From markus at openbsd.org Tue Jul 2 02:30:48 2002 
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 1 Jul 2002 18:30:48 +0200
Subject: [openssh-unix-announce] Revised OpenSSH Security Advisory
Message-ID: <20020701163048.GA13023@folly>

This is the 4th revision of the Advisory.

This document can be found at: http://www.openssh.com/txt/preauth.adv

1. Versions affected:

        Several versions of OpenSSH's sshd between 2.3.1 and 3.3
        contain an input validation error that can result in
        an integer overflow and privilege escalation.

        All versions between 2.3.1 and 3.3 contain a bug in the
        PAMAuthenticationViaKbdInt code.

        All versions between 2.9.9 and 3.3 contain a bug in the
        ChallengeResponseAuthentication code.

        OpenSSH 3.4 and later are not affected.

        OpenSSH 3.2 and later prevent privilege escalation if
        UsePrivilegeSeparation is enabled in sshd_config.

        OpenSSH 3.3 enables UsePrivilegeSeparation by default.

        Although some earlier versions are not affected, upgrading to
        OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds checks
        for a class of potential bugs.

2. Impact:

        This bug can be exploited remotely if
        ChallengeResponseAuthentication is enabled in sshd_config.
        This option is enabled by default on OpenBSD and other systems.

        Affected are at least systems supporting s/key over SSH
        protocol version 2 (OpenBSD, FreeBSD and NetBSD as well as
        other systems supporting s/key with SSH).

        Exploitability of systems using PAMAuthenticationViaKbdInt
        has not been verified.

3. Short-Term Solution:

        Disable ChallengeResponseAuthentication in sshd_config.

        and

        Disable PAMAuthenticationViaKbdInt in sshd_config.

        Alternatively you can prevent privilege escalation
        if you enable UsePrivilegeSeparation in sshd_config.

4. Solution:

        Upgrade to OpenSSH 3.4 or apply the following patches.

5. Credits:

        ISS.

6. Release Process:

        Information release was handled in the following way:

        a.
           We alerted the community via a number of news sites and
           large public mailing lists that a major security issue was
           coming, and that they should upgrade to OpenSSH >= 3.2, and
           enable UsePrivilegeSeparation as soon as possible. We also
           released OpenSSH 3.3 at the same time, without a fix for
           this serious new issue. The goal was to place the community
           on a security stance.

        b. We could not alert the community that disabling
           ChallengeResponseAuthentication solved the problem, since
           this would highlight that the bug is in about 500 out of
           27,000 lines of code.

        c. We could not alert the community that the bug was SSH2-only,
           and tell them to disable protocol 2, since this would have
           focused the problem in about 5,000 out of 27,000 lines of
           code. (And we did not think of this possible solution until
           after ISS had released their advisory).

        d. We did not tell people which versions were vulnerable, since
           the 2.9 to 2.9.9 transition was largely a rewrite of the
           ChallengeResponseAuthentication subsystem. This would have
           highlighted that as the problem area.

        e. We believed very strongly that the issue was unknown in the
           Blackhat community at the time. We also made the decision
           based on the subtlety of the problem. Finally, we believe
           that the SSH protocol is a security infrastructure protocol
           (with DNS and BGP), and that issues of this scope require
           more gentle care.

        f. We did not alert vendor contacts with detailed vulnerability
           information, since the list of vendors who include OpenSSH
           numbers around 80+. We were sure that any disclosure would
           leak very quickly. Another vulnerability came to our
           attention at roughly the same time (BSD resolver) and
           started leaking within 5 hours of vendor notification, so
           we tried to be very careful.

        g. We did not have a complete list of vulnerable systems
           because ISS did not do very complete testing, and we did
           not have access to all the systems to test on.
           Even so, we would not have wanted to alert the vendors as
           to which are vulnerable, because they might have figured
           out their configuration options and leaked the information.

        h. Some vendors were initially upset by this policy of
           non-disclosure, largely because the UsePrivilegeSeparation
           code was only about 90% functional in OpenSSH 3.3:

             - old linux kernels needed Compression disabled
             - extended Linux PAM did not work (but that is where the
               ChallengeResponseAuthentication bug was)

           Over a 48 hour period, a few of these vendors rapidly
           helped us to get these problems resolved, and we were able
           to release OpenSSH 3.4 which solved these problems to 99%
           user satisfaction, on almost all systems. The most helpful
           vendors were OpenWall Linux and Debian.

        i. ISS suddenly insisted on an early release of their
           advisory, 4 days earlier than ISS and we had planned. Some
           of us were awake for 37 hours to get OpenSSH 3.4 out the
           door with the fix, at the same time as the ISS advisory.

        j. We contacted CERT, and they released their announcement of
           this issue in record time -- around 24 hours. Dealing with
           CERT and ISS took more than 5 hours of telephone time.

        k. We have received mail from many users, including large and
           significant organizations, who were able to take a security
           stance by following our instructions about
           UsePrivilegeSeparation, disabling OpenSSH, filtering port
           22, guessing at functional reduction, or preparing
           themselves for a new release at any time.

        l. We have not heard of a single machine which was broken into
           as a result of our release announcement method.

        m. The first public attack program for the vulnerability was
           posted to BUGTRAQ within a day after OpenSSH 3.4 was
           released, apparently having been written based on the bug
           description.

        We feel that this method of releasing served the community
        best for a "contained" vulnerability of this kind.
        We do not suggest this is necessarily the correct information
        release process for all problems, and as firm believers of
        full disclosure have never suggested that, though we believe
        that disclosure must be carefully handled.

Appendix:

A:

Index: auth2-chall.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
retrieving revision 1.18
diff -u -r1.18 auth2-chall.c
--- auth2-chall.c	19 Jun 2002 00:27:55 -0000	1.18
+++ auth2-chall.c	26 Jun 2002 09:37:03 -0000
@@ -256,6 +256,8 @@
 
 	authctxt->postponed = 0;	/* reset */
 	nresp = packet_get_int();
+	if (nresp > 100)
+		fatal("input_userauth_info_response: nresp too big %u", nresp);
 	if (nresp > 0) {
 		response = xmalloc(nresp * sizeof(char*));
 		for (i = 0; i < nresp; i++)

B:

Index: auth2-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth2-pam.c,v
retrieving revision 1.12
diff -u -r1.12 auth2-pam.c
--- auth2-pam.c	22 Jan 2002 12:43:13 -0000	1.12
+++ auth2-pam.c	26 Jun 2002 10:12:31 -0000
@@ -140,6 +140,15 @@
 
 	nresp = packet_get_int();	/* Number of responses. */
 	debug("got %d responses", nresp);
+
+	if (nresp != context_pam2.num_expected)
+		fatal("%s: Received incorrect number of responses "
+		    "(received %u, expected %u)", __func__, nresp,
+		    context_pam2.num_expected);
+
+	if (nresp > 100)
+		fatal("%s: too many replies", __func__);
+
 
 	for (i = 0; i < nresp; i++) {
 		int j = context_pam2.prompts[i];

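Review bot: In hunk A the `nresp > 100` test is placed before `response = xmalloc(nresp * sizeof(char*))`, so it is the only thing keeping that multiplication from wrapping on a 32-bit size_t; the cap itself is a bare literal that the auth2-pam.c hunk repeats, so it belongs in one named constant shared by both files. The check also accepts any count up to 100 regardless of how many prompts the server sent in the preceding info request; rejecting a count that differs from the number of prompts, as the auth2-pam.c hunk does, would be the tighter check and would also catch short or padded responses.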
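Review bot: In hunk B the `nresp != context_pam2.num_expected` test is what keeps `context_pam2.prompts[i]` in bounds inside the loop, so it is correctly placed ahead of it; the `nresp > 100` test that follows is then only reachable when num_expected itself exceeds 100, which is fine as defense in depth but merits a comment saying so, and its 100 duplicates the literal in auth2-chall.c. A smaller point in the same region: the unchanged `debug("got %d responses", nresp)` prints the count with `%d` while the new fatal() in this hunk formats the same variable with `%u`; the two formats should agree, and the debug line is worth fixing in the same commit.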
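An added example, not part of the advisory or of OpenSSH, showing the arithmetic the two hunks above guard: the 32-bit product `nresp * sizeof(char*)` that the old code handed to xmalloc, beside a count check written after the patches. The function names and the constructed nresp value are assumptions of this example; MAX_RESPONSES is the 100 both patches use.

```c
#include <stdint.h>
#include <stdio.h>

/* Ceiling on responses per info-response packet; the value both 3.4 patches use. */
#define MAX_RESPONSES 100

/* Pre-3.4 sshd did xmalloc(nresp * sizeof(char*)) with nresp read straight
 * from the packet. On the 32-bit hosts of the day size_t is 32 bits, so the
 * product wraps once nresp reaches 2^30; this returns what xmalloc saw. */
uint32_t response_alloc_size32(uint32_t nresp)
{
	return (uint32_t)((uint64_t)nresp * 4);	/* sizeof(char*) == 4 on 32-bit */
}

/* 1 when the 32-bit product lost high bits, i.e. far less was allocated
 * than the nresp strings the following loop then stores. */
int response_alloc_wraps32(uint32_t nresp)
{
	return ((uint64_t)nresp * 4) != (uint64_t)response_alloc_size32(nresp);
}

/* Check modelled on the 3.4 hunks: the count must equal the number of prompts
 * the server sent (auth2-pam.c) and stay under a fixed ceiling (both files).
 * Returns 0 if acceptable, -1 otherwise. */
int check_response_count(uint32_t nresp, uint32_t expected)
{
	if (nresp != expected)
		return -1;	/* client answered more or fewer prompts than asked */
	if (nresp > MAX_RESPONSES)
		return -1;	/* defense in depth should 'expected' ever be large */
	return 0;
}

/* Allocation size for an accepted count, guarded so it cannot wrap on any
 * size_t width; returns 0 when the product would not fit. */
size_t response_alloc_size(uint32_t nresp)
{
	if (nresp > SIZE_MAX / sizeof(char *))
		return 0;
	return (size_t)nresp * sizeof(char *);
}

int main(void)
{
	uint32_t big = 0x40000001u;	/* constructed: a client claiming 2^30 + 1 responses */
	printf("nresp=%u: 32-bit xmalloc size %u (wrapped=%d), check=%d\n", big,
	    response_alloc_size32(big), response_alloc_wraps32(big),
	    check_response_count(big, 1));
	return 0;
}
```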
From: irilyth at infersys.com (Josh Smith)
Date: Mon, 29 Jul 2002 07:43:40 -0700
Subject: [openssh-unix-announce] Moderation
Message-ID: <15685.21660.125035.327085@azazel.infersys.com>

Please tell us this list is (or will soon be) moderated...

 -Josh (irilyth at infersys.com)

From jiml at mrtg.noc.adelphia.net Tue Jul 30 01:50:49 2002
From: jiml at mrtg.noc.adelphia.net (James W. Laferriere)
Date: Mon, 29 Jul 2002 11:50:49 -0400 (EDT)
Subject: [openssh-unix-announce] Moderation
In-Reply-To: <15685.21660.125035.327085@azazel.infersys.com>

        Hello John, Moderation in my opinion is another word for
        censorship. While the present powers that be (on this list)
        are rather benevolent, the next may just well not be.
        Opinion: A vote for moderation is a vote for dictatorship.
        Jiml

On Mon, 29 Jul 2002, Josh Smith wrote:

> Please tell us this list is (or will soon be) moderated...
>  -Josh (irilyth at infersys.com)

+-----------------------------------------------------+
| James W. Laferriere  | Adelphia Cable Company       |
| Sr. Research Engineer | jiml at adelphiacom.net     |
+-----------------------------------------------------+

From irilyth at infersys.com Tue Jul 30 01:59:23 2002
From: irilyth at infersys.com (Josh Smith)
Date: Mon, 29 Jul 2002 08:59:23 -0700
Subject: [openssh-unix-announce] Moderation
References: <15685.21660.125035.327085@azazel.infersys.com>
Message-ID: <15685.26203.9012.29460@azazel.infersys.com>

JWL> Moderation in my opinion is another word for censorship.

That's an interesting opinion, but this isn't the right place to discuss
it; this is openssh-unix-announce, for "Announcements of portable OpenSSH
releases". As http://www.mindrot.org/mailman/listinfo/openssh-unix-announce
says, "This list is for announcements relating to the portable version of
OpenSSH. This list is closed for posting and is very low-volume."

I think it's a fine idea to have a list for open free-wheeling discussions
about OpenSSH, and perhaps for the discussion of the finer points of the
philosophical implications of moderated lists, but that's not what this
list is for.

 -Josh (irilyth at infersys.com)

From sekr99 at covad.net Tue Jul 30 02:00:19 2002
From: sekr99 at covad.net (Mike Miller)
Date: Mon, 29 Jul 2002 12:00:19 -0400
Subject: [openssh-unix-announce] Moderation
References: <15685.21660.125035.327085@azazel.infersys.com>
Message-ID: <20020729115626.6E62.SEKR99@covad.net>

Hello ....

Isn't this just a notification list for new versions of OpenSSH? Why all
this traffic? And how come we are able to post? Must be a side effect of
the server crash.

According to the list charter:
http://www.mindrot.org/mailman/listinfo/openssh-unix-announce

    This list is for announcements relating to the portable version of
    OpenSSH. This list is closed for posting and is very low-volume.

Sorry for being guilty of generating more senseless traffic, but will the
list administration please close the posting.

Thanks in advance.

Brgds,
Mike.

From mehmet at suezen.org Tue Jul 30 02:10:52 2002
From: mehmet at suezen.org (Mehmet Suezen)
Date: Mon, 29 Jul 2002 18:10:52 +0200
Subject: [openssh-unix-announce] Moderation
In-Reply-To: <15685.26203.9012.29460@azazel.infersys.com>
Message-ID: <3D3613940000A6E3@mta08.san.yahoo.com>

I'm expecting openssh-unix-announce related mail, nothing else. Not a
personal clash between Josh and James.

>-- Original Message --
>To: openssh-unix-announce at mindrot.org
>Subject: Re: [openssh-unix-announce] Moderation
>From: Josh Smith
>Date: Mon, 29 Jul 2002 08:59:23 -0700
>
>JWL> Moderation in my opinion is another word for censorship.
>
>That's an interesting opinion, but this isn't the right place to discuss
>it; this is openssh-unix-announce, for "Announcements of portable OpenSSH
>releases". As http://www.mindrot.org/mailman/listinfo/openssh-unix-announce
>says, "This list is for announcements relating to the portable version of
>OpenSSH. This list is closed for posting and is very low-volume."
>
>I think it's a fine idea to have a list for open free-wheeling discussions
>about OpenSSH, and perhaps for the discussion of the finer points of the
>philosophical implications of moderated lists, but that's not what this
>list is for.
>
> -Josh (irilyth at infersys.com)
>_______________________________________________
>openssh-unix-announce mailing list
>openssh-unix-announce at mindrot.org
>http://www.mindrot.org/mailman/listinfo/openssh-unix-announce

------------------------------------------------------
http://www.suzen.org

From pauls at globaliqx.com Tue Jul 30 01:51:45 2002
From: pauls at globaliqx.com (Paul Slinski)
Date: Mon, 29 Jul 2002 11:51:45 -0400
Subject: [openssh-unix-announce] Moderation
Message-ID: <200207291151.45381@iqx->

You guys don't appear to be -announcing- anything. Please take your
discussion to the users list as this is not the place for opinions on
moderation.

Thank you

On July 29, 2002 11:50 am, James W. Laferriere wrote:
> Hello John, Moderation in my opinion is another word for
> censorship. While the present powers that be (on this list)

From en_svettig_buske_ar_bra_att_ha at yahoo.se Tue Jul 30 02:28:23 2002
From: en_svettig_buske_ar_bra_att_ha at yahoo.se (Bus Ken)
Date: Mon, 29 Jul 2002 18:28:23 +0200 (CEST)
Subject: [openssh-unix-announce] Moderation
Message-ID: <20020729162823.36056.qmail@web12904.mail.yahoo.com>

> You guys don't appear to be -announcing- anything

I totally agree!

//

_____________________________________________________
Free e-mail for the rest of your life at www.yahoo.se/mail
Dead simple!

From mark at luntzel.com Tue Jul 30 02:48:47 2002
From: mark at luntzel.com (Mark Luntzel)
Date: Mon, 29 Jul 2002 09:48:47 -0700
Subject: [openssh-unix-announce] Moderation
In-Reply-To: <20020729162823.36056.qmail@web12904.mail.yahoo.com>
References: <20020729162823.36056.qmail@web12904.mail.yahoo.com>
Message-ID: <20020729164847.GA29239@hunter.hating.com>

How about all of you just shut up and let the list owner fix it

> > You guys don't appear to be -announcing- anything
>
> I totally agree!
>
> //

--
bash: rtfm: command not found

From djm at mindrot.org Tue Jul 30 10:30:09 2002
From: djm at mindrot.org (Damien Miller)
Date: 30 Jul 2002 10:30:09 +1000
Subject: [openssh-unix-announce] Closed list
Message-ID: <1027989010.11481.53.camel@xenon.mel.my-fortress.com>

My apologies for not closing the list when it was recreated. This
oversight has now been fixed.

Thanks to those who brought it to our attention.

-d