Re: sshd exploit

From: bsd-sec@boneyard.lawrence.ks.us
Date: 11/30/01


Date: Fri, 30 Nov 2001 01:30:57 -0600 (CST)
From: <bsd-sec@boneyard.lawrence.ks.us>
To: freebsd-security@freebsd.org

On Thu, 29 Nov 2001, Mike Silbersack wrote:

>
> The CRC bug was fixed in 2.3.0, which was merged into -stable before the
> release of freebsd 4.3. If 3.0.1's giving you any enhanced immunity, it's
> to a bug which has not yet been announced.
>
> If there _is_ a new bug, and it follows the description in the url posted
> earlier in the thread, it's probably also SSHv1 related, and can be
 [...]

Perhaps so. However, at the university department where I work, RH Linux lab
machines running both 2.5.x and 2.9.x versions of OpenSSH were indeed
compromised while running ssh version 1. The only other services with
externally available ports were portmap and syslogd. As a precautionary
measure, SSHv1 has been disabled. Fortunately, for our situation, the ssh.com
folks offer free site licenses for their Win32 client, so we are not suffering
from a lack of a v2 client. Though I appreciate the innocent-until-proven-broken
angle, I believe that my experiences, as well as those of other admins
that do not have the time/knowledge resources for catching, identifying and
describing such an attack, should not be discounted as paranoid delusions.

As the SSH suite of protocols is the mainstay of many systems that are
forced to exist in an "open" (flat/broadcast) environment, it is worthwhile
to err on the side of caution and encourage others in the same situation
to do the same.

Our FreeBSD/alpha servers were not compromised; however, I am certain that
more credit can be given to the architecture of the hardware than to bug-free
code at this point. I have had this sort of discussion with a few other
departmental *NIX administrators on campus. I would dearly love to be able
to provide irrefutable evidence of my claim. All I can offer is that I am
not so in love with my job as to spend 3 of my 4 days of Thanksgiving break
up at the university recovering workstations unnecessarily.

$3.50

There ya go. Take it or leave it.

Regards,
Stephen

Stephen Spencer |
                | "Come down off the cross.
                | We can use the wood..."
                | T. Waits
