From owner-freebsd-security Wed Nov 28 23:28: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id 1C97C37B41E for ; Wed, 28 Nov 2001 23:28:03 -0800 (PST) Received: (qmail 6461 invoked by uid 1000); 29 Nov 2001 07:28:01 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 29 Nov 2001 07:28:01 -0000 Date: Thu, 29 Nov 2001 01:28:01 -0600 (CST) From: Mike Silbersack To: Brett Glass Cc: "f.johan.beisser" , Mauro Dias , Subject: Re: sshd exploit In-Reply-To: <4.3.2.7.2.20011128225341.04672880@localhost> Message-ID: <20011129012235.U6446-100000@achilles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 28 Nov 2001, Brett Glass wrote: > At 10:52 PM 11/28/2001, f.johan.beisser wrote: > > >how long have you known of it? frankly, this is the first i've heard about > >it, let alone the exploit binary. > > I reposted a report by Dave Dittrich to this list about two weeks ago. CERT > has also had it on its Web page for a while now. To sum it up in a few > sentences: Old versions of SSH have been hacked through the SSHv1 protocol, > and the vulnerable code was adopted by OpenSSH, so older versions of that > are vulnerable too. > > My recommendation: compile and install OpenSSH 3.0.1p1. Or, if you need > some of the special integration that's been done in the Ports Collection, > use the latest version that's there (2.9.something the last time I looked). > FreeBSD 4.4-RELEASE shipped with OpenSSH 2.3.0, which may be OK (I'm not > sure just when they fixed the problem). > > --Brett The CRC bug was fixed in 2.3.0, which was merged into -stable before the release of freebsd 4.3. If 3.0.1's giving you any enhanced immunity, it's to a bug which has not yet been announced. If there _is_ a new bug, and it follows the decription in the url posted earlier in the thread, it's probably also SSHv1 related, and can be avoided by disabling protocol 1 support in sshd_config - I find it extremely unlikely that SSH.com and OpenSSH coders made the same mistake in independantly created sshv2 implementations. But, that's only if... I seem to doubt that there's a new bug, given the lack of proof. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message