SuSE: OpenSSH Advisory Update

    Date25 Jun 2002
    CategorySuSE
    1851
    Posted ByLinuxSecurity Advisories
    Theo de Raadt announced that the OpenBSD team is working with ISSon a remote exploit for OpenSSH. No details on the type of vulnerability are available at this time, but everyone is advised to upgrade to version 3.3.
    
    Date: Tue, 25 Jun 2002 10:39:34 +0200
    From: Olaf Kirch <This email address is being protected from spambots. You need JavaScript enabled to view it.>
    To: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Subject: [suse-security-announce] OpenSSH Vulnerability
    
    
    There's a new vulnerabiltiy in the OpenSSH daemon. The OpenSSH/OpenBSD
    team does not release any details concerning this issue, except:
    
     -      This bug still exists in the most recent version, 3.3
    
     -      They are asking all users to upgrade to version 3.3 (sic),
     	and enable the PrivilegeSeparation option.
    
    Setting PrivilegeSeparation to on causes large portions of the daemon
    to run in a so-called "chroot jail", i.e. in a very restricted environment.
    An attacker breaking this part of the SSH daemon will *not* obtain full
    root privilege (as he would if sshd runs without this option), but
    will find himself in an empty directory, inside a process running as
    a non privileged user (he can still do some harm this way, but it's
    a far cry from full root powers, of course).
    
    In a posting to bugtraq, Theo de Raadt says that using privilege
    separation, this new vulnerability cannot be exploited.
    
    The SuSE security team is working on creating OpenSSH updates with
    privilege separation enabled, and testing this functionality. We
    will release updated RPMs on FTP as they become available.
    
    In the meanwhile, we suggest that
    
     -	if you do not need external access to your SSH daemons,
     	turn off the SSH service on these machine completely,
    	or block external access at the firewall.
    
     -	if you do need extern access to your SSH daemons,
     	make sure you restrict the hosts that it will talk to
    	by setting appropriate firewall rules.
    
    	If, for some reason, you cannot configure your firewall to
    	block external SSH access, you can also restrict access through
    	/etc/hosts.allow; the following will allow connections from
    	hosts with IP addresses 1.2.3.4 and 5.6.7.8 while disallowing
    	any other connections.
    
    		sshd	: 1.2.3.4	: allow
    		sshd	: 5.6.7.8	: allow
    		sshd	: ALL		: deny
    
    	It is not clear however whether this is really effective
    	because we do not know anything about the vulnerability
    	at all.
    
    Olaf Kirch
    
    
    
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"23","type":"x","order":"1","pct":56.1,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":12.2,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"13","type":"x","order":"3","pct":31.71,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    Advisories

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.