RE: [ILUG] openssh vulnerability

From: Anders Holm (anders.holm at domain elivefree.net)
Date: Tue 25 Jun 2002 - 11:15:31 IST


> -----Original Message-----
> From: ilug-admin at domain linux.ie [mailto:ilug-admin at domain linux.ie] On Behalf Of Paul Kelly
> Sent: 25 June 2002 09:50
> To: ilug at domain linux.ie
> Subject: Re: [ILUG] openssh vulnerability
>
>
> Anders Holm wrote:
> > at this point I'm now including the author of the SecurityFocus.com
> > announcement, so if he feels like it may have the freedom to
> > defend himself.
> > I am doing this because I do not believe in "battering" people
> > behind their
> > backs.
>
> As I expected, it's being covered quite well outside our little patch of
> the Internet. The slashdot comments are pretty much in line with what
> we've been saying here.

Still... Slashdot is more widely known to the world than ILUG is, no offence
to anyone. So realistically they wouldn't have had much of a chance to
respond unless already on the list, would they?

> > You apparently like OpenSSH, but don't like them to tell you
> > that there may a problem with it. I disagree the strongest to this
> > behaviour, that is why, and it is my freedom to say so as well.
>
> Nope. I'm happy that they say there's a vulnerability out there. I'm
> happy that they suggest in advance that PrivSep is a good
> workaround for it.
>
> I'm not happy that they may release details of the vulnerability before
> a patch has been released. Now this is just a 'may' but there has been
> no mention of a patch to fix it yet. I understand that the clock is
> ticking, but it profits no one to discuss the problem openly before it is
> fixed.

Which they still haven't. Apparently the patch would need some assistance
from different vendors in order to get it working satisfactorily. It remains
to be seen what information will actually be revealed "early next week".
Same for the patch, which I'm sure is on the way as we speak.

> The well established path for a vulnerability report is to fix the thing
> first, maybe mention that a problem exists, and distribute this full fix
> to the major vendors so that they have plenty of time to have fresh
> binary packages available at the appointed hour for the publication of
> the vulnerability.

Probably exactly what has happened, apart from the fact that the vendors
don't seem too interested in helping out. By making a public statement like
this, at least people will have a chance of trying to close the
vulnerability. As stated previously, how long have certain hackers known of
this without sysadmins knowing of it? At least we now have a chance of
"fighting back" and are able to keep an even closer eye out for intrusions.
I agree that it would have been the most optimal solution for us all if the
patch had been distributed at the same time as the alert went out,
but at least we now know. That is the main thing here I believe. Not knowing
is even worse. What would you have said if you had been compromised
due to this vulnerability and they had known it existed?

> PrivSep is NOT yet an acceptable solution by any stretch of the
> imagination. The Mandrake people have already found bugs in its
> interaction with PAM. For all we know it may expose us to further
> vulnerabilities on par with those in the commercial SSH 3.0 release
> (allowed anyone to ssh in to disabled accounts without a password). This
> code is out a WEEK! I for one wouldn't even consider running it on a
> production machine.

As you yourself state, it is a workaround, not a solution. And yes, they
also stated that there were problems with PrivSep. And by _not_ running it
currently on a production machine, what problems do you keep open for
exploitation? What other methods, apart from SSH, would you have that are
secure to use? Those are very important questions, which should not be taken
lightly by any sys admin with machines out in the wild.

> Paul.

//Anders//



This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:30 GMT