From markus at openbsd.org Sat Jun 22 05:50:56 2002 From: markus at openbsd.org (Markus Friedl) Date: Fri, 21 Jun 2002 21:50:56 +0200 Subject: [openssh-unix-announce] OpenSSH 3.3 released Message-ID: <20020621195056.GA2600@folly> OpenSSH 3.3 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support and encouragement. Changes since OpenSSH 3.2.3: ============================ Security Changes: ================= - improved support for privilege separation: privilege separation is now enabled by default See UsePrivilegeSeparation in sshd_config(5) and http://www.citi.umich.edu/u/provos/ssh/privsep.html for more information. - ssh no longer needs to be installed setuid root for protocol version 2 hostbased authentication, see ssh-keysign(8). protocol version 1 rhosts-rsa authentication still requires privileges and is not recommended. Other Changes: ============== - documentation for the client and server configuration options have been moved to ssh_config(5) and sshd_config(5). - the server now supports the Compression option, see sshd_config(5). - the client options RhostsRSAAuthentication and RhostsAuthentication now default to no, see ssh_config(5). - the client options FallBackToRsh and UseRsh are deprecated. - ssh-agent now supports locking and timeouts for keys, see ssh-add(1). - ssh-agent can now bind to unix-domain sockets given on the command line, see ssh-agent(1). - fixes problems with valid RSA signatures from putty clients. Reporting Bugs: =============== - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/ OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom. From markus at openbsd.org Tue Jun 25 07:06:31 2002 From: markus at openbsd.org (Markus Friedl) Date: Mon, 24 Jun 2002 23:06:31 +0200 Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability In-Reply-To: <200206242100.g5OL0BLL019128@cvs.openbsd.org> References: <200206242100.g5OL0BLL019128@cvs.openbsd.org> Message-ID: <20020624210631.GF24956@faui02> On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote: > Date: Mon, 24 Jun 2002 15:00:10 -0600 > From: Theo de Raadt > Subject: Upcoming OpenSSH vulnerability > To: bugtraq at securityfocus.com > Cc: announce at openbsd.org > Cc: dsi at iss.net > Cc: misc at openbsd.org > > There is an upcoming OpenSSH vulnerability that we're working on with > ISS. Details will be published early next week. > > However, I can say that when OpenSSH's sshd(8) is running with priv > seperation, the bug cannot be exploited. > > OpenSSH 3.3p was released a few days ago, with various improvements > but in particular, it significantly improves the Linux and Solaris > support for priv sep. However, it is not yet perfect. Compression is > disabled on some systems, and the many varieties of PAM are causing > major headaches. > > However, everyone should update to OpenSSH 3.3 immediately, and enable > priv seperation in their ssh daemons, by setting this in your > /etc/ssh/sshd_config file: > > UsePrivilegeSeparation yes > > Depending on what your system is, privsep may break some ssh > functionality. However, with privsep turned on, you are immune from > at least one remote hole. Understand? > > 3.3 does not contain a fix for this upcoming bug. > > If priv seperation does not work on your operating system, you need to > work with your vendor so that we get patches to make it work on your > system. Our developers are swamped enough without trying to support > the myriad of PAM and other issues which exist in various systems. > You must call on your vendors to help us. > > Basically, OpenSSH sshd(8) is something like 27000 lines of code. A > lot of that runs as root. But when UsePrivilegeSeparation is enabled, > the daemon splits into two parts. A part containing about 2500 lines > of code remains as root, and the rest of the code is shoved into a > chroot-jail without any privs. This makes the daemon less vulnerable > to attack. > > We've been trying to warn vendors about 3.3 and the need for privsep, > but they really have not heeded our call for assistance. They have > basically ignored us. Some, like Alan Cox, even went further stating > that privsep was not being worked on because "Nobody provided any info > which proves the problem, and many people dont trust you theo" and > suggested I "might be feeding everyone a trojan" (I think I'll publish > that letter -- it is just so funny). HP's representative was > downright rude, but that is OK because Compaq is retiring him. Except > for Solar Designer, I think none of them has helped the OpenSSH > portable developers make privsep work better on their systems. > Apparently Solar Designer is the only person who understands the need > for this stuff. > > So, if vendors would JUMP and get it working better, and send us > patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday > which supports these systems better. So send patches by Thursday > night please. Then on Tuesday or Wednesday the complete bug report > with patches (and exploits soon after I am sure) will hit BUGTRAQ. > > Let me repeat: even if the bug exists in a privsep'd sshd, it is not > exploitable. Clearly we cannot yet publish what the bug is, or > provide anyone with the real patch, but we can try to get maximum > deployement of privsep, and therefore make it hurt less when the > problem is published. > > So please push your vendor to get us maximally working privsep patches > as soon as possible! > > We've given most vendors since Friday last week until Thursday to get > privsep working well for you so that when the announcement comes out > next week their customers are immunized. That is nearly a full week > (but they have already wasted a weekend and a Monday). Really I think > this is the best we can hope to do (this thing will eventually leak, > at which point the details will be published). > > Customers can judge their vendors by how they respond to this issue. > > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. > On OpenBSD privsep works flawlessly, and I have reports that is also > true on NetBSD. All other systems appear to have minor or major > weaknesses when this code is running. > > (securityfocus postmaster; please post this through immediately, since > i have bcc'd over 30 other places..) From markus at openbsd.org Thu Jun 27 00:42:09 2002 From: markus at openbsd.org (Markus Friedl) Date: Wed, 26 Jun 2002 16:42:09 +0200 Subject: [openssh-unix-announce] OpenSSH Security Advisory (adv.iss) Message-ID: <20020626144209.GA15021@folly> 1. Versions affected: All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 and later are not affected. OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables UsePrivilegeSeparation by default. Although OpenSSH 2.9 and earlier are not affected upgrading to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds checks for a class of potential bugs. 2. Impact: This bug can be exploited remotely if ChallengeResponseAuthentication is enabled in sshd_config. Affected are at least systems supporting s/key over SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD as well as other systems supporting s/key with SSH). Exploitablitly of systems using PAM in combination has not been verified. 3. Short-Term Solution: Disable ChallengeResponseAuthentication in sshd_config. or Enable UsePrivilegeSeparation in sshd_config. 4. Solution: Upgrade to OpenSSH 3.4 or apply the following patches. 5. Credits: ISS. Appendix: A: Index: auth2-chall.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS file: /var/cvs/openssh/auth2-pam.c,v retrieving revision 1.12 diff -u -r1.12 auth2-pam.c --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12 +++ auth2-pam.c 26 Jun 2002 10:12:31 -0000 @@ -140,6 +140,15 @@ nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp); + + if (nresp != context_pam2.num_expected) + fatal("%s: Received incorrect number of responses " + "(expected %u, received %u)", __func__, nresp, + context_pam2.num_expected); + + if (nresp > 100) + fatal("%s: too many replies", __func__); + for (i = 0; i < nresp; i++) { int j = context_pam2.prompts[i]; From Markus_Friedl at genua.de Thu Jun 27 00:40:30 2002 From: Markus_Friedl at genua.de (Markus Friedl) Date: Wed, 26 Jun 2002 16:40:30 +0200 Subject: [openssh-unix-announce] OpenSSH 3.4 released Message-ID: <20020626144030.GA16468@skaidan> OpenSSH 3.4 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support and encouragement. Changes since OpenSSH 3.3: ============================ Security Changes: ================= All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 fixes this bug. In addition, OpenSSH 3.4 adds many checks to detect invalid input and mitigate resource exhaustion attacks. OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables UsePrivilegeSeparation by default. Reporting Bugs: =============== - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/ OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom. From markus at openbsd.org Thu Jun 27 05:08:28 2002 From: markus at openbsd.org (Markus Friedl) Date: Wed, 26 Jun 2002 21:08:28 +0200 Subject: [openssh-unix-announce] Revised OpenSSH Security Advisory (adv.iss) Message-ID: <20020626190828.GA6640@folly> This is the 2nd revision of the Advisory. 1. Versions affected: Serveral versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. All versions between 2.3.1 and 3.3 contain a bug in the PAMAuthenticationViaKbdInt code. All versions between 2.9.9 and 3.3 contain a bug in the ChallengeResponseAuthentication code. OpenSSH 3.4 and later are not affected. OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables UsePrivilegeSeparation by default. Although some earlier versions are not affected upgrading to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds checks for a class of potential bugs. 2. Impact: This bug can be exploited remotely if ChallengeResponseAuthentication is enabled in sshd_config. Affected are at least systems supporting s/key over SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD as well as other systems supporting s/key with SSH). Exploitablitly of systems using PAMAuthenticationViaKbdInt has not been verified. 3. Short-Term Solution: Disable ChallengeResponseAuthentication in sshd_config. and Disable PAMAuthenticationViaKbdInt in sshd_config. Alternatively you can prevent privilege escalation if you enable UsePrivilegeSeparation in sshd_config. 4. Solution: Upgrade to OpenSSH 3.4 or apply the following patches. 5. Credits: ISS. Appendix: A: Index: auth2-chall.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS file: /var/cvs/openssh/auth2-pam.c,v retrieving revision 1.12 diff -u -r1.12 auth2-pam.c --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12 +++ auth2-pam.c 26 Jun 2002 10:12:31 -0000 @@ -140,6 +140,15 @@ nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp); + + if (nresp != context_pam2.num_expected) + fatal("%s: Received incorrect number of responses " + "(expected %u, received %u)", __func__, nresp, + context_pam2.num_expected); + + if (nresp > 100) + fatal("%s: too many replies", __func__); + for (i = 0; i < nresp; i++) { int j = context_pam2.prompts[i];