I think this is serious enough for fellow ISP admins that I would post it here.

Do you all know how Debian's progress is regarding this? We are starting to get a large increase in SSH probes... perhaps crackers are already compiling a list of hosts running SSH, so when the full vulnerability is released, they can attack immediately. How are you guys handling this?

Jason
http://www.zentek-international.com/

----- Original Message -----
From: "X-Force" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 26, 2002 11:56 PM
Subject: ISS Advisory: OpenSSH Remote Challenge Vulnerability

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Internet Security Systems Security Advisory
> June 26, 2002
>
> OpenSSH Remote Challenge Vulnerability
>
> Synopsis:
>
> ISS X-Force has discovered a serious vulnerability in the default installation of OpenSSH on the OpenBSD operating system. OpenSSH is a free version of the SSH (Secure Shell) communications suite and is used as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and Ftp. OpenSSH employs end-to-end encryption (including all passwords) and is resistant to network monitoring, eavesdropping, and connection hijacking attacks. X-Force is aware of active exploit development for this vulnerability.
>
> Impact:
>
> OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be vulnerable to a remote, superuser compromise.
>
> Affected Versions:
>
> OpenBSD 3.0
> OpenBSD 3.1
> FreeBSD-Current
> OpenSSH 3.0-3.2.3
>
> OpenSSH version 3.3 implements "privilege separation" which mitigates the risk of a superuser compromise. Prior to the release of this advisory, ISS and OpenBSD encouraged all OpenSSH users to upgrade to version 3.3. Versions of FreeBSD-Current built between March 18, 2002 and June 23, 2002 are vulnerable to remote superuser compromise. Privilege separation was implemented in FreeBSD-Current on June 23, 2002.
>
> Note: OpenSSH is included in many operating system distributions, networking equipment, and security appliances. Refer to the following address for information about vendors that implement OpenSSH: http://www.openssh.com/users.html
>
> Description:
>
> A vulnerability exists within the "challenge-response" authentication mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2 protocol, verifies a user's identity by generating a challenge and forcing the user to supply a number of responses. It is possible for a remote attacker to send a specially-crafted reply that triggers an overflow. This can result in a remote denial of service attack on the OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs with superuser privilege, so remote attackers can gain superuser access by exploiting this vulnerability.
>
> OpenSSH supports the SKEY and BSD_AUTH authentication options. These are compile-time options. At least one of these options must be enabled before the OpenSSH binaries are compiled for the vulnerable condition to be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled. The SKEY and BSD_AUTH options are not enabled by default in many distributions. However, if these options are explicitly enabled, that build of OpenSSH may be vulnerable.
>
> Recommendations:
>
> Internet Scanner X-Press Update 6.13 includes a check, OpenSshRunning, to detect potentially vulnerable installations of OpenSSH. XPU 6.13 is available from the ISS Download Center at: http://www.iss.net/download. For questions about downloading and installing this XPU, email [EMAIL PROTECTED]
>
> ISS X-Force recommends that system administrators disable unused OpenSSH authentication mechanisms. Administrators can remove this vulnerability by disabling the Challenge-Response authentication parameter within the OpenSSH daemon configuration file. This filename and path is typically: /etc/ssh/sshd_config. To disable this parameter, locate the corresponding line and change it to the line below:
>
> ChallengeResponseAuthentication no
>
> The "sshd" process must be restarted for this change to take effect. This workaround will permanently remove the vulnerability. X-Force recommends that administrators upgrade to OpenSSH version 3.4 immediately. This version implements privilege separation, contains a patch to block this vulnerability, and contains many additional proactive security fixes. Privilege separation was designed to limit exposure to known and unknown vulnerabilities. Visit http://www.openssh.com for more information.
>
> Additional Information:
>
> ISS X-Force and Black Hat consulting will host a presentation titled, "Professional Source Code Auditing" at Black Hat Briefings USA 2002. The presentation will explore advanced source code auditing techniques as well as secure development best-practices. Please refer to http://www.blackhat.com and http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd for more information.
>
> Credits:
>
> The vulnerability described in this advisory was discovered and researched by Mark Dowd of the ISS X-Force. ISS would like to thank Theo de Raadt of the OpenBSD Project for his assistance with this advisory.
>
> ______
>
> About Internet Security Systems (ISS)
> Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.
>
> Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide.
>
> Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email [EMAIL PROTECTED] for permission.
>
> Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
>
> X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php
>
> Please send suggestions, updates, and comments to: X-Force
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
> -----END PGP SIGNATURE-----
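A small audit and fix helper for the advisory's workaround, added here as an example (it is not ISS's, OpenSSH's or Debian's code): it reports the effective ChallengeResponseAuthentication value of an sshd_config, flags OpenSSH versions inside the affected 3.0 to 3.2.3 range, and rewrites a copy of the config with the setting disabled. It assumes sshd_config uses "Keyword value" lines with '#' comments, that sshd honours the first occurrence of a keyword, that the built-in default for ChallengeResponseAuthentication is "yes" when the keyword is absent, and that the sample config at the bottom is constructed, not from any real host.

```shell
# Audit helper for the OpenSSH challenge-response advisory above (example code,
# not from ISS or OpenSSH). Assumes "Keyword value" config lines, '#' comments,
# first keyword occurrence wins, and a built-in default of "yes" if unset.

# Effective ChallengeResponseAuthentication value ("yes" or "no") for a config.
cra_setting() {
    val=$(awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$1")
    [ -n "$val" ] && echo "$val" || echo yes
}

# Returns 0 when an OpenSSH version string lies in the advisory's affected
# range 3.0 .. 3.2.3 (a trailing portable suffix such as "p1" is ignored).
version_affected() {
    n=$(echo "$1" | awk -F. '{ printf "%d", $1 * 10000 + $2 * 100 + $3 }')
    [ "$n" -ge 30000 ] && [ "$n" -le 30203 ]
}

# Returns 0 (and says why) when the host still needs the workaround or upgrade.
needs_action() {
    cra=$(cra_setting "$1")
    if version_affected "$2" && [ "$cra" = yes ]; then
        echo "ACTION NEEDED: OpenSSH $2 with ChallengeResponseAuthentication yes"
        return 0
    fi
    echo "OK: OpenSSH $2, ChallengeResponseAuthentication $cra"
    return 1
}

# The advisory's workaround applied to a copy of the config: comment out every
# existing ChallengeResponseAuthentication line and append an explicit "no".
# Prints the copy's path; sshd must still be restarted to pick the change up.
disable_cra() {
    out="$1.fixed"
    awk 'tolower($1) == "challengeresponseauthentication" { print "#" $0; next } { print }' "$1" > "$out"
    echo "ChallengeResponseAuthentication no" >> "$out"
    echo "$out"
}

# Constructed sample sshd_config (not from any real host) with the risky setting.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
Port 22
Protocol 2
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF

needs_action "$SAMPLE_CONFIG" 3.2.2 || true
needs_action "$(disable_cra "$SAMPLE_CONFIG")" 3.2.2 || true
```

Run it against a real host with `cra_setting /etc/ssh/sshd_config` and the version shown by `ssh -V`; the rewritten copy is only a staging file and still has to be reviewed and put in place before sshd is restarted.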