Devon & Cornwall Linux Users' Group


Re: [LUG] ISS Advisory: OpenSSH Remote Challenge Vulnerability



On Thursday 27 June 2002 2:02 pm, Simon Waters wrote:
> Anyone know about SUN Cobalt Raq Linux yet?
>
> I think the HP-UX advisory sums it up nicely, "disable
> challengeResponse, disable KeyboardIntAuth, and await 3.4" sums
> up the approach nicely, now if they had said that at first Zozo
> could have got more sleep this week, he always sounds like he
> needs more.

Pah! sleep! what's that? ;) I've got my rocket fuel and penguin mints (as well 
as the proplus) to keep me alive and kicking :p

Seriously though, i'm not at *all* impressed by the way this vulnerability has 
been dealt with, ISS should be shot dead - they've been the root cause of all 
the hassle this week (except maybe the icecast vulnerabilities).

Theo (the OpenBSD one, not me :p) didn't sign his messages, which left me 
until yesterday afternoon (when OpenBSD updated the website) in 2 minds about 
it.  and he didn't even mention that some boxes weren't affected (in fact, i 
don't *think* any default Linux distro is affected - Debian isn't, that's for 
sure.)

then ohh yay, i've just got yet *another* security advisory through (YASA?;)):

> ISS X-Force released an advisory about an OpenSSH "Remote Challenge
> Vulnerability". Unfortunately, the advisory was incorrect on some
> points, leading to widespread confusion about the impact of this
> vulnerability.

no kidding.

> No version of OpenSSH in Debian is affected by the
> SKEY and BSD_AUTH authentication methods described in the ISS
> advisory.

and just as i start to be happy....

> However, Debian does include OpenSSH servers with the PAM
> feature described as vulnerable in the later advisory by the OpenSSH
> team. (This vulnerable feature is authentication using PAM via the
> keyboard-interactive mechanism [kbdint].) This vulnerability affects
> OpenSSH versions 2.3.1 through 3.3. No exploit is currently known for
> the PAM/kbdint vulnerability, but the details are publicly known.

oh yay. thank god we don't have PAMAuthenticationViaKbdInt on.

> All
> of these vulnerabilities were corrected in OpenSSH 3.4.

which means the last 3 hours spent upgrading the servers, again. woo hoo.

so it's not just BSD_AUTH and SKEY - also PamInteractive is possibly vulnerable 
- luckily Debian sets off by default.

> Oh and a mod_ssl bug in Apache made it to BugTraq - only
> relevant to people who share Apache instances between clients if
> I read it right - it never rains but it pours.

yes - and guess what - it affects us. ARGHHH. at least on OpenBSD, maybe 
Linux, too.

IF ANYONE ELSE RELEASES ANOTHER VULNERABILITY THIS WEEK I'M GOING TO KILL THEM 
PERSONALLY.

;-)

my favourite part of security notices has to be the 'workaround' section. 
mod_ssl's is:

"Disallow per-directory configuration files by only having 'AllowOverride 
None' directives in your httpd.conf file, and restart the webserver."

that should probably be rephrased:

"Disallow per-directory configuration files by only having 'AllowOverride 
None' directives in your httpd.conf file, restart the webserver, and redirect 
your support email address to /dev/null."

the best one had to be a Solaris one a few years back, that recommended 
shutting down portmap and all nfs related systems until the problem is fixed, 
which they mentioned would probably be a few days.  Great, except portmap was 
running to provide shared filesystems over all the webservers ;p

> Perhaps Theo will give me a job patching things.

CPO? Chief Patch Officer ? ;) maybe also we could have Patch Manager, and 
Bugtraq-mailing-list-reader, too.  It's needed this week ;)

i need a new job, too :p


and even more fun :

[Thu Jun 27 14:35:57 2002]  Transfer-Encoding: chunked - denied and logged
[Thu Jun 27 14:35:57 2002]  Invalid error redirection directive: 

==-=-=-=-

thank god for that. yay yay yay.

~ Theo, as always, fully awake and spelling terrible ;)

-- 

Theo Zourzouvillys
http://zozo.org.uk/

Q:      Why did the germ cross the microscope?
A:      To get to the other slide.
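
The workaround discussed in this message, as an added example that is not part of the original post: a small audit that takes an sshd version banner and the text of an sshd_config and reports whether the two settings named in the thread are switched off on a version in the range the quoted Debian advisory gives (2.3.1 through 3.3). Reading the HP-UX "challengeResponse" as the `ChallengeResponseAuthentication` keyword, and treating an unset keyword as a finding rather than relying on a compiled-in default, are assumptions of this example; the sample config is constructed.

```python
import re

# Keywords the thread says to switch off until 3.4 is installed.
WORKAROUND = ("challengeresponseauthentication", "pamauthenticationviakbdint")

# Constructed sample input, not taken from the original post.
SAMPLE_CONFIG = """\
# sshd_config (constructed example)
Port 22
ChallengeResponseAuthentication yes
PAMAuthenticationViaKbdInt no
"""

def parse_version(banner):
    """Extract (major, minor, patch) from a banner such as 'OpenSSH_3.3p1'."""
    m = re.search(r"OpenSSH[_ ](\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError("no OpenSSH version in %r" % banner)
    return tuple(int(g or 0) for g in m.groups())

def in_affected_range(version):
    """Range from the quoted advisory: 2.3.1 through 3.3, corrected in 3.4."""
    return (2, 3, 1) <= version < (3, 4, 0)

def parse_sshd_config(text):
    """Return {keyword: value}. Keywords are case-insensitive; first value wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def audit(banner, config_text):
    """List workaround keywords that are not explicitly 'no' on an affected version."""
    if not in_affected_range(parse_version(banner)):
        return []
    settings = parse_sshd_config(config_text)
    return ["%s is %s; set it to 'no' or upgrade to 3.4"
            % (key, settings.get(key, "unset"))
            for key in WORKAROUND if settings.get(key) != "no"]

if __name__ == "__main__":
    for finding in audit("OpenSSH_3.3p1", SAMPLE_CONFIG):
        print(finding)
```
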

