Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
From: Lachlan O'Dea (odela01@ca.com)
Date: 06/25/02
- Next message: Brett Glass: "Re: Time to look put more resources into FreeSSH ?"
- Previous message: patpro: "Re: How to check if "UsePrivilegeSeparation" works in OpenSSH?"
- In reply to: Theo de Raadt: "Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)"
- Next in thread: Alfred Perlstein: "ENOUGH!!! Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)"
- Reply: Alfred Perlstein: "ENOUGH!!! Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 25 Jun 2002 17:15:16 +1000
From: Lachlan O'Dea <odela01@ca.com>
To: Theo de Raadt <deraadt@cvs.openbsd.org>
Theo de Raadt wrote:
> Jason Stone wrote:
>
>> Release now and let the community help you fix the bug (since
>> apparently it's so complicated that you can't fix it right away on your
>> own...).
>
> It took about 3 minutes for the first rev.
So you are saying that you already have a patch that fixes the
vulnerability? If so, it seems to me that delaying the release does more
harm than good.
There is one disadvantage to publicly releasing either the patch or the
details of the vulnerability now: the black hats could use the
information to develop an exploit before people have a chance to protect
themselves.
However, there are a number of advantages to releasing all the
information now:
1) Many OpenSSH users (perhaps the majority) are not in a position to
upgrade to version 3.3. The UsePrivilegeSeparation feature is not
available to them.
2) For users, installing a patched version of their vendor's current
OpenSSH version is the most straightforward solution. Certainly quicker
and less painful than trying to jump to 3.3.
3) It is far easier for vendors to patch the version of OpenSSH they
currently ship than it is to rush out an upgrade to version 3.3 (at
least I think that is the case, I can't be sure since I don't know
anything about the vulnerability). As you noted in your announcement,
version 3.3 has problems on some platforms. It also sounds like vendors
must perform non-trivial work to get UsePrivilegeSeparation to work.
From what you said above, it sounds like the fix for the vulnerability
is fairly simple. Perhaps the FreeBSD security team could have already
committed the fix if they knew what it was.
4) In your announcement, you did not indicate which versions of OpenSSH
are vulnerable. You seem to be saying that we should assume they are all
vulnerable. People may spend significant effort upgrading to version 3.3
and losing the features that don't work on their platform, only to later
discover that they weren't vulnerable in the first place.
5) Everyone's situation is different. Individual administrators may be
able to protect their own systems through other means (perhaps quicker
and easier) than upgrading to version 3.3. However, without any
information about the vulnerability, they are helpless.
In my opinion, the advantages of immediate disclosure outweigh the
disadvantages. You have a different opinion, and yours is the one that
counts in this case. We are all entitled to our opinion, right?
If the fix is a relatively simple one, as I think you are indicating, it
seems that vendors could patch their shipping versions of OpenSSH faster
than an exploit could be developed. As things stand now, we have a whole
bunch of people unable to move to 3.3 who are in the dark and very worried.
> Apparently you have a comprehension difficulty. I urge you to go back
> and re-read what I posted to lots of lists. Perhaps some other people
> can help you.
Apparently I share Jason's comprehension difficulty.
Please note that I'm not complaining about a poor response from the
OpenSSH developers or anything like that. You all do great work. I'm
just saying that, in my opinion, you would do much more good than harm
if you released everything you know about this vulnerability now.
--
Lachlan O'Dea <lodea@vet.com.au>
Computer Associates Pty Ltd
Webmaster
Vet - Anti-Virus Software
http://www.vet.com.au/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message