Date: 25 June 2002
References: ESB-2003.0036 ESB-2002.303 ESB-2002.306 ESB-2002.307 ESB-2002.308 ESB-2002.312 ESB-2002.313 ESB-2002.314 ESB-2002.321 ESB-2002.329 ESB-2002.331 ESB-2002.390
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2002.05 -- AUSCERT ALERT
Vulnerability in OpenSSH
25 June 2002
===========================================================================
PROBLEM:
A message posted publicly by Theo de Raadt (of OpenBSD and OpenSSH)
has warned of a potentially serious vulnerability in what may be
all versions of sshd(8), up to and including the current release,
OpenSSH 3.3. Excerpts from the original message are included in
this alert.
At this stage, AusCERT is not aware of a new vulnerability being
actively exploited in Australia or elsewhere, nor has explicit
detail of the vulnerability emerged. However, given that there
is now public knowledge of a vulnerability and a mitigating action
is available, this alert is relevant to sites using OpenSSH on
their networks. Members should evaluate the included message with
respect to their situation, and remain aware that implementing
its recommendations may have unintended consequences.
PLATFORM:
Multiple vendors are likely to be affected.
IMPACT:
Unknown at this time.
MITIGATION:
Update to OpenSSH 3.3 or later immediately and enable privilege
separation by setting the following in /etc/ssh/sshd_config, then
restart sshd (or send it SIGHUP) so the new setting takes effect:
UsePrivilegeSeparation yes
Note that OpenSSH 3.3 does not itself fix the bug; privilege
separation only prevents it from being exploited. Update to a
patched release of OpenSSH when it becomes available for your
platform.
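The following script is an added example, not part of the AusCERT alert or of the OpenSSH project. It checks whether a host's sshd_config actually turns privilege separation on and whether the privsep prerequisites are in place before sshd is restarted. It assumes the sshd_config(5) parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins), treats a missing UsePrivilegeSeparation line as "no" as the message above implies, and assumes the OpenSSH 3.3 defaults of an unprivileged account named "sshd" and an empty root-owned chroot directory /var/empty; the account name and directory are parameters so other choices can be checked.

```shell
#!/bin/sh
# Added example (not from the AusCERT alert or the OpenSSH project): verify
# that sshd_config enables privilege separation and that the privsep
# prerequisites exist, so a restart of sshd will really run privsep'd.
#
# Assumptions, not stated in the alert: sshd_config keywords are
# case-insensitive and the first occurrence wins; an absent keyword is
# treated as "no"; the privsep account is "sshd" and the chroot jail is
# /var/empty (the OpenSSH 3.3 defaults), both overridable as arguments.

# privsep_setting CONFIG_FILE -> prints the effective value, "yes" or "no".
privsep_setting() {
    val=$(awk '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        tolower($1) == "useprivilegeseparation" { print tolower($2); exit }
    ' "$1")
    case "$val" in
        yes) echo yes ;;
        *)   echo no ;;   # absent, "no" or malformed: privsep is off
    esac
}

# privsep_user_ok [NAME] -> 0 if the unprivileged privsep account exists.
privsep_user_ok() {
    id "${1:-sshd}" >/dev/null 2>&1
}

# privsep_chroot_ok DIR [OWNER] -> 0 if DIR exists, is owned by OWNER
# (default root), is not group- or world-writable, and is empty, which is
# what the unprivileged child's chroot jail must look like.
privsep_chroot_ok() {
    d=$1
    want=${2:-root}
    [ -d "$d" ] || return 1
    set -- $(ls -ld "$d")            # fields: mode links owner group ...
    mode=$1
    owner=$3
    [ "$owner" = "$want" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group or other write bit set
    esac
    [ -z "$(ls -A "$d")" ] || return 1
    return 0
}

# privsep_check CONFIG_FILE [CHROOT_DIR] [USER] -> 0 when every check
# passes; prints one line per check so the failing prerequisite is named.
privsep_check() {
    cfg=$1; dir=${2:-/var/empty}; usr=${3:-sshd}; rc=0
    if [ "$(privsep_setting "$cfg")" = yes ]; then
        echo "ok   UsePrivilegeSeparation yes in $cfg"
    else
        echo "FAIL UsePrivilegeSeparation is not yes in $cfg"; rc=1
    fi
    if privsep_user_ok "$usr"; then
        echo "ok   account $usr exists"
    else
        echo "FAIL account $usr does not exist"; rc=1
    fi
    if privsep_chroot_ok "$dir"; then
        echo "ok   $dir is an empty, root-owned, non-writable directory"
    else
        echo "FAIL $dir is missing, non-empty, writable or not root-owned"; rc=1
    fi
    return $rc
}

# Usage on a live host: sh privsep_check.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    privsep_check "$@"
fi
```

A non-zero exit from privsep_check means sshd would either start without privilege separation or refuse to start under it; fix the reported item before restarting the daemon.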
AusCERT is currently monitoring this problem. AusCERT will provide
updates on this issue as information becomes available.
- --------------------------BEGIN INCLUDED TEXT--------------------
------- Blind-Carbon-Copy
To: bugtraq@securityfocus.com
cc: dsi@iss.net
cc: announce@openbsd.org
cc: misc@openbsd.org
Subject: Upcoming OpenSSH vulnerability
Date: Mon, 24 Jun 2002 15:00:10 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>
There is an upcoming OpenSSH vulnerability that we're working on with
ISS. Details will be published early next week.
However, I can say that when OpenSSH's sshd(8) is running with priv
separation, the bug cannot be exploited.
OpenSSH 3.3p was released a few days ago, with various improvements
but in particular, it significantly improves the Linux and Solaris
support for priv sep. However, it is not yet perfect. Compression is
disabled on some systems, and the many varieties of PAM are causing
major headaches.
However, everyone should update to OpenSSH 3.3 immediately, and enable
priv separation in their ssh daemons, by setting this in your
/etc/ssh/sshd_config file:
UsePrivilegeSeparation yes
Depending on what your system is, privsep may break some ssh
functionality. However, with privsep turned on, you are immune from
at least one remote hole. Understand?
3.3 does not contain a fix for this upcoming bug.
[ ... ]
Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
lot of that runs as root. But when UsePrivilegeSeparation is enabled,
the daemon splits into two parts. A part containing about 2500 lines
of code remains as root, and the rest of the code is shoved into a
chroot-jail without any privs. This makes the daemon less vulnerable
to attack.
[ ... ]
Let me repeat: even if the bug exists in a privsep'd sshd, it is not
exploitable. Clearly we cannot yet publish what the bug is, or
provide anyone with the real patch, but we can try to get maximum
deployment of privsep, and therefore make it hurt less when the
problem is published.
[ ... ]
OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
On OpenBSD privsep works flawlessly, and I have reports that it is also
true on NetBSD. All other systems appear to have minor or major
weaknesses when this code is running.
------- End of Blind-Carbon-Copy
- --------------------------END INCLUDED TEXT--------------------
- ----------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT
and AusCERT Advisories, and other computer security information.
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call
after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBPRinCyh9+71yA2DNAQFAEwP8DkSw+o9l3tva/2+hYFV3mI/e4cHxhoPg
UAvnfUi5gGjuXCw+SDscIImycoFH3n2sssZo2uvm59Q3IFmuN2EKAjCVhvzGgV5z
4ZBUtsfAPKeNBUMjx3yvnF/ULJ2t8gHudccuNceKpLe3qGtNQ4jtoa6XhE/jxjzc
mNso5FbKhpc=
=FgZm
-----END PGP SIGNATURE-----