Recent breakins / SSHD root hole?
nuuB
_nuub at yahoo.com
Tue Jun 5 03:08:21 EST 2001
>>
>> Basically what I'd like to know is: What version of the OpenSSH daemon
>> would I need to run in order NOT to be vulnerable to this "weakness"?
>
>Sounds like
>ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:30.openssh.asc
No, I don't think so. AFAIK that bug was fixed in 2.1.1, and apache.org
reportedly ran "OpenSSH 2.2". But doing a bit more digging I found
http://www.securityfocus.com/templates/advisory.html?id=3087
"Remote vulnerability in SSH daemon crc32 compensation attack detector"
This wasn't fixed until 2.3.0. This hole requires quite a lot of constants to
be correct, and having local access makes this easier. This could explain why
it wasn't exploited remotely on apache.org (though it could have been).
obOpenSSH:
Anyhow, the fact that I had missed this hole completely has given me a new
perspective. Normally I try to keep on top of all security holes in products I
use. But for the past 6 months I haven't been reading bugtraq (the main source
for such information). I find the SNR way too low these days. It's annoying to
see an advisory on product X, then like 10 advisories on the same subject from
a bunch of vendors (mostly Linux ones...) that ship product X.
So I left bugtraq and instead relied on my vendor's (Redhat) ability to issue
proper updates (yeah I know, stupid, but I thought it better than doing
nothing). It appears they haven't issued a bulletin for this problem (even
though they ship OpenSSH 2.1.1 in RH 7.0). They did issue
http://www.redhat.com/support/errata/RHSA-2001-041.html
which fixes two other (much less serious) problems. It also happens to fix the
above CRC attack, but it isn't mentioned in Redhat's bulletin (and I doubt they
knew about it). I don't upgrade things unless there is a problem that affects
me (wise from previous updates where new problems of course snuck in with the
upgrade). The two minor things mentioned didn't affect me, so I didn't upgrade.
So here I am, 2 Jun, with a root hole that was announced on Feb 8. Almost 4
months with an open root hole. Gives me a real warm'n'fuzzy.... NOT. The only
thing making me feel better is that the exploitation is quite far from ./hack
with the public exploit.
Ah well. I guess it's back to bugtraq, and more time wasted weeding through the
junk to find the good bits...
Sorry about the rant.
nuuB
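The question that opens the thread (which OpenSSH version is NOT vulnerable) invites a concrete check. What follows is an added example, not code from this thread or from OpenSSH itself: it parses the identification line sshd sends on connect and flags OpenSSH versions below 2.3.0, the fix version named in the post, but only when the server still speaks protocol 1, since the crc32 compensation attack detector is SSH1-only code. The banner strings are constructed samples, not captures from real hosts, and fetch_banner is a hypothetical helper for live use.

```python
import re
import socket

# Fix version per the SecurityFocus advisory cited in the thread (id 3087):
# the crc32 compensation attack detector hole was closed in OpenSSH 2.3.0.
CRC32_FIX_VERSION = (2, 3, 0)

# sshd identification line: "SSH-<protoversion>-<softwareversion> [comments]"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH[_-](?P<ver>\d+(?:\.\d+)*)(?P<portable>p\d+)?"
)


def parse_banner(banner):
    """Split an sshd banner into (protocol string, version tuple).

    Returns None when the banner is not an OpenSSH banner; a version
    string like "2.2.0p1" becomes (2, 2, 0), padded to three components
    so that tuples compare correctly.
    """
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    parts = [int(x) for x in m.group("ver").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return m.group("proto"), tuple(parts[:3])


def crc32_detector_exposed(banner):
    """Classify a banner against the crc32 detector hole.

    Returns True  if the server is OpenSSH < 2.3.0 and still speaks
                  protocol 1 (proto "1.5" or "1.99"), where the detector runs;
            False if the version is >= 2.3.0, or the server is protocol-2 only
                  (the compensation attack detector is SSH1 code; SSH2 uses MACs);
            None  if the banner is not OpenSSH and nothing can be said from it.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    proto, version = parsed
    speaks_ssh1 = proto in ("1.5", "1.99")
    return speaks_ssh1 and version < CRC32_FIX_VERSION


def fetch_banner(host, port=22, timeout=5.0):
    """Read the first line sshd sends after connect (hypothetical helper, not run here)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace")
        return f.readline().strip()


# Constructed sample banners keyed by a label; these are not captured from real hosts.
SAMPLE_BANNERS = {
    "rh70-stock":      "SSH-1.99-OpenSSH_2.1.1",    # the 2.1.1 the post says RH 7.0 ships
    "apache-reported": "SSH-1.99-OpenSSH_2.2.0p1",  # "OpenSSH 2.2" as reported in the post
    "fixed":           "SSH-1.99-OpenSSH_2.3.0p1",
    "proto2-only":     "SSH-2.0-OpenSSH_2.2.0p1",
    "not-openssh":     "SSH-1.5-1.2.27",
}


def assess_all(banners=SAMPLE_BANNERS):
    """Map each label to its classification (True / False / None)."""
    return {label: crc32_detector_exposed(b) for label, b in banners.items()}


if __name__ == "__main__":
    for label, verdict in assess_all().items():
        print(f"{label:16s} {SAMPLE_BANNERS[label]:28s} exposed={verdict}")
```

One caveat in the spirit of the post itself: a banner check only sees the upstream version string, so it cannot tell whether a vendor shipped a backported fix (the Redhat erratum mentioned above fixes the hole without the bulletin saying so). Treat True as "needs a look", then confirm against the installed package version and the vendor's errata before deciding.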
More information about the openssh-unix-dev mailing list