[svlug] Re: OpenSSH vulnerability (Where's the beef?)

Ira Abramov lists-svlug at ira.abramov.org
Tue Jun 25 15:13:11 PDT 2002


On Tue, 25 Jun 2002, J. Paul Reed wrote:

> Is it just me, or is anyone else... unimpressed with the way Theo De Raadt
> is handling this whole *supposed* OpenSSH "vulnerability"?

I can reply, but the Joe Bruin on slashdot summed it up nicely:

"there's a hole in sshd. we are working on a patch. if we release it
now, you are all f'd, because all your systems will be compromised
before you have time to patch them. we are giving you the next week to
update your sshd, so that you are no longer vulnerable when we publish
the bug+patch. yes, the new sshd has the bug, but is not vulnerable to
it.  if we fixed it now, the black hats will diff the results and be
able to develop a compromise, and you still won't have a patch. oh yeah,
we need your vendors' help so that you're all safe by next week."


> I know this is a Linux list, but I bring it up because I'm getting heat
> from the higher-ups at work to upgrade to OpenSSH 3.3. But I refuse to do
> so without some concrete information on what the vulnerability is and its
> scope, so *I* can assess the threat to *my* systems myself
> (thankyouverymuch Theo).

remote root exploit, full shell on the remote system in seconds, via any
version of OpenSSH since 0.0.

dangerous enough?

solutions - install ssl-telnet, lsh or commercial ssh till the patch
comes out. On potato it's as easy as "apt-get install ssh-nonfree",
making a few adjustments to sshd_config, running the sshd and logging in
again. suboptimal but works.

consider how lucky we are that the ssh is an open protocol and has
several different implementations to rely on in a time of need. consider
the fact the developers found the hole and are working hard on plugging
it before even a single break-in was announced. Theo did the right
thing, you bet.

> I use open source software specifically to limit my having to bend over.

in this case, it's your funeral :)

-- 
Me love you long time
Ira Abramov

http://ira.abramov.org/email/ This post is encrypted twice with ROT-13.
Documenting or attempting to crack this encryption is illegal.



