From owner-freebsd-security Mon Jun 24 14:36:34 2002
From: Markus Friedl
To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org
Reply-To: openssh@openssh.com
Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
Date: Mon, 24 Jun 2002 23:06:31 +0200
Message-ID: <20020624210631.GF24956@faui02>
In-Reply-To: <200206242100.g5OL0BLL019128@cvs.openbsd.org>
On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
> Date: Mon, 24 Jun 2002 15:00:10 -0600
> From: Theo de Raadt
> Subject: Upcoming OpenSSH vulnerability
> To: bugtraq@securityfocus.com
> Cc: announce@openbsd.org
> Cc: dsi@iss.net
> Cc: misc@openbsd.org
>
> There is an upcoming OpenSSH vulnerability that we're working on with
> ISS. Details will be published early next week.
>
> However, I can say that when OpenSSH's sshd(8) is running with priv
> separation, the bug cannot be exploited.
>
> OpenSSH 3.3p was released a few days ago, with various improvements
> but in particular, it significantly improves the Linux and Solaris
> support for priv sep. However, it is not yet perfect. Compression is
> disabled on some systems, and the many varieties of PAM are causing
> major headaches.
>
> However, everyone should update to OpenSSH 3.3 immediately, and enable
> priv separation in their ssh daemons, by setting this in your
> /etc/ssh/sshd_config file:
>
> UsePrivilegeSeparation yes
>
> Depending on what your system is, privsep may break some ssh
> functionality. However, with privsep turned on, you are immune from
> at least one remote hole. Understand?
>
> 3.3 does not contain a fix for this upcoming bug.
>
> If priv separation does not work on your operating system, you need to
> work with your vendor so that we get patches to make it work on your
> system. Our developers are swamped enough without trying to support
> the myriad of PAM and other issues which exist in various systems.
> You must call on your vendors to help us.
>
> Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
> lot of that runs as root. But when UsePrivilegeSeparation is enabled,
> the daemon splits into two parts. A part containing about 2500 lines
> of code remains as root, and the rest of the code is shoved into a
> chroot-jail without any privs. This makes the daemon less vulnerable
> to attack.
>
> We've been trying to warn vendors about 3.3 and the need for privsep,
> but they really have not heeded our call for assistance. They have
> basically ignored us. Some, like Alan Cox, even went further stating
> that privsep was not being worked on because "Nobody provided any info
> which proves the problem, and many people dont trust you theo" and
> suggested I "might be feeding everyone a trojan" (I think I'll publish
> that letter -- it is just so funny). HP's representative was
> downright rude, but that is OK because Compaq is retiring him. Except
> for Solar Designer, I think none of them has helped the OpenSSH
> portable developers make privsep work better on their systems.
> Apparently Solar Designer is the only person who understands the need
> for this stuff.
>
> So, if vendors would JUMP and get it working better, and send us
> patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
> which supports these systems better. So send patches by Thursday
> night please. Then on Tuesday or Wednesday the complete bug report
> with patches (and exploits soon after I am sure) will hit BUGTRAQ.
>
> Let me repeat: even if the bug exists in a privsep'd sshd, it is not
> exploitable. Clearly we cannot yet publish what the bug is, or
> provide anyone with the real patch, but we can try to get maximum
> deployment of privsep, and therefore make it hurt less when the
> problem is published.
>
> So please push your vendor to get us maximally working privsep patches
> as soon as possible!
>
> We've given most vendors since Friday last week until Thursday to get
> privsep working well for you so that when the announcement comes out
> next week their customers are immunized. That is nearly a full week
> (but they have already wasted a weekend and a Monday). Really I think
> this is the best we can hope to do (this thing will eventually leak,
> at which point the details will be published).
>
> Customers can judge their vendors by how they respond to this issue.
>
> OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> On OpenBSD privsep works flawlessly, and I have reports that it is also
> true on NetBSD. All other systems appear to have minor or major
> weaknesses when this code is running.
>
> (securityfocus postmaster; please post this through immediately, since
> I have bcc'd over 30 other places..)

_______________________________________________
openssh-unix-announce@mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-announce
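The split the announcement describes, a small part that keeps root and the rest of the code jailed without privileges, shown as an added illustration in C; this is not OpenSSH's code. The jailed child does the untrusted work (here, validating a login name taken from the network) and reports a one-byte verdict to the root parent over a socketpair, so a bug in that parser lands in a chroot'ed, unprivileged process. Assumptions: POSIX system, UNPRIV_UID is a placeholder uid, the jail is an empty directory created under /tmp, and privilege dropping only happens when the program starts as root.

```c
#define _GNU_SOURCE            /* chroot/setgroups/mkdtemp prototypes on glibc */
#include <ctype.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define UNPRIV_UID 65534       /* placeholder: "nobody" on many systems */

/* Jail the child: chroot into an empty dir, give up root for good. No-op if not root. */
static int drop_privs(const char *jail) {
    if (geteuid() != 0) return 0;
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(UNPRIV_UID) != 0 || setuid(UNPRIV_UID) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;      /* regaining root must be impossible */
}

/* The "untrusted" parsing that runs jailed: a login name is 1..31 chars of [a-z0-9_]. */
static int valid_login(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 31) return 0;
    for (; *s; s++)
        if (!islower((unsigned char)*s) && !isdigit((unsigned char)*s) && *s != '_') return 0;
    return 1;
}

/* Privileged parent: fork, let the jailed child judge the input, read one verdict
 * byte back over a socketpair. Returns 1 accepted, 0 rejected, -1 child failure. */
int privsep_check_login(const char *untrusted) {
    char jail[] = "/tmp/privsep-jail-XXXXXX";
    int sv[2], status = 0; char verdict = 'X';
    if (mkdtemp(jail) == NULL || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                      /* child: jail first, parse second */
        close(sv[0]);
        if (drop_privs(jail) != 0) _exit(2);
        char v = valid_login(untrusted) ? 'A' : 'R';
        (void)write(sv[1], &v, 1);
        _exit(0);
    }
    close(sv[1]);
    if (pid > 0 && read(sv[0], &verdict, 1) != 1) verdict = 'X';
    close(sv[0]);
    if (pid > 0) waitpid(pid, &status, 0);
    rmdir(jail);                         /* the jail dir is empty; clean it up */
    if (pid < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return verdict == 'A' ? 1 : (verdict == 'R' ? 0 : -1);
}
```

Run as root the child really chroots and drops to UNPRIV_UID before touching the input; run unprivileged it only demonstrates the fork-and-verdict structure.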