From: Brett Glass (brettlariat.org)
Date: Wed Jun 26 2002 - 11:23:14 CDT


Mike:

It is clear that Theo was attempting to have people apply the workaround
which had the least chance of revealing the nature of the bug in advance,
lest it be discovered by others and exploited.

It's truly sad that ISS, which knew about Theo's advisory, released this
information today, instead of next week as Theo asked them to. If Theo's
roadmap for disclosure had been followed, more administrators could have
been informed about the bug, and they would have had time to take
preventive measures through the weekend before the skript kiddies began
their race to exploit the bug. Now, the race has begun. In fact, the
problem has been exacerbated because administrators who *could* have
secured their systems thought they'd have time to do so over the weekend.

Theo made a worthy attempt to minimize harm (which should be the goal of
any security policy). It's a shame that ISS sought the spotlight instead
of doing the same.

--Brett Glass

At 09:10 AM 6/26/2002, Mike Tancsa wrote:

>Also, the ISS advisory states
>
>"Administrators can remove this vulnerability by disabling the
>Challenge-Response authentication parameter within the OpenSSH daemon
>configuration file. This filename and path is typically:
>/etc/ssh/sshd_config. To disable this parameter, locate the
>corresponding line and change it to the line below:
>ChallengeResponseAuthentication no "
>
>This would imply there is a workaround, but the talk beforehand
>
>----quote from Message-Id: <200206242327.g5ONRBLI012690cvs.openbsd.org>---
>
>Bullshit.
>
>You have been told to move up to privsep so that you are immunized by
>the time the bug is released.
>
>If you fail to immunize your users, then the best you can do is tell
>them to disable OpenSSH until 3.4 is out early next week with the
>bugfix in it. Of course, then the bug will be public.
>----end-quote---
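As an added example, not part of the thread or of OpenSSH itself: a small audit of an sshd_config against the two mitigations discussed above (the ISS workaround, `ChallengeResponseAuthentication no`, and Theo's advice to enable privsep). The option names are real sshd_config keywords; the parsing rules, the default values used when a keyword is absent, and the sample configs are assumptions constructed for this example.

```python
import re

# Assumed sshd_config semantics for this example: one keyword per line,
# keywords are case-insensitive, '#' starts a comment, the separator is
# whitespace or '=', and sshd keeps the FIRST value it sees for a keyword.
def parse_sshd_config(text):
    """Return {keyword_lower: value}, keeping only the first setting of each."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_sshd_config(text):
    """Report whether either mitigation from the thread is in effect.

    Assumed defaults when the keyword is absent: ChallengeResponseAuthentication
    is 'yes'; privilege separation is treated as 'no' (the conservative reading
    for a pre-3.4 daemon, where it had to be switched on explicitly).
    """
    s = parse_sshd_config(text)
    cra = s.get("challengeresponseauthentication", "yes").lower()
    privsep = s.get("useprivilegeseparation", "no").lower()
    findings = []
    if cra != "no":
        findings.append("ChallengeResponseAuthentication is not disabled")
    if privsep != "yes":
        findings.append("UsePrivilegeSeparation is not enabled")
    return {"challenge_response": cra, "privsep": privsep,
            "mitigated": cra == "no" or privsep == "yes", "findings": findings}

# Constructed sample: the option is only present as a comment, so the
# default (yes) applies and the host is still exposed.
VULNERABLE_CONFIG = """\
Port 22
Protocol 2
#ChallengeResponseAuthentication no
PasswordAuthentication yes
"""

# Constructed sample with the ISS workaround applied; the later duplicate
# line does not re-enable the option because the first value wins.
WORKAROUND_CONFIG = """\
Port 22
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        print(name, audit_sshd_config(cfg))
```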
