From owner-freebsd-security Wed Jun 26 9:23:56 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id C3DCE37B401 for ; Wed, 26 Jun 2002 09:23:50 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA11484; Wed, 26 Jun 2002 10:23:30 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020626101626.02274c80@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 26 Jun 2002 10:23:14 -0600
To: Mike Tancsa, Darren Reed
From: Brett Glass
Subject: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca>
References: <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Mike:

It is clear that Theo was attempting to have people apply the workaround which had the least chance of revealing the nature of the bug in advance, lest it be discovered by others and exploited. It's truly sad that ISS, which knew about Theo's advisory, released this information today, instead of next week as Theo asked them to. If Theo's roadmap for disclosure had been followed, more administrators could have been informed about the bug, and they would have had time to take preventive measures through the weekend before the skript kiddies began their race to exploit the bug. Now, the race has begun.
In fact, the problem has been exacerbated because administrators who *could* have secured their systems thought they'd have time to do so over the weekend. Theo made a worthy attempt to minimize harm (which should be the goal of any security policy). It's a shame that ISS sought the spotlight instead of doing the same.

--Brett Glass

At 09:10 AM 6/26/2002, Mike Tancsa wrote:
>Also, the ISS advisory states
>
>"Administrators can remove this vulnerability by disabling the
>Challenge-Response authentication parameter within the OpenSSH daemon
>configuration file. This filename and path is typically:
>/etc/ssh/sshd_config. To disable this parameter, locate the
>corresponding line and change it to the line below:
>ChallengeResponseAuthentication no "
>
>This would imply there is a workaround, but the talk beforehand
>
>----quote from Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org>---
>
>Bullshit.
>
>You have been told to move up to privsep so that you are immunized by
>the time the bug is released.
>
>If you fail to immunize your users, then the best you can do is tell
>them to disable OpenSSH until 3.4 is out early next week with the
>bugfix in it. Of course, then the bug will be public.
>----end-quote---

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
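As an added example (not part of the original message, nor OpenSSH's own code), a POSIX sh check that reads an sshd_config and reports whether either mitigation discussed in the thread is in force: the `ChallengeResponseAuthentication no` workaround quoted from the ISS advisory, or the privilege separation Theo asked people to move to. It assumes sshd's documented parsing rules (the first value given for a keyword wins, keywords are case-insensitive, `#` starts a comment) and the `UsePrivilegeSeparation` keyword of OpenSSH 3.x; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: verify an sshd_config against the two mitigations named in the
# thread. Parsing rules assumed from sshd_config(5): first value of a keyword
# wins, keywords are case-insensitive, '#' begins a comment.

# Print the effective value of KEYWORD in FILE, or DEFAULT if it is never set.
# sshd honours the FIRST occurrence, so a "no" appended at the end of the file
# after an earlier "yes" does NOT take effect; this mirrors that behaviour.
sshd_option() {
    file=$1; keyword=$2; default=$3
    value=$(awk -v kw="$keyword" '
        { sub(/#.*/, "") }                       # drop comments
        NF >= 2 && tolower($1) == tolower(kw) {  # keyword match, any case
            print $2; exit                       # first match wins, like sshd
        }' "$file")
    printf '%s\n' "${value:-$default}"
}

# Return 0 if FILE disables challenge-response auth (the ISS workaround) or
# enables privilege separation (the "privsep" Theo refers to), else 1.
# Unset ChallengeResponseAuthentication defaults to yes (vulnerable setting);
# an unset UsePrivilegeSeparation is conservatively treated as not enabled.
check_sshd_config() {
    cra=$(sshd_option "$1" ChallengeResponseAuthentication yes)
    priv=$(sshd_option "$1" UsePrivilegeSeparation no)
    [ "$cra" = no ] || [ "$priv" = yes ]
}

# Constructed sample: the "no" added at the bottom is ineffective because an
# earlier line already set the keyword to "yes".
tmp=$(mktemp) || exit 1
cat > "$tmp" <<'EOF'
Port 22
challengeresponseauthentication yes   # first value: this is what sshd uses
UsePrivilegeSeparation no
ChallengeResponseAuthentication no    # too late; ignored by sshd
EOF
if check_sshd_config "$tmp"; then
    echo "mitigated"
else
    echo "NOT mitigated: effective ChallengeResponseAuthentication is $(sshd_option "$tmp" ChallengeResponseAuthentication yes)"
fi
rm -f "$tmp"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` to get a pass/fail exit status suitable for a cron job or configuration audit.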