Date: Fri, 30 Nov 2001 01:30:57 -0600 (CST)
From: <bsd-sec@boneyard.lawrence.ks.us>
To: freebsd-security@freebsd.org
Subject: Re: sshd exploit
Message-ID: <Pine.BSF.4.10.10111300105070.99377-100000@madeline.boneyard.lawrence.ks.us>
In-Reply-To: <20011129012235.U6446-100000@achilles.silby.com>
On Thu, 29 Nov 2001, Mike Silbersack wrote:
>
> The CRC bug was fixed in 2.3.0, which was merged into -stable before the
> release of freebsd 4.3. If 3.0.1's giving you any enhanced immunity, it's
> to a bug which has not yet been announced.
>
> If there _is_ a new bug, and it follows the description in the url posted
> earlier in the thread, it's probably also SSHv1 related, and can be
[...]
Perhaps so. However, at the university department where I work, RH Linux lab
machines running both 2.5.x and 2.9.x versions of OpenSSH were indeed
compromised while running ssh version 1. The only other services with
externally available ports were portmap and syslogd. As a precautionary
measure, SSHv1 has been disabled. Fortunately, for our situation, the ssh.com
folks offer free site licenses for their Win32 client, so we are not suffering
from a lack of a v2 client. Though I appreciate the innocent-until-proven-broken
angle, I believe that my experiences, as well as those of other admins
that do not have the time/knowledge resources for catching, identifying and
describing such an attack, should not be discounted as paranoid delusions.
As the SSH suite of protocols is the mainstay of many systems that are
forced to exist in an "open" (flat/broadcast) environment, it is worthwhile
to err on the side of caution and encourage others in the same situation
to do the same.
Our FreeBSD/alpha servers were not compromised; however, I am certain that
more credit can be given to the architecture of the hardware than to bug-free
code at this point. I have had this sort of discussion with a few other
departmental *NIX administrators on campus. I would dearly love to be able
to provide irrefutable evidence of my claim. All I can offer is that I am
not so in love with my job as to spend 3 of my 4 days of Thanksgiving break
up at the university recovering workstations unnecessarily.
$3.50
There ya go. Take it or leave it.
Regards,
Stephen
Stephen Spencer |
| "Come down off the cross.
| We can use the wood..."
| T. Waits
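The precaution described in the message above is disabling SSH protocol 1 in sshd. The following POSIX shell audit script is an added example, not part of the original post or of any OpenSSH code: it reads an sshd_config and reports whether protocol 1 is still permitted. It assumes the behaviour of OpenSSH of that era, where a missing Protocol directive defaults to "2,1" (v1 allowed) and the first matching directive wins; the sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# audit_ssh_protocol FILE
# Prints "v1-enabled" (exit 1) if the sshd_config at FILE permits SSH
# protocol 1, or "v2-only" (exit 0) if it restricts sshd to protocol 2.
audit_ssh_protocol() {
    cfg="$1"
    # Assumption (OpenSSH 2.x/3.x behaviour): the first uncommented
    # "Protocol" directive wins; if none is present the default is "2,1".
    proto=$(awk 'tolower($1) == "protocol" && p == "" { p = $2 }
                 END { print (p == "" ? "2,1" : p) }' "$cfg")
    case ",$proto," in
        *,1,*) echo "v1-enabled"; return 1 ;;
        *)     echo "v2-only";    return 0 ;;
    esac
}

# Demonstration on constructed sample configurations.
demo_dir=$(mktemp -d)
printf 'Port 22\nProtocol 2\n'          > "$demo_dir/hardened"
printf 'Port 22\n'                      > "$demo_dir/defaults"
printf '#Protocol 2\nProtocol 2,1\n'    > "$demo_dir/both"
for f in hardened defaults both; do
    printf '%s: ' "$f"
    audit_ssh_protocol "$demo_dir/$f" || true
done
rm -rf "$demo_dir"
```

Run it against /etc/ssh/sshd_config on each host; a "v1-enabled" result means the daemon still negotiates the older protocol, so the fix is an explicit "Protocol 2" line followed by a restart of sshd.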