Date: Thu, 29 Nov 2001 01:28:01 -0600 (CST) From: Mike Silbersack <silby@silby.com> To: Brett Glass <brett@lariat.org> Cc: "f.johan.beisser" <jan@caustic.org>, Mauro Dias <localhost@dsgx.org>, <security@FreeBSD.ORG> Subject: Re: sshd exploit Message-ID: <20011129012235.U6446-100000@achilles.silby.com> In-Reply-To: <4.3.2.7.2.20011128225341.04672880@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 28 Nov 2001, Brett Glass wrote: > At 10:52 PM 11/28/2001, f.johan.beisser wrote: > > >how long have you known of it? frankly, this is the first i've heard about > >it, let alone the exploit binary. > > I reposted a report by Dave Dittrich to this list about two weeks ago. CERT > has also had it on its Web page for a while now. To sum it up in a few > sentences: Old versions of SSH have been hacked through the SSHv1 protocol, > and the vulnerable code was adopted by OpenSSH, so older versions of that > are vulnerable too. > > My recommendation: compile and install OpenSSH 3.0.1p1. Or, if you need > some of the special integration that's been done in the Ports Collection, > use the latest version that's there (2.9.something the last time I looked). > FreeBSD 4.4-RELEASE shipped with OpenSSH 2.3.0, which may be OK (I'm not > sure just when they fixed the problem). > > --Brett The CRC bug was fixed in 2.3.0, which was merged into -stable before the release of freebsd 4.3. If 3.0.1's giving you any enhanced immunity, it's to a bug which has not yet been announced. If there _is_ a new bug, and it follows the decription in the url posted earlier in the thread, it's probably also SSHv1 related, and can be avoided by disabling protocol 1 support in sshd_config - I find it extremely unlikely that SSH.com and OpenSSH coders made the same mistake in independantly created sshv2 implementations. But, that's only if... I seem to doubt that there's a new bug, given the lack of proof. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011129012235.U6446-100000>