From: Chris Wysopal (weldvulnwatch.org)
Date: Mon Jun 24 2002 - 23:22:00 CDT


    Subject: Upcoming OpenSSH vulnerability
    Date: Mon, 24 Jun 2002 15:00:10 -0600
    From: Theo de Raadt <deraadtcvs.openbsd.org>

    There is an upcoming OpenSSH vulnerability that we're working on with ISS.
    Details will be published early next week.

    However, I can say that when OpenSSH's sshd(8) is running with priv
    separation, the bug cannot be exploited.

    OpenSSH 3.3p was released a few days ago, with various improvements but in
    particular, it significantly improves the Linux and Solaris support for
    priv sep. However, it is not yet perfect. Compression is disabled on some
    systems, and the many varieties of PAM are causing major headaches.

    However, everyone should update to OpenSSH 3.3 immediately, and enable priv
    separation in their ssh daemons, by setting this in your
    /etc/ssh/sshd_config file:

     UsePrivilegeSeparation yes

    Depending on what your system is, privsep may break some ssh functionality.
    However, with privsep turned on, you are immune from at least one remote
    hole. Understand?

    3.3 does not contain a fix for this upcoming bug.

    If priv separation does not work on your operating system, you need to work
    with your vendor so that we get patches to make it work on your system.
    Our developers are swamped enough without trying to support the myriad of
    PAM and other issues which exist in various systems. You must call on your
    vendors to help us.

    Basically, OpenSSH sshd(8) is something like 27000 lines of code. A lot of
    that runs as root. But when UsePrivilegeSeparation is enabled, the daemon
    splits into two parts. A part containing about 2500 lines of code remains
    as root, and the rest of the code is shoved into a chroot-jail without any
    privs. This makes the daemon less vulnerable to attack.

    We've been trying to warn vendors about 3.3 and the need for privsep, but
    they really have not heeded our call for assistance. They have basically
    ignored us. Some, like Alan Cox, even went further stating that privsep
    was not being worked on because "Nobody provided any info which proves the
    problem, and many people dont trust you theo" and suggested I "might be
    feeding everyone a trojan" (I think I'll publish that letter -- it is just
    so funny). HP's representative was downright rude, but that is OK because
    Compaq is retiring him. Except for Solar Designer, I think none of them
    has helped the OpenSSH portable developers make privsep work better on
    their systems. Apparently Solar Designer is the only person who understands
    the need for this stuff.

    So, if vendors would JUMP and get it working better, and send us patches
    IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday which supports
    these systems better. So send patches by Thursday night please. Then on
    Tuesday or Wednesday the complete bug report with patches (and exploits
    soon after I am sure) will hit BUGTRAQ.

    Let me repeat: even if the bug exists in a privsep'd sshd, it is not
    exploitable. Clearly we cannot yet publish what the bug is, or provide
    anyone with the real patch, but we can try to get maximum deployment of
    privsep, and therefore make it hurt less when the problem is published.

    So please push your vendor to get us maximally working privsep patches as
    soon as possible!

    We've given most vendors since Friday last week until Thursday to get
    privsep working well for you so that when the announcement comes out next
    week their customers are immunized. That is nearly a full week (but they
    have already wasted a weekend and a Monday). Really I think this is the
    best we can hope to do (this thing will eventually leak, at which point the
    details will be published).

    Customers can judge their vendors by how they respond to this issue.

    OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. On
    OpenBSD privsep works flawlessly, and I have reports that it is also true on
    NetBSD. All other systems appear to have minor or major weaknesses when
    this code is running.

    (securityfocus postmaster; please post this through immediately, since I
    have bcc'd over 30 other places..)
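The message asks administrators to set `UsePrivilegeSeparation yes` in sshd_config. As an added example (not part of the original message and not OpenSSH code), here is a small C checker that reads an sshd_config text and reports whether that directive is explicitly enabled, following the parsing rules sshd applies to its own file: keywords are case-insensitive, `#` starts a comment, `key=value` is accepted as well as `key value`, and the first occurrence of a keyword wins. The function name `privsep_from_config` and its return convention are this example's own, and it recognises only the `yes`/`no` values that existed in 3.3.

```c
/*
 * Added example, not OpenSSH code: audit an sshd_config text for an explicit
 * "UsePrivilegeSeparation yes" directive (function name and return values are
 * this example's own convention).
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp */

/* Return 1 if the first UsePrivilegeSeparation directive says "yes",
 * 0 if it says anything else (e.g. "no"), and -1 if the directive is absent. */
int privsep_from_config(const char *text)
{
    const char *p = text;
    while (*p != '\0') {
        /* copy one line into a scratch buffer */
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = eol ? eol + 1 : p + len;

        /* '#' begins a comment; drop it and any leading whitespace */
        char *hash = strchr(line, '#');
        if (hash) *hash = '\0';
        char *s = line;
        while (isspace((unsigned char)*s)) s++;
        if (*s == '\0') continue;

        /* keyword token ends at whitespace or '=' (sshd accepts "key=value") */
        char *kw = s;
        while (*s && !isspace((unsigned char)*s) && *s != '=') s++;
        size_t kwlen = (size_t)(s - kw);
        if (kwlen != strlen("UsePrivilegeSeparation") ||
            strncasecmp(kw, "UsePrivilegeSeparation", kwlen) != 0)
            continue;

        /* first occurrence wins: take its value and stop */
        while (isspace((unsigned char)*s) || *s == '=') s++;
        char *val = s;
        while (*s && !isspace((unsigned char)*s)) s++;
        *s = '\0';
        return strcasecmp(val, "yes") == 0 ? 1 : 0;
    }
    return -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/ssh/sshd_config";
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    static char buf[65536];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    int r = privsep_from_config(buf);
    if (r == 1)
        printf("%s: UsePrivilegeSeparation yes\n", path);
    else if (r == 0)
        printf("%s: privilege separation explicitly disabled\n", path);
    else
        printf("%s: UsePrivilegeSeparation not set; add \"UsePrivilegeSeparation yes\"\n", path);
    return r == 1 ? 0 : 1;
}
```

Run it with no arguments to audit /etc/ssh/sshd_config, or pass another path; the exit status is 0 only when the directive is explicitly set to yes, so it drops into a fleet-wide check script easily.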
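The message describes the privsep design in one paragraph: a small part of sshd stays root, the rest is pushed into a chroot jail with no privileges, and the two halves talk to each other. As an added example (not OpenSSH code, and much simpler than sshd's monitor), the C program below shows that pattern in miniature: a privileged "monitor" parent keeps root, the child chroots into an empty directory and drops to an unprivileged uid/gid, and the child can only ask the monitor for a couple of whitelisted operations over a socketpair, each of which the monitor validates before acting. The jail path `/var/empty`, the uid/gid 65534, the message layout and the function names are this example's own assumptions; when the program is started without root it skips the chroot/setuid step so the message exchange can still be observed.

```c
/*
 * Added example, not OpenSSH code: a minimal privilege-separated daemon.
 * Parent = privileged monitor; child = unprivileged, chrooted worker that can
 * only make whitelisted requests. Jail path, ids and message format are
 * placeholders chosen for this example.
 */
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum { REQ_LOG = 1, REQ_AUTH_RESULT = 2 };  /* the only request types the monitor accepts */

struct privsep_msg {
    uint32_t type;
    uint32_t len;           /* bytes of payload in use, including the NUL */
    char     payload[128];
};

/* The monitor trusts nothing from the jailed side: unknown type, zero or
 * oversized length, or a payload without a NUL inside len is refused.
 * Returns 1 if the request may be processed, 0 otherwise. */
int validate_request(const struct privsep_msg *m)
{
    if (m->type != REQ_LOG && m->type != REQ_AUTH_RESULT) return 0;
    if (m->len == 0 || m->len > sizeof m->payload) return 0;
    if (memchr(m->payload, '\0', m->len) == NULL) return 0;
    return 1;
}

/* Give up root permanently: chroot first (needs root), then drop supplementary
 * groups, gid and uid in that order, and verify root cannot be regained.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_to_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) == -1 || chdir("/") == -1) return -1;
    if (setgroups(0, NULL) == -1) return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }  /* drop was not permanent */
    return 0;
}

/* Monitor side: read fixed-size requests, validate, answer with one status byte. */
static void monitor_loop(int fd)
{
    struct privsep_msg m;
    while (read(fd, &m, sizeof m) == (ssize_t)sizeof m) {
        char status = validate_request(&m) ? 'o' : 'x';
        if (status == 'o' && m.type == REQ_LOG)
            printf("monitor: child says \"%s\"\n", m.payload);
        else if (status == 'x')
            printf("monitor: rejected request type %u len %u\n", m.type, m.len);
        if (write(fd, &status, 1) != 1) break;
    }
}

int main(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) { perror("socketpair"); return 1; }
    pid_t pid = fork();
    if (pid == -1) { perror("fork"); return 1; }
    if (pid == 0) {                       /* unprivileged worker */
        close(sv[0]);
        /* placeholder jail and ids; only possible when started as root */
        if (getuid() == 0 && drop_to_jail("/var/empty", 65534, 65534) == -1) {
            perror("drop_to_jail"); _exit(1);
        }
        struct privsep_msg m = { REQ_LOG, 0, "" };
        snprintf(m.payload, sizeof m.payload, "running as uid %u", (unsigned)getuid());
        m.len = (uint32_t)strlen(m.payload) + 1;
        char status = '?';
        if (write(sv[1], &m, sizeof m) != (ssize_t)sizeof m) _exit(1);
        if (read(sv[1], &status, 1) != 1) _exit(1);
        m.type = 99;                      /* not whitelisted: the monitor must refuse it */
        if (write(sv[1], &m, sizeof m) != (ssize_t)sizeof m) _exit(1);
        if (read(sv[1], &status, 1) != 1) _exit(1);
        _exit(status == 'x' ? 0 : 1);
    }
    close(sv[1]);                         /* privileged monitor */
    monitor_loop(sv[0]);
    int st = 0;
    waitpid(pid, &st, 0);
    return WEXITSTATUS(st);
}
```

The point the message makes is visible in the structure: a memory-safety bug in the worker half yields only an unprivileged process inside an empty chroot, and the worker's only route to root-level actions is the handful of request types the monitor is willing to validate and service.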