bsdjunkie
September 16th, 2003, 11:38
OpenSSH 3.7 has been released.
http://www.deadly.org/article.php3?sid=20030916093115

Also, there have been rumors on the security mailing lists that the previous version has an exploit in the wild for non-OpenBSD systems.

soup4you2
September 16th, 2003, 12:04
I saw a bunch of ssh attempts last night... but it mostly looks like somebody lost their way... anyhow, thanks for the notice.

soup4you2
September 16th, 2003, 12:51
Slashdot has a post about a possible hole in ssh now.

So will this mean OpenBSD will lose their streak? Will they have to change their page, considering that ssh is enabled by default on their distribution?

elmore
September 16th, 2003, 14:48
Anyone have the exploit code? Would be nice to see it.

bmw
September 16th, 2003, 15:22
III. Impact

A remote attacker can cause OpenSSH to crash. The bug is not believed
to be exploitable for code execution on FreeBSD.

There may not be any working exploits for this. There's a lot of heat being generated on the lists, but not much light.

frisco
September 16th, 2003, 16:45
There may not be any working exploits for this. There's a lot of heat being generated on the lists, but not much light.

According to http://lists.netsys.com/pipermail/full-disclosure/2003-September/010116.html there is an exploit available for FreeBSD and some linux distros.

bsdjunkie
September 16th, 2003, 16:54
I've received email from the Financial Services ISAC as well saying that it is exploitable. Basically they grabbed info from here:
http://isc.sans.org/diary.html?date=2003-09-16

But this is part of SAIC and Dept of Homeland Security, so they may know more.

soup4you2
September 16th, 2003, 16:54
Well, looking over a buddy of mine's system to help him patch it, I looked at the auth.log and saw this:

[code]
Sep 4 04:22:35 XXXXXXXe sshd[45661]: scanned from XX.XXX.XX.XX with SSH-1.0-SSH_Version_Mapper. Don't panic.
Sep 4 04:22:35 XXXXXXX sshd[45660]: Did not receive identification string from XX.XX.XX.XX
Sep 5 09:10:18 XXXXXXX sshd[47716]: Did not receive identification string from XX.XX.XX.XX
Sep 7 22:49:41 XXXXXXX sshd[51017]: scanned from Xx.XX.XX.XX with SSH-1.0-SSH_Version_Mapper. Don't panic.
Sep 7 22:49:41 XXXXXXX sshd[51016]: Did not receive identification string from XX.XX.XX.XX
[/code]
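
The two message types in that auth.log are easy to turn into a detection: sshd logs "scanned from ... with <banner>. Don't panic." when a client sends a banner it recognises as a known scanner (SSH-1.0-SSH_Version_Mapper is the ScanSSH banner), and "Did not receive identification string" when something connected and hung up without sending any banner at all, which is what a banner-grab looks like from the server side. The script below is an added example, not code from the post; the log lines in it are constructed to match the shape of the ones quoted above, with RFC 5737 documentation addresses in place of the masked IPs, and the `min_events` threshold is an arbitrary choice.

```python
"""Flag hosts that are version-scanning sshd, from auth.log lines.

Added example, not code from the original post. SAMPLE_LOG is constructed
to match the lines quoted in the thread; 192.0.2.10, 198.51.100.7 and
203.0.113.5 are documentation addresses, not real scanners.
"""
import re
from collections import defaultdict

# Syslog prefix: "Mon  d HH:MM:SS host sshd[pid]: ". The day may be padded
# with one or two spaces depending on the syslogd, hence \s+.
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "

# sshd recognises a handful of scanner banners and logs them explicitly.
SCAN_RE = re.compile(
    _PREFIX + r"scanned from (?P<ip>[\d.]+) with (?P<banner>\S+)\. Don't panic\.$"
)
# A TCP connect that never sent an identification string (banner grab,
# port scan, or a broken client).
NOBANNER_RE = re.compile(
    _PREFIX + r"Did not receive identification string from (?P<ip>[\d.]+)$"
)

SAMPLE_LOG = """\
Sep  4 04:22:35 gw sshd[45661]: scanned from 192.0.2.10 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Sep  4 04:22:35 gw sshd[45660]: Did not receive identification string from 192.0.2.10
Sep  5 09:10:18 gw sshd[47716]: Did not receive identification string from 198.51.100.7
Sep  7 22:49:41 gw sshd[51017]: scanned from 192.0.2.10 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Sep  7 22:49:41 gw sshd[51016]: Did not receive identification string from 192.0.2.10
Sep  7 22:50:03 gw sshd[51020]: Accepted publickey for bob from 203.0.113.5 port 40122 ssh2
"""


def summarize(log_text):
    """Return {ip: {"version_probe": n, "no_banner": n, "banners": set()}}.

    Lines that are neither message type (successful logins, etc.) are
    ignored, so a normal user never appears in the summary.
    """
    per_ip = defaultdict(
        lambda: {"version_probe": 0, "no_banner": 0, "banners": set()}
    )
    for line in log_text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            rec = per_ip[m["ip"]]
            rec["version_probe"] += 1
            rec["banners"].add(m["banner"])
            continue
        m = NOBANNER_RE.match(line)
        if m:
            per_ip[m["ip"]]["no_banner"] += 1
    return dict(per_ip)


def scanners(summary, min_events=2):
    """Sources worth a closer look: any explicit version probe, or at least
    min_events connects that never sent a banner. A single empty connect is
    usually noise (a lost client, a monitoring check), so it is not flagged
    by default."""
    out = [
        ip
        for ip, rec in summary.items()
        if rec["version_probe"] or rec["no_banner"] >= min_events
    ]
    return sorted(out)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in scanners(summary):
        rec = summary[ip]
        print(f"{ip}: {rec['version_probe']} version probe(s), "
              f"{rec['no_banner']} empty connect(s), banners={sorted(rec['banners'])}")
```

Fed the sample, it reports only 192.0.2.10; 198.51.100.7 made one empty connect and stays below the threshold, and the successful login from 203.0.113.5 never enters the summary. The output list is the natural input for a pf table or a TCP wrappers deny entry, and a packet capture of the next connect from a flagged address is what you want before deciding whether it was a version mapper or something trying the buffer bug.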

bsdjunkie
September 16th, 2003, 16:56
Do you have a packet capture of it? :wink:

soup4you2
September 16th, 2003, 17:01
Unfortunately no... I need to convince him to set up some sort of IDS.

tarballed
September 16th, 2003, 17:26
What is the preferred method of upgrading to the latest release of OpenSSH?

I noticed for OpenBSD, you can use a couple of options: ftp, cvs etc..

Anyone have a preference?

Tarballed

bsdjunkie
September 16th, 2003, 17:58
Whatever you're most comfortable with. As long as it gets patched, it's all good. :D

v902
September 16th, 2003, 19:15
It's all kinda garbled right now, so I'll just wait and see what's going on: remote DoS, remote root, etc. Too much going on with no code to prove it. Just wondering, but I would've thought that by default ssh did not run as root (although that would cause problems for open files to see the password hash), and also, not allowing root login probably doesn't help, right?

EDIT: I looked at the code and nothing seemed askew, although, I can't program, and probably not securely either :)

frisco
September 16th, 2003, 20:31
And now 3.7.1 has been released. After a morning of patching for rev 1 of the advisory, my hopes for tonight are that I can get everything patched for rev 2 before last call at the closest bar.

http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2

tarballed
September 16th, 2003, 21:00
If I may sound like a newbie: if I'm running OpenSSH 3.6, I can run the patch, correct?

Two questions:

1) is it better to apply the patch or just upgrade?

2) What is a safe way to upgrade OpenSSH remotely?

I'm at home and want to update OpenSSH on my OpenBSD box at work...
Any suggestions or links would be great.

Tarballed

soup4you2
September 16th, 2003, 21:02
Damn, I just came here to post that... you bastard, you beat me to it.

[code]
Security Changes:
=================

All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
management errors. It is uncertain whether these errors are
potentially exploitable, however, we prefer to see bugs
fixed proactively.

OpenSSH 3.7 fixed one of these bugs.

OpenSSH 3.7.1 fixes more similar bugs.

Changes since OpenSSH 3.6.1:
============================

* The entire OpenSSH code-base has undergone a license review. As
a result, all non-ssh1.x code is under a BSD-style license with no
advertising requirement. Please refer to README in the source
distribution for the exact license terms.

* Rhosts authentication has been removed in ssh(1) and sshd(8).
[/code]

frisco
September 16th, 2003, 23:10
Damn, I just came here to post that... you bastard, you beat me to it.


I made it onto /. too! (update to the orig story)

bmw
September 17th, 2003, 08:55
According to http://lists.netsys.com/pipermail/full-disclosure/2003-September/010116.html there is an exploit available for FreeBSD and some linux distros.

That source is not very credible.

Ive received email from the Financial Services ISAC as well saying that it is exploitable. Basically they grabbed info from here:
http://isc.sans.org/diary.html?date=2003-09-16

Reasonably credible. But they use the word "rumours", and mention only that Linux may be exploitable.


So far, both OpenBSD and FreeBSD security officers state "no known exploit exists". Obviously it is prudent to either disable SSH egress to your net or patch & update. But to state that there's an exploit in the wild at this point is a stretch. At most, there might be a DoS.

bsdjunkie
September 17th, 2003, 10:20
And this was thought to be a rumor and unexploitable as well :wink:

http://www.immunitysec.com/GOBBLES/exploits/apache-scalp.c

soup4you2
September 17th, 2003, 10:45
I thought the comments he put in the shutup_theo ssh one were kinda funny.

Strog
September 17th, 2003, 12:50
There's a lot of talk about it being the real deal on freenode in the BSD related channels. Several people that I know are knowledgeable have said that they have tested it on their own boxes and it is working in some setups. I've heard that it is working in OpenBSD, FreeBSD and Linux for sure right now. I haven't heard anybody claim to get uid0 yet but they have said that you can get nobody access and create a denial of service.

There's some rumors of 3.7.1 not being totally secure yet and the only link I've found for that is http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html

Whether or not you think any of these reports are credible, you still should take steps to secure your network from the potential risk. Make sure root can't log in, check privsep settings, block external access or only allow specific addresses, VPN in and ssh from there, etc.
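
The settings in that list live in sshd_config, and the one thing that bites people when they check them by eye is that sshd takes the first occurrence of a keyword and silently ignores any later one, so a "PermitRootLogin no" appended at the bottom of a file that already says "yes" changes nothing. The audit below is an added example, not part of the thread or of OpenSSH: it parses a config the way sshd does (keyword then value, "#" comments, keywords case-insensitive, first match wins), applies the defaults that OpenSSH 3.7.x used when a keyword is absent (treat those as an assumption to check against your version's sshd_config(5)), and reports the points from the post plus the SSH-1 protocol being offered. Both sample configs are constructed, and the ListenAddress/AllowUsers checks are my reading of "only allow specific addresses", not something the post spells out.

```python
"""Audit an sshd_config for the hardening points discussed above.

Added example, not code from the thread or from OpenSSH. DEFAULTS are the
values OpenSSH 3.7.x used when a keyword was absent (an assumption to
verify against your version's sshd_config(5)); both sample configs are
constructed.
"""

DEFAULTS = {
    "permitrootlogin": "yes",
    "useprivilegeseparation": "yes",
    "protocol": "2,1",
}

# Keywords where a second occurrence is a mistake (sshd keeps the first).
# ListenAddress and AllowUsers may legitimately appear several times.
SINGLE_VALUED = {"permitrootlogin", "useprivilegeseparation", "protocol"}


def parse_sshd_config(text):
    """Return {keyword: [values in file order]}, keywords lowercased.

    Every occurrence is kept so the audit can point out a hardened value
    that sshd will never see because a weaker one precedes it.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        # sshd accepts "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        seen.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return seen


def effective(config, keyword):
    """The value sshd actually uses: first occurrence, else the default."""
    vals = config.get(keyword)
    return vals[0] if vals else DEFAULTS.get(keyword)


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    cfg = parse_sshd_config(text)
    findings = []

    root = effective(cfg, "permitrootlogin").lower()
    if root not in ("no", "forced-commands-only"):
        findings.append(f"PermitRootLogin is '{root}': set it to 'no'")

    if effective(cfg, "useprivilegeseparation").lower() != "yes":
        findings.append("UsePrivilegeSeparation is not 'yes': the network-facing "
                        "pre-auth code then runs as root instead of an unprivileged user")

    proto = effective(cfg, "protocol").replace(" ", "")
    if "1" in proto.split(","):
        findings.append(f"Protocol '{proto}' still offers SSH-1: set 'Protocol 2'")

    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups: every account on the box is a login target")

    if "listenaddress" not in cfg:
        findings.append("No ListenAddress: sshd binds every interface; "
                        "bind the management address or filter in pf")

    for kw in SINGLE_VALUED:
        vals = cfg.get(kw, [])
        if len(vals) > 1:
            findings.append(f"{kw} set {len(vals)} times; sshd uses the first "
                            f"('{vals[0]}') and ignores the rest")
    return findings


WEAK_CONFIG = """\
# constructed: the shipped defaults with the dangerous bits spelled out
Port 22
Protocol 2,1
PermitRootLogin yes
UsePrivilegeSeparation no
PermitRootLogin no   # too late: sshd already took the first value
"""

HARDENED_CONFIG = """\
# constructed: what the post above recommends
Port 22
Protocol 2
ListenAddress 192.0.2.1
PermitRootLogin no
UsePrivilegeSeparation yes
AllowUsers ops admin
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run against the weak sample it reports six problems, including that the trailing "PermitRootLogin no" is dead text; the hardened sample comes back clean. None of this replaces the upgrade: privsep and PermitRootLogin bound what an attacker gets after a successful exploit, and the address restrictions bound who can reach the bug at all, but only 3.7.1 removes it.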

frisco
September 17th, 2003, 15:47
Mail to misc@ about the Solar Designer patches. Haven't seen them applied yet.

http://marc.theaimsgroup.com/?l=openbsd-bugs&m=106381378820034&w=2

frisco
September 18th, 2003, 21:34
http://www.anzwers.org/free/m0nkeyhack/0d/

bsdjunkie
September 18th, 2003, 22:03
Hmm, binary only, that sucks... Don't think I'll run it till I check it out :P

frisco
September 18th, 2003, 22:11
Bah, looks like it's just someone taking advantage of the "is it exploitable?" question.
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106393420627698&w=2

elmore
September 19th, 2003, 12:23
http://www.securityfocus.com/archive/1/338038/2003-09-16/2003-09-22/0

hmmm, can we expect 3.7.2 or perhaps 3.8 sometime soon and will that finally be secure?!?

I was just starting to trust ssh again. Now this and apparently from what I've read these problems have been around for a *WHILE*, I read somewhere that these issues date back to the original port of the code base. Can anyone confirm this?

Really bad for OpenSSH and for that matter the OpenBSD group. If in fact the problems have been around for a while then what does that say about the Open groups' auditing process? Don't get me wrong here, I use OpenBSD for almost everything so I'm not trying to bash here. Merely asking the logical question.

frisco
September 19th, 2003, 15:01
http://www.securityfocus.com/archive/1/338038/2003-09-16/2003-09-22/0

hmmm, can we expect 3.7.2 or perhaps 3.8 sometime soon and will that finally be secure?!?

These are the aforementioned Solar Designer patches. They've been added to -current:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/misc.c?rev=1.22&content-type=text/x-cvsweb-markup

Someone wrote on misc@ that they are just cleanups, not exploitable bugs, so I guess that's why there hasn't been another official release.

I was just starting to trust ssh again. Now this and apparently from what I've read these problems have been around for a *WHILE*, I read somewhere that these issues date back to the original port of the code base. Can anyone confirm this?

You could look through http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/buffer.c to make sure, but I've read the same thing.

Really bad for OpenSSH and for that matter the OpenBSD group. If in fact the problems have been around for a while then what does that say about the Open groups' auditing process? Don't get me wrong here, I use OpenBSD for almost everything so I'm not trying to bash here. Merely asking the logical question.

It means everyone makes mistakes - the OpenBSD team was never a godly team that made no mistakes. Look through cvs/errata for proof.

It also reinforces that security has to be multi-layered and constantly monitored.