From owner-freebsd-security Thu Nov 29 10:49: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 6524B37B405 for ; Thu, 29 Nov 2001 10:48:55 -0800 (PST)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id LAA07577; Thu, 29 Nov 2001 11:48:32 -0700 (MST)
Message-Id: <4.3.2.7.2.20011129113349.04722900@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 29 Nov 2001 11:46:50 -0700
To: Kris Kennaway
From: Brett Glass
Subject: Re: sshd exploit
Cc: "f.johan.beisser", Mauro Dias, security@FreeBSD.ORG
In-Reply-To: <20011128233947.C53604@xor.obsecurity.org>
References: <4.3.2.7.2.20011128225341.04672880@localhost> <4.3.2.7.2.20011128221259.04665720@localhost> <20011128214925.P16958-100000@localhost> <4.3.2.7.2.20011128225341.04672880@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 12:39 AM 11/29/2001, Kris Kennaway wrote:

>Not so much with the Flying Fists of Fud, please Brett. If you'd
>actually read the CERT advisory you'd see quite clearly that it was
>fixed over a year ago.

I've read the CERT advisory and also Dittrich's paper. The fact that a vulnerability was fixed in recent versions of the software does not mean that we should be unconcerned.

>Dittrich's analysis also says clearly at the top:
>
>On October 6, 2001, intruders originating from network blocks in the
>Netherlands used an exploit for the crc32 compensation attack detector
>vulnerability to remotely compromise a Red Hat Linux system on the UW
>network running OpenSSH 2.1.1. This vulnerability is described in
>CERT Vulnerability note VU#945216:
>
>i.e. old, old, boring, old.

I've noticed that there's a tendency, among people who keep on the cutting edge, either to forget that there are likely to be a very large number of people running older and/or unpatched systems or to sneer at those people. We should not do that. One of the strengths of BSD UNIX is that it's appliance-like; you can install it and it JUST RUNS. We shouldn't mock people who take advantage of that strength and may not have heard that they have a need to install a patch or upgrade.

In short, the vulnerability may be old, but it's not boring. The effects of an automatic exploit could be devastating. What's more, we do not know whether the binary exploit that's now being distributed across the Net is for this or some other vulnerability.

As Security Officer, have you run the exploit against 4.4-RELEASE to see how it behaves and if 4.4-RELEASE is immune? This is important, since without a disassembly we do not know whether the exploit attacks this vulnerability or a different (possibly related?) one. We also do not know if the claimed fix was fully effective against all possible exploits.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
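The practical question behind this exchange is which hosts on a network still run an sshd exposed to the CRC32 compensation attack detector flaw (VU#945216). The following is an added example, not part of the thread, that classifies collected sshd identification banners; it assumes the fix threshold from the CERT advisory (OpenSSH 2.3.0, which the message itself does not state) and that the detector only runs in the protocol-1 code path, and it uses a constructed sample inventory. A banner check cannot see a fix backported under an older version number, so treat "vulnerable" as a lead to verify on the host, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# First OpenSSH release shipping the corrected CRC32 compensation attack detector
# (CERT VU#945216). Assumption taken from the CERT advisory, not from the message
# above; a banner check cannot see a fix backported under an older version number.
FIXED_OPENSSH = (2, 3, 0)

# Identification string such as "SSH-1.99-OpenSSH_2.1.1": protocol version, then
# the software tag. Only OpenSSH tags are judged; anything else is reported unknown.
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.1.1' -> (2, 1, 1), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def assess_banner(banner: str) -> Dict[str, str]:
    """Classify one sshd banner as vulnerable, patched, not_exposed or unknown."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return {"banner": banner, "status": "unknown", "reason": "not an OpenSSH banner"}
    proto, ver = m.group("proto"), m.group("ver")
    # The detector lives in the protocol-1 code path; a server announcing "2.0"
    # speaks protocol 2 only and never runs it.
    if proto == "2.0":
        return {"banner": banner, "status": "not_exposed", "reason": "protocol 2 only"}
    if parse_version(ver) < FIXED_OPENSSH:
        return {"banner": banner, "status": "vulnerable",
                "reason": f"OpenSSH {ver} predates 2.3.0 and protocol 1 is enabled"}
    return {"banner": banner, "status": "patched", "reason": f"OpenSSH {ver} is 2.3.0 or later"}


def triage(banners: List[str]) -> Dict[str, List[str]]:
    """Group an inventory of banners by status so exposed hosts surface first."""
    groups: Dict[str, List[str]] = {}
    for banner in banners:
        groups.setdefault(assess_banner(banner)["status"], []).append(banner)
    return groups


# Constructed sample inventory (not real hosts); the first entry mirrors the
# OpenSSH 2.1.1 host described in Dittrich's analysis.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.1.1",
    "SSH-1.5-OpenSSH_2.2.0p1",
    "SSH-1.99-OpenSSH_2.9",
    "SSH-2.0-OpenSSH_2.9p2",
    "SSH-1.5-1.2.27",
]
```

Run `triage(SAMPLE_BANNERS)` over banners gathered by your own inventory tooling; the "unknown" bucket (non-OpenSSH servers) needs a different check, since the same flaw also affected other SSH-1 implementations.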