From owner-freebsd-announce Mon Feb 12 16:50:59 2001
Date: Mon, 12 Feb 2001 16:50:46 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:24                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          SSH1 implementations may allow remote system, data compromise

Category:       core/ports
Module:         openssh, ssh
Announced:      2001-02-12
Credits:        Michal Zalewski (Vulnerability 1)
                Core-SDI (http://www.core-sdi.com) (Vulnerability 2)
Affects:        FreeBSD 4.x, 4.2-STABLE prior to the correction date
                Ports collection prior to the correction date.
Corrected:      OpenSSH [FreeBSD 4.x base system]:
                  2000-12-05 (Vulnerability 1)
                  2001-02-11 (Vulnerability 2)
                OpenSSH [ports]:
                  2001-02-09 (Vulnerability 1)
                  2001-02-11 (Vulnerability 2)
                ssh [ports]:
                  2001-02-09 (Vulnerability 1)
                  2001-02-09 (Vulnerability 2)
Vendor status:  Patches released.
FreeBSD only:   NO

I.   Background

OpenSSH is an implementation of the SSH1 and SSH2 secure shell protocols
for providing encrypted and authenticated network access, which is
available free for unrestricted use.

An SSH1 client/server (ssh) from ssh.com is included in the ports collection.
This software is not available free of charge for all uses, and the FreeBSD
Security Officer does not recommend its use.

II.  Problem Description

There are two flaws in the SSH1 protocol as implemented by OpenSSH and ssh.

Vulnerability 1: An integer overflow may allow arbitrary remote users to
obtain root permissions on the server running sshd. This is due to a coding
mistake in code intended to work around a protocol flaw in the SSH1
protocol. This vulnerability was corrected in OpenSSH 2.3.0, which was
committed to FreeBSD 4.2-STABLE on 2000-12-05.

Vulnerability 2: Remote attackers who can observe the encrypted contents of
a user's SSH1 session, and who have the ability to mount large numbers of
connections to the SSH1 server, may be able to break the transient server
key used by the server to negotiate encryption parameters for the session,
and from there can decrypt the entire contents of the snooped connection.
The transient key has a lifetime of only one hour by default, but all
snooped SSH1 sessions captured within this timeframe may be broken if the
attack is successful.

This attack is mitigated by the requirement to initiate large numbers of
SSH1 protocol connections to the server during the lifetime of the key. On
average a sustained connection rate of around 400 connections and SSH1
protocol handshakes must be carried out per second to have a high chance of
succeeding within the 1 hour lifetime of the server key. OpenSSH contains
rate-limiting code which will limit the number of outstanding connections
to a fraction of this number in the default configuration, and
computational and network limitations may reduce this number still further.
Therefore, though the potential impact of this flaw is great, it is made
very difficult to exploit in practice. However, note that even though the
chances of success are reduced, the vulnerability is not eliminated.
OpenSSH is installed if you chose to install the 'crypto' distribution at
install-time or when compiling from source, and is installed and enabled by
default as of FreeBSD 4.1.1-RELEASE. By default SSH1 protocol support is
enabled. If SSH1 protocol support has been disabled in OpenSSH, it is not
vulnerable to these attacks. They do not affect implementations of the SSH2
protocol, such as OpenSSH run in SSH2-only mode.

Versions of the OpenSSH port prior to openssh-2.2.0_2, and versions of the
ssh port prior to ssh-1.2.27_3 are vulnerable to these attacks.

III. Impact

Arbitrary remote users may be able to execute arbitrary code as root on an
SSH1 server accepting connections via the SSH1 protocol.

Remote users who can snoop the encrypted contents of SSH1 sessions
belonging to other users, and who can mount a very high rate of connections
to the server, may be able to mount an attack leading to the ability to
decrypt these sessions. This attack may disclose account password details
as well as other sensitive data.

IV.  Workaround

If you are running sshd, disable the use of the SSH1 protocol in OpenSSH.
SSH1 contains inherent protocol deficiencies and is not recommended for use
in high-security environments. Note that some third-party SSH clients are
not capable of using the SSH2 protocol; however, the OpenSSH client
(version 2.1 and later) included in FreeBSD is SSH2-capable.

To disable SSH1, add the following line to the /etc/ssh/sshd_config file
(/usr/local/etc/sshd_config for the OpenSSH port):

Protocol 2

and remove any other "Protocol" directives from that file. Execute the
following command as root:

# kill -HUP `cat /var/run/sshd.pid`

This will cause the parent process to reread its configuration file, and
should not interfere with existing SSH sessions.

V.   Solution

--[OpenSSH - base system]-----

One of the following:

1) Upgrade to FreeBSD 4.2-STABLE after the correction date.
Note that these versions of FreeBSD contain a newer version of OpenSSH
(version 2.3.0) than was in 4.2-RELEASE (version 2.2.0).

2) Download the patch and detached PGP signature from the following
location:

The following patch applies to FreeBSD 4.2-RELEASE.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch.asc

The following patch applies to FreeBSD 4.2-STABLE which is running OpenSSH
2.3.0 (4.2-STABLE dated after 2000-12-05).

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src/crypto/openssh
# patch -p < /path/to/patch
# cd /usr/src/secure/lib/libssh
# make all
# cd /usr/src/secure/usr.bin/ssh-agent
# make all install
# cd /usr/src/secure/usr.sbin/sshd
# make all install

Finally, if sshd is already running then kill and restart the sshd daemon:
perform the following command as root:

# kill -KILL `cat /var/run/sshd.pid` && /usr/sbin/sshd

This will not affect sessions in progress.

--[OpenSSH - port]-----

Use one of the following options to upgrade the OpenSSH software, then kill
and restart the sshd daemon if it is already running. This will not affect
sessions in progress. To kill and restart the sshd daemon, perform the
following command as root:

# kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd

1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0_2.tgz

NOTE: It may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at this
time due to lack of build resources.

3) Download a new port skeleton for the OpenSSH port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

--[ssh - port]-----

Use one of the following options to upgrade the ssh software, then kill and
restart the sshd daemon if it is already running. This will not affect
sessions in progress. To kill and restart the sshd daemon, perform the
following command as root:

# kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd

1) Upgrade your entire ports collection and rebuild the ssh port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/ssh-1.2.27_3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/ssh-1.2.27_3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/ssh-1.2.27_3.tgz

NOTE: It may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at this
time due to lack of build resources.

3) Download a new port skeleton for the OpenSSH port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Wed Feb 14 9:26:52 2001
Date: Wed, 14 Feb 2001 09:26:39 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:25.kerberosIV
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:25                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Local and remote vulnerabilities in Kerberos IV

Category:       core
Module:         libkrb, telnetd
Announced:      2001-02-14
Credits:        Jouko Pynnönen
Affects:        FreeBSD 4.2-STABLE and 3.5-STABLE prior to the correction dates.
Corrected:      2000-12-13 (FreeBSD 4.2-STABLE)
                2000-12-15 (FreeBSD 3.5-STABLE)
FreeBSD only:   NO

I.   Background

telnetd is the server for the telnet remote login protocol, which is
available with optional support for the Kerberos authentication protocol.
libkrb is the library used for Kerberised applications (including telnetd
and login). FreeBSD includes the KTH Kerberos implementation, which is
externally maintained, contributed software, as an optional part of the
base system.

II.  Problem Description

The advisory describes three vulnerabilities: first, an overflow in the
libkrb KerberosIV authentication library; second, improper filtering of
environment variables by the KerberosIV-adapted telnet daemon; and finally,
a temporary file vulnerability in the KerberosIV ticket management code.

A buffer overflow exists in the libkrb Kerberos authentication library,
which may be exploitable by malicious remote authentication servers. This
vulnerability exists in the kdc_reply_cipher() call. An attacker may be
able to overflow this buffer during an authentication exchange, allowing
the attacker to execute arbitrary code with the privileges of the caller
of kdc_reply_cipher().

The telnet protocol allows for UNIX environment variables to be passed
from the client to the user login session on the server. The base system
telnet daemon, telnetd, goes to great lengths to limit the variables passed
so as to prevent them from improperly influencing the login and
authentication mechanisms. The telnet daemon used with KerberosIV relied
on an incomplete list of improper environment variables to remove from the
environment before executing the login program. This is a similar
vulnerability to that described in Security Advisory 00:69.

Two environment variables have been identified that place users of
Kerberos at risk. The first allows the remote user to change the Kerberos
server used for authentication requests, increasing the opportunity for an
attacker to exploit the buffer overflow. The second allows the
configuration directory for Kerberos to be modified, allowing an attacker
with the right to modify the local file system to cause Kerberos to
authenticate using an improper configuration (including Kerberos realm and
server configuration, as well as srvtab). These vulnerabilities may be
used to leverage root access.
A race condition exists in the handling of ticket files in /tmp; this
vulnerability may be exploited by a local user to gain ownership of
arbitrary files in the file system. This vulnerability can be leveraged to
gain root access.

These vulnerabilities only exist on systems which have installed the
optional Kerberos IV distribution (whether or not it is configured), which
is not installed by default.

III. Impact

If your system has the KerberosIV distribution installed, remote and local
users may be able to obtain root privileges on the local system.

IV.  Workaround

To prevent remote root compromise via the telnet service, disable the
telnet service, which is usually run out of inetd: comment out the
following lines in /etc/inetd.conf, if present.

telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd

The local root compromise cannot be easily worked around.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.2-STABLE or 3.5-STABLE after
the respective correction dates.

2) Apply the relevant patch from below and recompile the affected files:

Download the relevant patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.

[FreeBSD 4.2]
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.4.2.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.4.2.patch.asc

[FreeBSD 3.5.1]
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.3.5.1.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.3.5.1.patch.asc

NOTE: This patch assumes you have already applied the patch in security
advisory SA-00:69.
Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/kerberosIV
# make depend && make all install
# cd /usr/src/libexec/telnetd
# make depend && make all install

From owner-freebsd-announce Thu Feb 15 0:17:16 2001
Date: Thu, 15 Feb 2001 02:03:10 -0500 (EST)
From: Chris Coleman
To: announce@freebsd.org
Subject: Apple to include BSD in WWDC

Apple has just announced their annual World Wide Developer Conference to
be held May 21 - 25, 2001

http://www.apple.com/developer/wwdc2001/daemonnews.html

If you find yourself wondering why you should attend, let me see if I can
help.
In addition to the regular Mac OS application development, this year Apple
has added conference tracks for BSD UNIX and Darwin. Apple's acknowledgement
and use of BSD in their core operating system is a big boost to the growing
BSD userbase. In return, we need to show Apple our support as a BSD
developer community.

So, visit the Conference website and register. If you can't make it to the
conference, be sure to check out what they are offering and give feedback
to show your support and interest. Let's show Apple that they have chosen
the best technology to base their future on.

-Chris Coleman
Daemon News

http://www.apple.com/developer/wwdc2001/daemonnews.html

I have listed the conference tracks for BSD and Darwin:

BSD UNIX

The kernel architecture of Mac OS X includes operating system services
derived from FreeBSD (Berkeley Software Distribution), a version of 4.4BSD
that offers advanced networking, performance, security, and compatibility
features. In addition, new technologies, such as the I/O Kit and Network
Kernel Extensions (NKEs), have been designed and engineered by Apple to
take advantage of advanced capabilities such as those provided by an
object-oriented programming model.

WWDC 2001 will include sessions that cover the following related topics:

    Utilizing BSD within Mac OS X
    Mac OS X kernel extensions
    The I/O Kit: file system, storage drivers, and networking hardware

Darwin

The stability of Mac OS X begins with Darwin, the open source core of the
Mac OS X. Darwin integrates a number of technologies, including the Mach
3.0 kernel, operating system services based on BSD UNIX, high-performance
networking facilities, and support for multiple integrated file systems.
Darwin's modular design provides the flexibility that allows developers to
provide additional system functionality along with support for new and
innovative hardware products.
WWDC 2001 will include sessions that cover the following related topics:

    Darwin, the open source foundation of Mac OS X
    Open Source at Apple

----- End forwarded message -----
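Following up the two advisories above (SA-01:24 and SA-01:25), here is an added example that is not part of any of the messages: a small POSIX sh audit for the two workarounds they give, "Protocol 2" as the only Protocol directive in sshd_config, and the telnet entries commented out of inetd.conf. The function names (ssh1_enabled, telnet_enabled) and the sample configuration contents are this example's own and are constructed inline.

```shell
#!/bin/sh
# Added example (not from the advisories): audit a host for the two
# workarounds, SSH1 disabled in sshd_config (SA-01:24) and telnet disabled
# in inetd.conf (SA-01:25). All file contents below are constructed samples.

# ssh1_enabled FILE -- exit 0 if sshd could still accept SSH1 connections:
#   no Protocol directive (SSH1 is enabled by default), a value listing "1",
#   or more than one Protocol directive (the advisory says to remove the rest).
ssh1_enabled() {
    cfg=$1
    # Drop comments, keep Protocol lines (keyword is case-insensitive), print value.
    values=$(sed -e 's/#.*//' "$cfg" | awk 'tolower($1) == "protocol" { print $2 }')
    set -- $values                      # one positional parameter per directive
    [ $# -eq 0 ] && return 0            # absent: default still includes SSH1
    [ $# -gt 1 ] && return 0            # duplicates: workaround incomplete
    case ",$1," in                      # value is a comma list, e.g. "2,1"
        *,1,*) return 0 ;;
    esac
    return 1
}

# telnet_enabled FILE -- exit 0 if inetd.conf still has an uncommented
# telnet entry for tcp or tcp6 (a leading "#" makes $1 "#telnet", no match).
telnet_enabled() {
    awk '$1 == "telnet" && ($3 == "tcp" || $3 == "tcp6") { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
WEAK_SSHD=$tmp/sshd_config.weak; NOPROTO_SSHD=$tmp/sshd_config.default
FIXED_SSHD=$tmp/sshd_config.fixed
WEAK_INETD=$tmp/inetd.conf.weak; FIXED_INETD=$tmp/inetd.conf.fixed

# Constructed sshd_config samples: both protocols, no directive, SSH2 only.
printf 'Port 22\nProtocol 2,1   # both protocols\nPermitRootLogin no\n' >"$WEAK_SSHD"
printf 'Port 22\nPermitRootLogin no\n' >"$NOPROTO_SSHD"
printf 'Port 22\nProtocol 2\nPermitRootLogin no\n' >"$FIXED_SSHD"

# Constructed inetd.conf sample with the two telnet lines from SA-01:25.
cat >"$WEAK_INETD" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
EOF
sed -e 's/^telnet/#telnet/' "$WEAK_INETD" >"$FIXED_INETD"   # the SA-01:25 workaround

for f in "$WEAK_SSHD" "$NOPROTO_SSHD" "$FIXED_SSHD"; do
    if ssh1_enabled "$f"; then echo "$f: SSH1 still accepted"; else echo "$f: SSH2 only"; fi
done
for f in "$WEAK_INETD" "$FIXED_INETD"; do
    if telnet_enabled "$f"; then echo "$f: telnet enabled"; else echo "$f: telnet disabled"; fi
done
```

Point the functions at /etc/ssh/sshd_config (or /usr/local/etc/sshd_config for the port) and /etc/inetd.conf to audit a real host; a zero exit status means the corresponding workaround has not been applied.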