From: "Simon L. Nielsen"
To: Pekka Savola
Cc: freebsd-security@freebsd.org
Date: Mon, 2 Oct 2006 21:11:06 +0200
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:22.openssh
Message-ID: <20061002191105.GB1034@zaphod.nitro.dk>
References: <200609302024.k8UKOjon073315@freefall.freebsd.org>

On 2006.10.01 00:07:02 +0300, Pekka Savola wrote:
> On Sat, 30 Sep 2006, FreeBSD Security Advisories wrote:
> >III. Impact
> >
> >An attacker sending specially crafted packets to sshd(8) can cause a
> >Denial of Service by using 100% of CPU time until a connection timeout
> >occurs. Since this attack can be performed over multiple connections
> >simultaneously, it is possible to cause up to MaxStartups (10 by default)
> >sshd processes to use all the CPU time they can obtain. [CVE-2006-4924]
> >
> >The OpenSSH project believe that the race condition can lead to a Denial
> >of Service or potentially remote code execution, but the FreeBSD Security
> >Team has been unable to verify the exact impact. [CVE-2006-5051]
> >
> >IV. Workaround
> >
> >The attack against the CRC compensation attack detector can be avoided
> >by disabling SSH Protocol version 1 support in sshd_config(5).
> >
> >There is no workaround for the second issue.
>
> Doesn't TCP wrappers restriction mitigate or work around this issue or
> is it done too late?

I'm not sure since I have never really used TCP wrappers, but I would
expect it to work. I generally use firewalls to restrict which IP
addresses are allowed to access services when possible.

--
Simon L. Nielsen
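
The workaround quoted from the advisory above (disabling SSH Protocol version 1 support in sshd_config(5)) can be checked per host; the following is an added example, not part of the original message or the advisory. The function names, the sample files and the built-in default passed as the second argument are assumptions, since the default used when no Protocol line is set depends on the sshd build.

```shell
#!/bin/sh
# Added example, not from the advisory: audit sshd_config for SSH protocol 1.

# Print the Protocol value sshd would use. sshd keeps the first occurrence of
# a keyword; $2 is the assumed built-in default used when no Protocol line is set.
effective_protocol() {
    awk -v def="$2" '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        tolower($1) == "protocol" { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Succeed (exit status 0) when protocol 1 is among the enabled versions.
protocol1_enabled() {
    case ",$(effective_protocol "$1" "$2")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample configurations (not taken from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# Protocol 2' 'Port 22' 'protocol 2,1' 'Protocol 2' > "$tmp/weak"
printf '%s\n' 'Port 22' 'Protocol 2' 'MaxStartups 10' > "$tmp/fixed"
printf '%s\n' 'Port 22' '#Protocol 2' > "$tmp/unset"

for f in weak fixed unset; do
    # Assumption: this build defaults to "2,1" when Protocol is not set.
    if protocol1_enabled "$tmp/$f" "2,1"; then
        echo "$f: protocol 1 ENABLED ($(effective_protocol "$tmp/$f" "2,1"))"
    else
        echo "$f: protocol 1 disabled"
    fi
done
```

The "weak" sample shows why a later `Protocol 2` line is not enough when an earlier line already enabled version 1, and the "unset" sample shows why a commented-out line leaves the result to the build's default.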