Date: Mon, 24 Jun 2002 15:00:10 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org.>
To: [email protected]Subject: Upcoming OpenSSH vulnerability
Cc: [email protected], [email protected], [email protected]
There is an upcoming OpenSSH vulnerability that we're working on with
ISS. Details will be published early next week.
However, I can say that when OpenSSH's sshd(8) is running with priv
seperation, the bug cannot be exploited.
OpenSSH 3.3p was released a few days ago, with various improvements
but in particular, it significantly improves the Linux and Solaris
support for priv sep. However, it is not yet perfect. Compression is
disabled on some systems, and the many varieties of PAM are causing
major headaches.
However, everyone should update to OpenSSH 3.3 immediately, and enable
priv seperation in their ssh daemons, by setting this in your
/etc/ssh/sshd_config file:
UsePrivilegeSeparation yes
Depending on what your system is, privsep may break some ssh
functionality. However, with privsep turned on, you are immune from
at least one remote hole. Understand?
3.3 does not contain a fix for this upcoming bug.
If priv seperation does not work on your operating system, you need to
work with your vendor so that we get patches to make it work on your
system. Our developers are swamped enough without trying to support
the myriad of PAM and other issues which exist in various systems.
You must call on your vendors to help us.
Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
lot of that runs as root. But when UsePrivilegeSeparation is enabled,
the daemon splits into two parts. A part containing about 2500 lines
of code remains as root, and the rest of the code is shoved into a
chroot-jail without any privs. This makes the daemon less vulnerable
to attack.
We've been trying to warn vendors about 3.3 and the need for privsep,
but they really have not heeded our call for assistance. They have
basically ignored us. Some, like Alan Cox, even went further stating
that privsep was not being worked on because "Nobody provided any info
which proves the problem, and many people dont trust you theo" and
suggested I "might be feeding everyone a trojan" (I think I'll publish
that letter -- it is just so funny). HP's representative was
downright rude, but that is OK because Compaq is retiring him. Except
for Solar Designer, I think none of them has helped the OpenSSH
portable developers make privsep work better on their systems.
Apparently Solar Designer is the only person who understands the need
for this stuff.
So, if vendors would JUMP and get it working better, and send us
patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
which supports these systems better. So send patches by Thursday
night please. Then on Tuesday or Wednesday the complete bug report
with patches (and exploits soon after I am sure) will hit BUGTRAQ.
Let me repeat: even if the bug exists in a privsep'd sshd, it is not
exploitable. Clearly we cannot yet publish what the bug is, or
provide anyone with the real patch, but we can try to get maximum
deployement of privsep, and therefore make it hurt less when the
problem is published.
So please push your vendor to get us maximally working privsep patches
as soon as possible!
We've given most vendors since Friday last week until Thursday to get
privsep working well for you so that when the announcement comes out
next week their customers are immunized. That is nearly a full week
(but they have already wasted a weekend and a Monday). Really I think
this is the best we can hope to do (this thing will eventually leak,
at which point the details will be published).
Customers can judge their vendors by how they respond to this issue.
OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
On OpenBSD privsep works flawlessly, and I have reports that is also
true on NetBSD. All other systems appear to have minor or major
weaknesses when this code is running.
(securityfocus postmaster; please post this through immediately, since
i have bcc'd over 30 other places..)