From: Kris Kennaway
To: Brett Glass
Cc: Kris Kennaway, "f.johan.beisser", Mauro Dias, security@FreeBSD.ORG
Subject: Lack of evidence for new SSH vulnerability
Date: Thu, 29 Nov 2001 18:45:21 -0800
Message-ID: <20011129184521.B66815@xor.obsecurity.org>
In-Reply-To: <4.3.2.7.2.20011129113349.04722900@localhost>; from brett@lariat.org on Thu, Nov 29, 2001 at 11:46:50AM -0700

On Thu, Nov 29, 2001 at 11:46:50AM -0700, Brett Glass wrote:
> At 12:39 AM 11/29/2001, Kris Kennaway wrote:
>
> >Not so much with the Flying Fists of Fud, please Brett. If you'd
> >actually read the CERT advisory you'd see quite clearly that it was
> >fixed over a year ago.
>
> I've read the CERT advisory and also Dittrich's paper. The fact
> that a vulnerability was fixed in recent versions of the software
> does not mean that we should be unconcerned.

Your email described how you upgraded to the latest version of OpenSSH
because you weren't sure whether the version currently in FreeBSD was
affected by the vulnerability described in the CERT and Dittrich
reports. That indicates you had no clue what was going on, since both
documents quite clearly refer to versions of OpenSSH which were
included in FreeBSD a year ago, the CERT advisory explicitly states
when the problem was fixed (a year ago), and links to the FreeBSD
advisory which also says clearly that we fixed it a year ago.

> >Dittrich's analysis also says clearly at the top:
> >
> >On October 6, 2001, intruders originating from network blocks in the
> >Netherlands used an exploit for the crc32 compensation attack detector
> >vulnerability to remotely compromise a Red Hat Linux system on the UW
> >network running OpenSSH 2.1.1. This vulnerability is described in
> >CERT Vulnerability note VU#945216:
> >
> >i.e. old, old, boring, old.
>
> In short, the vulnerability may be old, but it's not boring. The effects
> of an automatic exploit could be devastating.

If you're concerned that people can't read the advisories we release
in a timely fashion, then a reasonable solution would be to send email
saying:

-----
Heads up! If you haven't upgraded your 4.2-RELEASE (or earlier)
systems yet, you need to do so because people have started exploiting
the version of SSH which was included in that. This vulnerability was
announced by FreeBSD in February 2001 and is described in the advisory
located at

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc

If you've upgraded since then, you're fine.
-----

There's a lot of hysteria floating around about a "new ssh exploit";
your message was feeding that hysteria because it contained incorrect
statements about the known facts, and so I was trying to dispel it.
The hysteria seems to be based on the following chain of events:

1) Dave Dittrich writes about how an OpenSSH 2.1.1 box was exploited
   using the vulnerability published and fixed a year ago

2) CERT update their advisory for the vulnerability published and
   fixed a year ago (I don't know what; probably additional details
   from Dittrich, or maybe in response to #3)

3) An exploit for the vulnerability published and fixed a year ago is
   circulated. The exploit only mentions working against versions
   vulnerable to the old problem (2.2.0p1 and earlier), but many
   people assume it is effective against current versions since it's
   only making the rounds now. This is compounded by the fact that the
   exploit is being circulated in a poorly documented, encrypted,
   binary-only form, which makes its function and scope mysterious.

4) People send emails suggesting that 2.9 is still vulnerable to the
   2.2.0p1 bug, based on misunderstanding of 1), 2) and 3)

5) Kris gets annoyed

> What's more, we do not know whether the binary exploit that's now being
> distributed across the Net is for this or some other vulnerability.
> As Security Officer, have you run the exploit against 4.4-RELEASE to
> see how it behaves and if 4.4-RELEASE is immune?

The only details I've received about this "new" exploit fall into
three classes:

a) Rumours that 2.9 is vulnerable to a root exploit, with no
   substantiating evidence. See #4 above for probable explanation.

b) Copies of the exploit for 2.2.0p1 (I've received 5 so far, mostly
   from people who think it's a 2.9 exploit). See #3 above for
   probable explanation.

c) Evidence that people are actively trying to exploit the 2.2.0p1
   (CRC) vulnerability. Evidence of failure against newer versions
   which are believed to be not vulnerable to it anyway.

I have not been able to get this exploit to do anything against the
current FreeBSD version of OpenSSH (2.9), consistent with the
hypothesis that it is, in fact, an exploit for the 2.2.0p1 bug fixed a
year ago.

> This is important, since without a disassembly we do not know
> whether the exploit attacks this vulnerability or a different
> (possibly related?) one. We also do not know if the claimed fix was
> fully effective against all possible exploits.

Those who reviewed the fix believe it to be effective. There's no
evidence to the contrary. I've seen no evidence of an OpenSSH 2.9
vulnerability; if anyone can provide some, please forward it to
security-officer@FreeBSD.org.

If you're paranoid, disable your SSH daemons or take whatever other
action you feel to be appropriate; if you're not, we'll tell you as
soon as we know of any actual security problem in FreeBSD. That's all
I have to say about this matter until then.

Kris
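An added example, not part of Kennaway's message or of any FreeBSD tooling: a small Python audit that parses OpenSSH server banners and classifies each one against the boundary the message states (2.2.0p1 and earlier affected by the CRC32 compensation attack detector bug, 2.9 not). The banner strings are constructed, and the "FreeBSD localisations" suffix format is an assumption.

```python
import re
from typing import Optional, Tuple

# Constructed sample banners (not captured from any real host). The FreeBSD
# suffix format is an assumption for illustration only.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.1.1",
    "SSH-1.99-OpenSSH_2.2.0p1",
    "SSH-2.0-OpenSSH_2.3.0p1",
    "SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202",
    "SSH-2.0-OpenSSH_2.9p2",
    "SSH-1.5-1.2.27",   # not OpenSSH at all; cannot be classified here
]

# Last upstream version the message describes as affected by the CRC32
# compensation attack detector bug ("2.2.0p1 and earlier"). The portable
# release suffix (pN) does not change the upstream version being compared.
LAST_AFFECTED = (2, 2, 0)

_BANNER_RE = re.compile(
    r"^SSH-\d+\.\d+-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?\b"
)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for an OpenSSH banner, or None if the
    server is not OpenSSH. A missing patch component counts as 0, so
    'OpenSSH_2.9' becomes (2, 9, 0)."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def classify(banner: str) -> str:
    """'affected', 'not-affected', or 'unknown' (non-OpenSSH server)."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"
    return "affected" if version <= LAST_AFFECTED else "not-affected"


def audit(banners) -> dict:
    """Map each banner to its verdict so the result can be reviewed in bulk."""
    return {b: classify(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in audit(SAMPLE_BANNERS).items():
        print(f"{verdict:13s} {banner}")
```

A banner version can lag behind or misrepresent what a vendor actually patched, so a verdict here is a triage signal to check against the FreeBSD advisory, not proof either way.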