Date:      Thu, 29 Nov 2001 18:45:21 -0800
From:      Kris Kennaway <kris@obsecurity.org>
To:        Brett Glass <brett@lariat.org>
Cc:        Kris Kennaway <kris@obsecurity.org>, "f.johan.beisser" <jan@caustic.org>, Mauro Dias <localhost@dsgx.org>, security@FreeBSD.ORG
Subject:   Lack of evidence for new SSH vulnerability
Message-ID:  <20011129184521.B66815@xor.obsecurity.org>
In-Reply-To: <4.3.2.7.2.20011129113349.04722900@localhost>; from brett@lariat.org on Thu, Nov 29, 2001 at 11:46:50AM -0700
References:  <4.3.2.7.2.20011128225341.04672880@localhost> <4.3.2.7.2.20011128221259.04665720@localhost> <20011128214925.P16958-100000@localhost> <4.3.2.7.2.20011128225341.04672880@localhost> <20011128233947.C53604@xor.obsecurity.org> <4.3.2.7.2.20011129113349.04722900@localhost>

On Thu, Nov 29, 2001 at 11:46:50AM -0700, Brett Glass wrote:
> At 12:39 AM 11/29/2001, Kris Kennaway wrote:
>
> >Not so much with the Flying Fists of Fud, please Brett.  If you'd
> >actually read the CERT advisory you'd see quite clearly that it was
> >fixed over a year ago.
>
> I've read the CERT advisory and also Dittrich's paper. The fact
> that a vulnerability was fixed in recent versions of the software
> does not mean that we should be unconcerned.

Your email described how you upgraded to the latest version of OpenSSH
because you weren't sure whether the version currently in FreeBSD was
affected by the vulnerability described in the CERT and Dittrich
reports.  That indicates you had no clue what was going on since both
documents quite clearly refer to versions of OpenSSH which were
included in FreeBSD a year ago, the CERT advisory explicitly
states when the problem was fixed (a year ago), and links to the
FreeBSD advisory which also says clearly that we fixed it a year ago.

> >Dittrich's analysis also says clearly at the top:
> >
> >On October 6, 2001, intruders originating from network blocks in the
> >Netherlands used an exploit for the crc32 compensation attack detector
> >vulnerability to remotely compromise a Red Hat Linux system on the UW
> >network running OpenSSH 2.1.1.  This vulnerability is described in
> >CERT Vulnerability note VU#945216:
> >
> >i.e. old, old, boring, old.
>
> In short, the vulnerability may be old, but it's not boring. The effects
> of an automatic exploit could be devastating.

If you're concerned that people can't read the advisories we release
in a timely fashion, then a reasonable solution would be to send email
saying:

-----
Heads up!  If you haven't upgraded your 4.2-RELEASE (or earlier)
systems yet, you need to do so because people have started exploiting
the version of SSH which was included in that.  This vulnerability was
announced by FreeBSD in February 2001 and is described in the advisory
located at

  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc

If you've upgraded since then, you're fine.
-----

There's a lot of hysteria floating around about a "new ssh exploit";
your message was feeding that hysteria because it contained incorrect
statements about the known facts, and so I was trying to dispel it.

The hysteria seems to be based on the following chain of events:

1) Dave Dittrich writes about how an OpenSSH 2.1.1 box was exploited
using the vulnerability published and fixed a year ago

2) CERT update their advisory for the vulnerability published and
fixed a year ago (I don't know what; probably additional details
from Dittrich, or maybe in response to #3)

3) An exploit for the vulnerability published and fixed a year ago is
circulated.  The exploit only mentions working against versions
vulnerable to the old problem (2.2.0p1 and earlier), but many people
assume it is effective against current versions since it's only making
the rounds now.  This is compounded by the fact that the exploit is
being circulated in a poorly documented, encrypted, binary-only form,
which makes its function and scope mysterious.

4) People send emails suggesting that 2.9 is still vulnerable to the
2.2.0p1 bug, based on misunderstanding of 1), 2) and 3)

5) Kris gets annoyed

> What's more, we do not know whether the binary exploit that's now being
> distributed across the Net is for this or some other vulnerability.
> As Security Officer, have you run the exploit against 4.4-RELEASE to
> see how it behaves and if 4.4-RELEASE is immune?

The only details I've received about this "new" exploit fall into
three classes:

a) Rumours that 2.9 is vulnerable to a root exploit, with no
substantiating evidence.  See #4 above for probable explanation.

b) Copies of the exploit for 2.2.0p1 (I've received 5 so far mostly
from people who think it's a 2.9 exploit).  See #3 above for probable
explanation.

c) Evidence that people are actively trying to exploit the 2.2.0p1
(CRC) vulnerability.  Evidence of failure against newer versions which
are believed to be not vulnerable to it anyway.

I have not been able to get this exploit to do anything against the
current FreeBSD version of OpenSSH (2.9), consistent with the
hypothesis that it is, in fact, an exploit for the 2.2.0p1 bug fixed a
year ago.

> This is important, since without a disassembly we do not know
> whether the exploit attacks this vulnerability or a different
> (possibly related?) one. We also do not know if the claimed fix was
> fully effective against all possible exploits.

Those who reviewed the fix believe it to be effective.  There's no
evidence to the contrary.  I've seen no evidence of an OpenSSH 2.9
vulnerability; if anyone can provide some, please forward it to
security-officer@FreeBSD.org.  If you're paranoid, disable your SSH
daemons or take whatever other action you feel to be appropriate; if
you're not, we'll tell you as soon as we know of any actual security
problem in FreeBSD.

That's all I have to say about this matter until then.

Kris
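The practical question for an administrator reading this thread is whether a given sshd is among the versions the CERT note (VU#945216) and the FreeBSD advisory cover, i.e. OpenSSH 2.2.0p1 and earlier, rather than the 2.9 shipped in 4.4-RELEASE. The following is an added example, not code from Kris Kennaway or the FreeBSD project, that parses sshd version banners and flags the affected range; the banner strings are constructed samples, and the `p` portable suffix handling is an assumption about how OpenSSH banners are formed.

```python
import re

# Constructed sample banners in the form sshd sends them; not taken from the thread.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.1.1",     # the version in Dittrich's compromised host
    "SSH-1.99-OpenSSH_2.2.0p1",   # last version the CRC32 detector bug affects
    "SSH-1.99-OpenSSH_2.3.0",
    "SSH-2.0-OpenSSH_2.9",        # version in FreeBSD 4.4-RELEASE
    "SSH-1.5-1.2.27",             # not OpenSSH at all; needs manual review
]

# Per the message: 2.2.0p1 and earlier are affected by VU#945216.
LAST_AFFECTED = (2, 2, 0, 1)

# OpenSSH_<major>.<minor>[.<patch>][p<portable>]; the portable suffix handling is an assumption.
BANNER_RE = re.compile(
    r"^SSH-[\d.]+-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+))?(?:p(?P<portable>\d+))?"
)


def parse_openssh_version(banner):
    """Return (major, minor, patch, portable) from an sshd banner, or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (
        int(m.group("major")),
        int(m.group("minor")),
        int(m.group("patch") or 0),
        int(m.group("portable") or 0),
    )


def is_affected(banner):
    """True if the banner reports OpenSSH <= 2.2.0p1, False if newer, None if unknown.

    A banner check is only a first pass: a vendor may backport the fix without
    bumping the version string, so an 'affected' result means 'verify', not 'owned'.
    """
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version <= LAST_AFFECTED  # tuple comparison orders 2.2.0p1 below 2.3.0 and 2.9


def triage(banners):
    """Map each banner to its affected status so hosts can be sorted for upgrade."""
    return {b: is_affected(b) for b in banners}
```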