Forgot your password?
typodupeerror
Security Programming IT Technology

New Vulnerabilities in Portable OpenSSH 324

Posted by michael
from the will-get-it-right-eventually dept.
An anonymous reader writes "The OpenSSH team has uncovered multiple exploitable vulnerabilities in the days-old portable release of OpenSSH. That's right folks: time to patch *again*. 3.7.1p2 is now available. Instructions and mirror list here. Please note that this vulnerability only affects *portable* OpenSSH--so if you are running OpenBSD, you're safe. This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file. Info on the advisory here and here."
This discussion has been archived. No new comments can be posted.

New Vulnerabilities in Portable OpenSSH

Comments Filter:
  • by grub (11606) <slashdot@grub.net> on Tuesday September 23, 2003 @03:02PM (#7036881) Homepage Journal

    From the article: At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled)

    Priviledge Separation saves the day again. I think this is a testament to the forward thinking of the OpenBSD and OpenSSH people: they know that human error introduces potentially exploitable bugs, hence the work that went into PrivSep to minimize the risk.

    "The lengths some people will goto to try and damage Theo's pride" [slashdot.org] Most moronic submitter comment ever.
    • Yes, but what happens when PrivSep is exploited? It too is just like any other code: human written, and potentially weak. It's another layer of security that would have to be bypassed, but it's by no means the end of exploits in other code.
      • by Frymaster (171343) on Tuesday September 23, 2003 @03:10PM (#7036985) Homepage Journal
        writers looking for a typewriter-with-memory would be better served by Notepad or the Mac equivalent.

        your belt may fail
        your suspenders may fail

        if you're really serious about keeping your pants up, use both!

        this is the theory of theo-n-the-openbsd-cats. you used priv sep plus all the other security goodies.

        you don't say that doing nightly backups is a "weak" practice because the backups could fail at the same time as your main drive. do you?

        • i just have a bigger belly now than when i bought my pants, works excellently.

          sure my ass might flash sometime but we all know how easy it is to disable annoying flash ads.
        • "if you're really serious about keeping your pants up, use both!"

          But if you're really, really serious you'll take care that your hips don't disappear.

          Hard for some hackers, I know, but worth it in the pants security field.

          If you're a kilt sort of guy all bets are off though, seeing as they lack any sort of basic security to begin with.

          KFG
      • by grub (11606) <slashdot@grub.net> on Tuesday September 23, 2003 @03:16PM (#7037058) Homepage Journal

        Having a small amount of the sshd code running as root with the 'sshd' user handling the rest helps make it harder for other exploits. I don't think anyone would suggest that PrivSep makes an exploit impossible, but it is another great layer on the security-onion.
    • Unfortunately, privilege separation does not work with with OPIE, the one-time password system.

      So either you run privsep, or you run OTP.

      Without OTP, you'd be crazy to log on to your ssh box from anything but a trusted terminal (e.g. your office workstation or your personal laptop). Without OTP, you cannot log on from a net cafe or anything like that, if you're just slightly security concious.

      So I'm stuck with privsep and no OTP on some machines, and OTP without privsep on another (which I need to be abl
  • hmm (Score:5, Funny)

    by tedtimmons (97599) * on Tuesday September 23, 2003 @03:03PM (#7036885) Homepage
    Who is pam, and what did she have to do with openssh?

    -ted
  • A solution? (Score:5, Funny)

    by gpinzone (531794) on Tuesday September 23, 2003 @03:04PM (#7036911) Homepage Journal
    This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file.

    Wouldn't that prevent anyone from loging-in? I guess that's a solution. Why not disconnect the network cable, too?
  • by Anonymous Coward on Tuesday September 23, 2003 @03:06PM (#7036921)
    Maybe the OSS community needs a Trustworthy Computing initiative =]
    • OpenSSH... A Microsoft product, right? Oppss... Forgot, one can not criticize open source on the same standards we hold "M$" to...
      • by ninewands (105734) on Tuesday September 23, 2003 @03:36PM (#7037285)
        OpenSSH... A Microsoft product, right? Oppss... Forgot, one can not criticize open source on the same standards we hold "M$"

        Well, yes, we should hold them both to the same standard ... so when Microsoft starts announcing it's own self-discovered vulnerabilities and releasing Day-Zero patches to fix them I will be just as critical of OpenSSH security as I am of Windows *cough*security*cough*.
        • Actually, I thought they did. In all the big press cases in the last couple of years a patch has always been available for quite some time before the exploit became public. Think Code Red, Slammer, Blaster, etc. Microsoft does keep it's code pretty solid and secure. Unfortunately there are a lot of paper MCSEs and other unqualified people proclaiming to be administrators out there who wouldn't know how to secure a system if BillG was standing in the room with them telling them how to do it. Microsoft gets a
        • Bravo! I'm glad someone is paying attention to this. Just because we happen to have a community that expects the patch to be available 20 seconds before the first person finds it is no reason to measure Linux and Windows on different yard-sticks. If the OpenSSH team can get a patch to vendors and vendors release a fix within a day or two, then that's what we should expect from Windows. And when Windows doesn't keep to that standard, we should all wonder why.
        • when Microsoft starts announcing it's own self-discovered vulnerabilities and releasing Day-Zero patches to fix them

          They will once the OSS community start providing 0-day enterprise quality patches that actually get regression tested before being installed on mission critical servers. MS may have a few poorly tested patches in its relatively distant history, but MS still puts its patches through far more testing than most OSS patches are put through when released. Testing takes time, period.
  • by Anonymous Coward on Tuesday September 23, 2003 @03:08PM (#7036964)
    Before we all panic, note that PAM is not in the default build.

    It's also not in slackware builds (thanks Patrick).

    • It's also not in slackware builds

      ...like everything else?
  • JEBUS (Score:2, Insightful)

    by tempest303 (259600)
    This is getting ridiculous. Maybe it's time for OpenSSH development to completely halt for the moment, and do some serious auditing? This is just plain sad... I know people have been joking about switching to lsh, but at a current "score" of 3 to 1, I'm starting to consider it, at least for the time being... :-/
    • Re:JEBUS (Score:5, Insightful)

      by Kalzus (86795) on Tuesday September 23, 2003 @03:17PM (#7037065)
      Arguably, this announcement *is* the result of an increase in code vetting on the part of the portable OpenSSH team. Just a thought.
      • Possibly. Perhaps I'm ignorant on the topic, but with auditing, shouldn't they put the vulnerability reports on hold for a short time, especially when there's so many in a row, and just do a sort of "service pack" upgrade?

        Maybe there is no answer, I don't know. At least they get the patches out quickly.
        • Re:JEBUS (Score:3, Informative)

          by Ed Avis (5917)
          One of the principles behind OpenBSD (and therefore OpenSSH) is full disclosure of security vulnerability. They don't want to lie about how secure the software is or try to conceal things from you. Therefore the vulnerability reports (and fixes) are published as soon as possible. In practice, I think they do wait to have a patched version before announcing the bug.
      • Re:JEBUS (Score:4, Insightful)

        by Corgha (60478) on Tuesday September 23, 2003 @03:40PM (#7037330)
        On the contrary, arguably, this announcement is the result of 3.7p1 and 3.7.1p1 being rushed out the door with new, unvetted PAM code.

        That's why it doesn't affect earlier versions.
      • Re:JEBUS (Score:3, Insightful)

        by JoeBuck (7947)

        No, the vulnerabilities are due to new code in 3.7; the Red Hat and Debian people who backported only the security fixes to older OpenSSH versions are safe. They are not old vulnerabilities that were discovered by an increase in code vetting.

    • by pmz (462998)
      This is getting ridiculous.

      Why? Do you know of a tool that provides more milage than OpenSSH while providing pretty darn good security?

      Pretty darn good is all we should ask for, anyway, because near-perfect security requires network isolation and those MAC things people bitch about so much.
    • So... you would rather they NOT annouce that they have found another *possible* exploit and just let it sit there until regular users find them and call for their blood after being exploited? I'd rather have them do the smaller releases like this because it is quicker to examin and see what is being changed, which means Redhat (my distro) will have updated rpm on up2date in about 10 minutes.
  • by avij (105924) * on Tuesday September 23, 2003 @03:15PM (#7037045) Homepage
    The RH-supplied latest OpenSSH (3.5p1-11) doesn't seem to accept the "UsePam no" directive that was suggested as a workaround, so if you go ahead and add that line to your /etc/ssh/sshd_config and say "service sshd restart", SSH will complain about an invalid configuration option and refuse to start. Just for your information..
  • by menscher (597856) <menscher+slashdot&uiuc,edu> on Tuesday September 23, 2003 @03:19PM (#7037075) Homepage Journal
    Just to alleviate some of the panic, RedHat boxes are safe [redhat.com].
    • by Jhon (241832)
      Is that accurate? I read that as saying "With the version shipped with RH and RH Enterprise" -- which is an OLDER version. Doesn't that mean that if an RH user has updated SSH to a newer version, they are vulnerable?
      • Yes, if you have compiled and installed your own and you have the vulnerable version (3.7.1p1 is it?), you will be vulnerable. I think what redhat is trying to say is that any systems that are using their RPMs to keep updated are safe, since they are using an older version of OpenSSH, with backported fixes.
    • by MSG (12810) on Tuesday September 23, 2003 @03:37PM (#7037302)
      Please don't post links to bugzilla. Bugzilla is a database driven application, an linking to it directly from slashdot will certainly swamp that system. The information in the bugzill entry is:

      Opened by mjc@redhat.com (Mark J Cox, Security Response Team Lead) on 2003-09-23 11:16

      http://www.openssh.com/txt/sshpam.adv came out on Sep23 with two new
      vulnerabilities that affect OpenSSH.

      Both these issues only affect OpenSSH 3.7 and 3.7.1. Red Hat Linux and Red Hat
      Enterprise Linux are not vulnerable to these issues as we ship with earlier
      versions (with the addition of backported security fixes for other issues).

      Keeping this bug open for a few days to enable users searching bugzilla to find
      out that they are not vulnerable.
  • by Dr. Bent (533421) <ben AT int DOT com> on Tuesday September 23, 2003 @03:19PM (#7037078) Homepage
    This vulnerability apparently has to do with PAM

    When will people learn that non-stick cooking spray causes more harm than good? Unneeded fat, calories and remote root exploits are just some of the problems caused by these unsavory products. For god's sake, people...there are better ways to dissipate heat and prevent sticking and burning. For one, turn that CPU clock speed down! Just because you can fry an egg on your motherboard, doesn't mean you should! That's what the CD-ROM drive is for!
  • OSS should compete with features and security not number of exploits and patches.

    On second thought, maybe more patches will make IT managers think that OSS=MS in quality and will begin to use OSS more because it is as good as MS.

    NarratorDan
  • Apple just came out with Mac OS X update 10.2.8 which fixed the last OpenSSH exploit. Does anyone know if that updates also covers the new exploit mentioned here? Or should I expect 10.2.9 in a few days?
    • Re:Apple affected? (Score:3, Insightful)

      by bnenning (58349)
      The vulnerability apparently only affects OpenSSH version 3.7, and Mac OS X uses 3.4, so we should be ok.
      • Not so fast! (Score:4, Interesting)

        by MarcQuadra (129430) * on Tuesday September 23, 2003 @03:47PM (#7037419)
        Not so fast!

        The LAST vulnerabilities were for 3.6 and 3.7 as well, but 3.4 COULD be vulnerable as it's now 'off the beaten path' and these vulnerabilities seem to have been discovered in a code audit triggered by the recent attention given to OpenSSH. Apple had to patch their 3.4 version, and I'd expect another minor software update package from Apple in the next few days to address this.

        Anybody out there know if it's easy to build current versions (3.7.1p2, etc.) of OpenSSH on OS X with the developer tools installed, or is there some very compelling reason Apple is sticking to 3.4 and just adding to it?
  • by TheCRE (710241) on Tuesday September 23, 2003 @03:26PM (#7037175)
    In light of the recent CERT/CC advisories regarding security vulnerabilities in the Sendmail and OpenSSH programs (even before the problems with new release of portable Open SSH) the Center for Regulatory Effectiveness' WatchDog Watch discussed the need for open source watchdogs. Please see, www.thecre.com/wdw/20030922_open_source.html Winston Security Director, WatchDog Watch
  • I'm using pretty much the default config file, and I've never intentionally enabled PAM. Here's what the PAM part looks like:

    # Set this to 'yes' to enable PAM authentication (via challenge-response)
    # and session processing. Depending on your PAM configuration, this may
    # bypass the setting of 'PasswordAuthentication'
    #UsePAM yes

    If you have to uncomment out that line to enable PAM authentication, then *not* uncommenting it is equivalent to setting it to "no" (like the advisory says to do) yes? The advisory
  • New Motto (Score:5, Funny)

    by Greyfox (87712) on Tuesday September 23, 2003 @03:28PM (#7037199) Homepage Journal
    15^H^H10 minutes without a remote root exploit!
    • Inefficient! (Score:2, Offtopic)

      by Akardam (186995)
      You backspaced twice, but you only needed to replace the 5 with 0, thus only needing to erase one of the characters. Hence:

      15^H0 minutes without a remote root exploit!

      ... oh, wait. You were doing that for illustratory purposes...

      I reeealy need to get a life...
  • Yippee! (Score:5, Funny)

    by mrpuffypants (444598) * <[moc.liamg] [ta] [stnapyffuprm]> on Tuesday September 23, 2003 @03:32PM (#7037244)
    oooh! Patching every other day is fun!

    This is just like being a MCSE! Now I can hang out with the NT guys and chat about patching!
    • oooh! Patching every other day is fun!

      Fun?

      # apt-get upgrade
      # exit

      Boring. The way it should be.
      • Wait. Shouldn't this be:

        # apt-get update
        # apt-get upgrade
        # exit

        Without the update step, apt wouldn't know about the new packages.

        Although, I suppose you could have the apt-get update step in a cron job.

  • fact of life (Score:4, Insightful)

    by NumLk (709027) on Tuesday September 23, 2003 @03:36PM (#7037288)
    I'm not trying to be a tool here, but seriously, does anyone ever expect any piece of software to be 100% foolproof? Software is complex, and in its complexity lies opportunity for problems to arise. Sometimes they are simple coding mistakes, sometimes they are problems that arise when the software isn't used as its developers envisioned.

    As users of software though, it is irresponsible to assume that just because it is commercial, open source, MS, non-MS, or whoever is the messiah of the day's product that it will never have unexpected problems. Admittedly, some companies software appears to be worse than others, but that is the gamble we take when we build complex systems.

  • Are we sure Microsoft aren't involved in this project in some way?
  • Anyone else running into problems building openssh 3.7.1p2?

    I got p1 to work ok on Mandrake 8.1 system.

    The new version apparently will not allow for keyboard-int authorization. I configured --with-pam and I don't have PAM off in my /etc/ssh/sshd_conf

    I could not even get 3.7.1p1 to compile on an older mandrake box.. Doh. gotta upgrade.

  • The first time I read that I thought I saw SPAM. I blame SPAM for most of my problems now anyway (diet, junk email, etc), so I wasn't too surprised to be adding network security to the list.

    Matt Fahrenbacher
  • I created these a little earlier today:

    http://projects.standblue.net/rpms/openssh/3.7.1p2 / [standblue.net]

    Enjoy.

    • by Anonymous Coward
      Erm, those OSes aren't vulnerable. See the RH Bugzilla page on it -- they're too old to be vulnerable to this.

      Appreciate the work, but there's no need :)

  • More fixes than PAM (Score:4, Informative)

    by Soft (266615) on Tuesday September 23, 2003 @03:59PM (#7037561)
    According to the Changelog:
    - markus@cvs.openbsd.org 2003/09/18 08:49:45
    [deattack.c misc.c session.c ssh-agent.c]
    more buffer allocation fixes; from Solar Designer; CAN-2003-0682;
    it would seem that in addition to the PAM patch, there are more buffer management-related fixes which didn't find their way into 3.7.1p1 but prompted Debian to make a third update [debian.org] to ssh. One may want to update even on OpenBSD or with PAM disabled.
  • by psyconaut (228947) on Tuesday September 23, 2003 @04:02PM (#7037593)
    The poster seems to insinuate that patching again is a chore...security is, by very nature, a moving target. I'm *glad* they find vulnerabilities and post regular patches...proves to me, at least, that somebody is on-the-ball.

    Heck, just be thankful they don't belong to the Microsoft school of security and fixes ;-)

    -psy
  • by Tet (2721) *
    if you are running OpenBSD, you're safe.

    I've heard statements like these again and again, and every time I thank the decision I made to use OpenBSD on our firewalls. Their focus on security really does pay dividends. Yes, they still get it wrong from time to time. But they're far ahead of the rest of the field.

  • Is it actually on any mirror site yet? I tried five, none of them had the new version.
  • Use real ssh. (Score:2, Insightful)

    by Anonymous Coward
    I stopped using OpenSSH last year, These problems were hinted in the massive flaws from last year. Sure everything has flaws, but this is like everyday, for something that we're supposed to trust FOR security. Hell, at this rate, running telnetd is more secure. Its less likely you'll be sniffed then get hit by some passing worm within 5 mins of putting a box online.

    ssh from ssh.fi is more secure out of the box (no ssh1), requires alot less depedencies on other programs, and is more configurable. Not to men
  • 24 hours after release...

    damn.

    At least we know a patch will come about quick.
  • Sorry to say that again, but this is only tip of the iceberg, I guess.

    OpenSSH has grown a little too big to be maintained properly.

    Okay, mod me down again...

  • Hmm... (Score:3, Interesting)

    by Dr Rick (588459) * on Tuesday September 23, 2003 @07:02PM (#7039101)
    Doesn't it seem strange that the finding of multiple bugs in the same piece of open source software in a short period of time is stated as a strength of open source while the same thing in Microsoft software is stated as a weakness... Yes, in the open source case they were found by code inspection and in the case of Microsoft they were found by exploit, but a patch a day is still a patch a day. It's not always a good idea to rush patches out as soon as a potential hole is found...

"Well, social relevance is a schtick, like mysteries, social relevance, science fiction..." -- Art Spiegelman

Working...