Re: Upcoming OpenSSH vulnerability

From: Solar Designer (solar@private)
Date: Tue Jun 25 2002 - 11:53:04 PDT


On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
> There is an upcoming OpenSSH vulnerability that we're working on with
> ISS.  Details will be published early next week.
> 
> However, I can say that when OpenSSH's sshd(8) is running with priv
> separation, the bug cannot be exploited.
> 
> OpenSSH 3.3p was released a few days ago, with various improvements
> but in particular, it significantly improves the Linux and Solaris
> support for priv sep.  However, it is not yet perfect.  Compression is
> disabled on some systems, and the many varieties of PAM are causing
> major headaches.
> 
> However, everyone should update to OpenSSH 3.3 immediately, and enable
> priv separation in their ssh daemons, by setting this in your
> /etc/ssh/sshd_config file:
> 
> 	UsePrivilegeSeparation yes

Owl-current has been updated to include OpenSSH 3.3p1 with privilege
separation enabled (and a patch to make that work on Linux 2.2 kernels
which we continue to support).  The updated source tree and packages
went to the FTP mirrors by Monday.

This stuff is, however, still being hacked on because of certain
minor functionality problems that remain in this rushed release.
Expect further updates in the following days and next week.

It is strongly recommended that Openwall GNU/*/Linux (Owl) users
update first to these 3.3p1-based privilege separated update packages
and then to ones based on the upcoming OpenSSH releases.

The details of the changes we apply will be documented in change logs
for the OpenSSH package as well as in the system-wide change logs
under Owl/doc/CHANGES in the native tree, also available via the web:

	http://www.openwall.com/Owl/CHANGES.shtml

The SSH server used to be the only Internet service provided with Owl
that didn't utilize privilege separation approaches.  Now, thanks to
the excellent work by Niels Provos, we are able to provide a system
where all the Internet services are provided with privilege-separated
implementations.  That includes FTP, SMTP, POP3, Telnet, and now SSH.

Those curious about how this all works may see our diagrams of the FTP,
POP3, and Telnet servers in our CanSecWest/core02 / NordU2002 slides:

	http://www.openwall.com/presentations/core02-owl-html+images/

The FTP server is Chris Evans' vsftpd.  The POP3 is popa3d.  And the
Telnet is a port from OpenBSD with privilege separation introduced in
a way similar to what Chris Evans did in his patches to NetKit's (but
the code is different).  In all cases, the processes which talk to the
remote client are running as a dedicated pseudo-user (different for
each service) and chroot'ed to an empty directory (/var/empty).

For the privilege-separated OpenSSH sshd, please refer to Niels Provos'
web page on the topic:

	http://www.citi.umich.edu/u/provos/ssh/privsep.html

The SMTP server is Postfix, with many of its components running in a
chroot jail:

	http://www.postfix.org/security.html
	http://www.postfix.org/big-picture.html

In fact, the checking of file accesses performed by Postfix that we
did as a part of maintenance of the package on Owl has contributed
to making Postfix's privilege separation more solid (starting with the
20011217 snapshot).

-- 
/sd
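
Added example, not part of the original message and not OpenSSH or Owl code: a small Python check for the UsePrivilegeSeparation line quoted above. It assumes sshd takes the first active occurrence of a keyword and matches keywords case-insensitively; the function names and sample configs are constructed for illustration.

```python
import re
import sys

# Constructed sample configs (not taken from any real host).
SAMPLE_OK = """\
# constructed sample
Port 22
useprivilegeseparation = yes
UsePrivilegeSeparation no
"""
SAMPLE_COMMENTED = "Port 22\n#UsePrivilegeSeparation yes\n"
SAMPLE_OFF = "Protocol 2\nUsePrivilegeSeparation\tno\n"


def effective_setting(config_text, keyword="UsePrivilegeSeparation"):
    """Return (value, line_no) of the first active occurrence, else (None, None)."""
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are never active
        # Keyword and argument are separated by whitespace or by a single '='.
        m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", line)
        if m and m.group(1).lower() == keyword.lower():
            # Assumption: the first occurrence wins, later ones are ignored.
            return m.group(2).strip().strip('"'), line_no
    return None, None


def audit(config_text):
    """Classify the config as ENABLED, DISABLED, UNSET or CHECK."""
    value, _ = effective_setting(config_text)
    if value is None:
        return "UNSET"      # only commented out or absent: not explicitly enabled
    if value == "yes":
        return "ENABLED"
    if value == "no":
        return "DISABLED"
    return "CHECK"          # unexpected argument: review the line by hand


if __name__ == "__main__":
    # Usage: python check_privsep.py /etc/ssh/sshd_config
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as fh:
        text = fh.read()
    print(path, audit(text), effective_setting(text))
```

A result of UNSET means the setting is commented out or missing, so the daemon is running with whatever default that sshd build uses rather than the explicit value recommended above.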


