Re: Upcoming OpenSSH vulnerability
From: Mark Rafn (dagon@dagon.net) Date: 06/25/02
- Next message: Peter Diesner: "Re: ssh forwarding produces "channel 2: open failed ""
- Previous message: Richard E. Silverman: "Re: what does ssh use instead of /bin/login?"
- In reply to: Steven Cardinal: "Re: Upcoming OpenSSH vulnerability"
- Next in thread: toylet: "Re: Upcoming OpenSSH vulnerability"
- Reply: toylet: "Re: Upcoming OpenSSH vulnerability"
From: dagon@dagon.net (Mark Rafn) Date: 25 Jun 2002 18:10:02 GMT
>> http://www.mindrot.org/pipermail/openssh-unix-dev/2002-June/013664.html
Steven Cardinal <nospam.scardinal@yahoo.com> wrote:
>Does anyone at least know if this 'flaw' is exploitable by someone who
>doesn't have a login?
Someone knows, but is apparently not talking. The clear implication
is that there is a remotely exploitable root hole in all installations of
openssh that do not have privilege separation.
Unfortunately, Theo de Raadt completely missed the boat when publishing
this warning. There's not enough information in it to actually evaluate
the risk and know whether it's real or completely theoretical.
The information currently available is:
1) Theo de Raadt claims there is a potential remote root hole
in all versions of openssh, and that privilege separation prevents it
being exploited.
2) Nobody has posted here, the openssh lists, or bugtraq any
confirmation of this.
3) the "warning" was oddly combined with a screed against
vendors/repackagers of openssh. To me, this reduces its credibility.
My opinion and recommendation:
WAG: there is in fact a bug, but it's both very obscure and difficult
to exploit. I expect some installations are vulnerable, but most are
not.
Recommend: upgrade to 3.3p1 and use privilege separation if you can,
wait for the real advisory if it's difficult. In any case, turn on
logging of port 22 in your firewall and watch for any unexplained
connections to sensitive machines.
>We use ssh on numerous systems with RSA keys. No passwords, no root logins,
>etc. Those of us with keys installed on the systems are trusted (we already
>know the root password so we can su to get things done). So I'm not worried
>about a local user getting greater access.
Based on the proposed workaround, I'd guess the flaw is in the
authentication phase (the part that privsep runs in the chroot). It
seems very likely that it would NOT require a valid login to exploit,
but I can't say for sure.
-- Mark Rafn dagon@dagon.net <http://www.dagon.net/>
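The two recommendations above (confirm privilege separation is actually switched on, and watch firewall logs for unexplained connections to port 22) can be checked mechanically. The following is an added example, not code from the original post or from the OpenSSH project. It assumes iptables-style `LOG` output with `SRC=`/`DPT=` fields and bare TCP flag words, a hypothetical trusted network of 192.168.1.0/24, and constructed sshd_config fragments; the log lines are constructed, not a real capture.

```python
import ipaddress
import re

# Constructed sample of iptables LOG output (not a real capture), one packet per line.
SAMPLE_FIREWALL_LOG = """\
Jun 25 18:10:02 gw kernel: SSH-IN: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.5 PROTO=TCP SPT=40322 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 18:11:14 gw kernel: SSH-IN: IN=eth0 OUT= SRC=203.0.113.77 DST=192.168.1.5 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 18:11:15 gw kernel: SSH-IN: IN=eth0 OUT= SRC=203.0.113.77 DST=192.168.1.5 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Jun 25 18:12:00 gw kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.5 PROTO=TCP SPT=33333 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 18:13:30 gw kernel: SSH-IN: IN=eth0 OUT= SRC=192.168.1.21 DST=192.168.1.5 PROTO=TCP SPT=40999 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Constructed sshd_config fragments: one with privsep enabled, one with it commented out.
CONFIG_WITH_PRIVSEP = "Port 22\nUsePrivilegeSeparation yes\nPermitRootLogin no\n"
CONFIG_WITHOUT_PRIVSEP = "Port 22\n# UsePrivilegeSeparation yes\nPermitRootLogin no\n"

# Hypothetical: the only network from which SSH to the sensitive host is expected.
TRUSTED_SOURCES = [ipaddress.ip_network("192.168.1.0/24")]

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_firewall_line(line):
    """Turn one iptables LOG line into a dict of KEY=VALUE fields plus a 'flags' set."""
    fields = {k: v for k, v in KV_RE.findall(line)}
    # TCP flag names (SYN, ACK, ...) appear as bare words, not KEY=VALUE pairs.
    fields["flags"] = set(re.findall(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b", line))
    fields["time"] = " ".join(line.split()[:3])  # syslog "Mon DD HH:MM:SS" prefix
    return fields


def unexplained_ssh_connections(log_text, trusted=TRUSTED_SOURCES):
    """Return (time, src, dst) for each new TCP connection to port 22 from an untrusted source.

    Only a bare SYN counts as a connection attempt; later ACK/PSH packets of the same
    session are ignored so each probe is reported once.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_firewall_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != "22":
            continue
        if "SYN" not in f["flags"] or "ACK" in f["flags"]:
            continue  # not the first packet of a connection
        src = ipaddress.ip_address(f["SRC"])
        if any(src in net for net in trusted):
            continue
        hits.append((f["time"], str(src), f["DST"]))
    return hits


def privsep_enabled(sshd_config_text):
    """True only if sshd_config explicitly sets UsePrivilegeSeparation yes.

    sshd uses the first value it reads for a keyword, so the first match wins here too.
    Relying on whatever the build's default happens to be is deliberately not
    treated as 'enabled'.
    """
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "useprivilegeseparation":
            return parts[1].lower() == "yes"
    return False


if __name__ == "__main__":
    for hit in unexplained_ssh_connections(SAMPLE_FIREWALL_LOG):
        print("unexplained SSH connection:", hit)
    print("privsep on (config 1):", privsep_enabled(CONFIG_WITH_PRIVSEP))
    print("privsep on (config 2):", privsep_enabled(CONFIG_WITHOUT_PRIVSEP))
```

Run against the constructed sample it reports the single SYN from 203.0.113.77 and ignores both the follow-up ACK from the same host and the port 80 probe; the config check reports privsep on for the first fragment and off for the second, where the directive is commented out.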