From: Stephen Spencer (via freebsd-security)
Date: Fri, 30 Nov 2001 01:30:57 -0600 (CST)
To: freebsd-security@freebsd.org
Subject: Re: sshd exploit
In-Reply-To: <20011129012235.U6446-100000@achilles.silby.com>

On Thu, 29 Nov 2001, Mike Silbersack wrote:

> The CRC bug was fixed in 2.3.0, which was merged into -stable before the
> release of FreeBSD 4.3. If 3.0.1's giving you any enhanced immunity, it's
> to a bug which has not yet been announced.
>
> If there _is_ a new bug, and it follows the description in the URL posted
> earlier in the thread, it's probably also SSHv1 related, and can be
[...]

Perhaps so. However, at the university department where I work, RH Linux lab machines running both 2.5.x and 2.9.x versions of OpenSSH were indeed compromised while running ssh version 1. The only other services with externally available ports were portmap and syslogd. As a precautionary measure, SSHv1 has been disabled. Fortunately, for our situation, the ssh.com folks offer free site licenses for their Win32 client, so we are not suffering from a lack of a v2 client.

Though I appreciate the innocent-until-proven-broken angle, I believe that my experiences, as well as those of other admins that do not have the time/knowledge resources for catching, identifying and describing such an attack, should not be discounted as paranoid delusions. As the SSH suite of protocols is the mainstay of many systems that are forced to exist in an "open" (flat/broadcast) environment, it is worthwhile to err on the side of caution and encourage others in the same situation to do the same.

Our FreeBSD/alpha servers were not compromised; however, I am certain that more credit can be given to the architecture of the hardware than to bug-free code at this point.

I have had this sort of discussion with a few other departmental *NIX administrators on campus. I would dearly love to be able to provide irrefutable evidence of my claim. All I can offer is that I am not so in love with my job as to spend 3 of my 4 days of Thanksgiving break up at the university recovering workstations unnecessarily.

$3.50

There ya go. Take it or leave it.

Regards,
Stephen

Stephen Spencer | "Come down off the cross. We can use the wood..." | T. Waits