32 client, so we are not suffering
from a lack of a v2 client.  Though I appreciate the innocent-until-proven-
broken angle, I believe that my experiences, as well as those of other admins
that do not have the time/knowledge resources for catching, identifying and 
describing such an attack, should not be discounted as paranoid delusions.

As the SSH suite of protocols is the mainstay of many systems that are
forced to exist in an "open" (flat/broadcast) environment, it is worthwhile
to err on the side of caution and encourage others in the same situation
to do the same.

Our FreeBSD/alpha servers were not compromised; however, I am certain that 
more credit can be given to the architecture of the hardware than to bug-free
code at this point.  I have had this sort of discussion with a few other 
departmental *NIX administrators on campus.  I would dearly love to be able 
to provide irrefutable evidence of my claim.  All I can offer is that I am 
not so in love with my job as to spend 3 of my 4 days of Thanksgiving break
up at the university recovering workstations unnecessarily.

$3.50

There ya go.  Take it or leave it.

Regards,
Stephen

Stephen Spencer | 
                |  "Come down off the cross. 
                |    We can use the wood..." 
                |                                T. Waits 
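The precaution Stephen describes, disabling SSHv1 on the server, comes down to the `Protocol` directive in `sshd_config`. The audit script below is an added example, not code from the post or from the FreeBSD or OpenSSH projects; it parses an sshd_config the way sshd does (first uncommented `Protocol` line wins) and reports whether protocol 1 is still enabled. It assumes, as a conservative choice, that a config with no `Protocol` line at all should be treated as v1-enabled, since older OpenSSH releases defaulted to offering both protocol versions; the two configuration files it checks are constructed here for the demonstration.

```shell
#!/bin/sh
# Audit an sshd_config for SSHv1 being enabled.
# ssh1_enabled FILE  -> exit 0 if protocol 1 is (or may be) enabled,
#                       exit 1 if only protocol 2 is configured.
ssh1_enabled() {
    cfg="$1"
    # First uncommented "Protocol" keyword wins, matching sshd's own parsing.
    # Case-insensitive keyword match; leading whitespace is handled by awk.
    proto=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$cfg")
    case "$proto" in
        "")  return 0 ;;   # no directive: assume an old default that includes v1
        *1*) return 0 ;;   # "1", "1,2" or "2,1" all offer SSHv1
        *)   return 1 ;;   # e.g. "Protocol 2"
    esac
}

# report FILE -> one-line human-readable verdict for FILE
report() {
    if ssh1_enabled "$1"; then
        echo "$1: SSHv1 ENABLED - set 'Protocol 2' and restart sshd"
    else
        echo "$1: only SSHv2 offered"
    fi
}

# Demonstration on two constructed configs (not real hosts' files).
weak=$(mktemp)
hardened=$(mktemp)
cat > "$weak" <<'EOF'
# constructed sample: commented line must be ignored, real line offers v1
#Protocol 2
Port 22
Protocol 2,1
EOF
cat > "$hardened" <<'EOF'
# constructed sample: v2 only
Port 22
Protocol 2
EOF
report "$weak"
report "$hardened"
rm -f "$weak" "$hardened"
```

Run it against a real `sshd_config` by calling `report /etc/ssh/sshd_config` (adjust the path for the host); a hardened file should report "only SSHv2 offered". The fix itself is a one-line config change, but the directive must be reloaded into a running sshd to take effect.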



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
