Debian alert: Unknown OpenSSH remote vulnerability

Posted by dave on Jun 25, 2002 7:50 PM EDT
Mailing list
Mail this story
Print this story

This advisory is an update to DSA-134-2: the changes mainly deal with packaging issues; if you have already successfully installed an openssh package from a previous DSA-134 advisory you may disregard this message.

-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory DSA-134-2                   security@debian.org
http://www.debian.org/security/                            Michael Stone
June 25, 2002
- ------------------------------------------------------------------------

Package        : ssh
Problem type   : remote exploit
Debian-specific: no

This advisory is an update to DSA-134-2: the changes mainly deal with
packaging issues; if you have already successfully installed an
openssh package from a previous DSA-134 advisory you may disregard
this message.

Theo de Raadt announced that the OpenBSD team is working with ISS to
address a remote exploit for OpenSSH (a free implementation of the
Secure SHell protocol). They are refusing to provide any details on
the vulnerability but instead are advising users to upgrade to the
latest release, version 3.3.

This version was released 22 Jun 2002 and enabled by default a feature
called privilege seperation, in order to minimize the effect of
exploits in the ssh network handling code. Unfortunately this release
has a few known problems:

* compression does not work on all operating systems since the code
  relies on specific mmap features

* the PAM support has not been completed and may break a few PAM modules

* keyboard interactive authentication does not work with privilege
  seperation. Most noticable for Debian users this breaks PAM modules
  which need a PAM conversation function (like the OPIE module).

The new privilege separation support from Niels Provos changes ssh to
use a separate non-privileged process to handle most of the work. This
means that any vulnerability in this part of OpenSSH can never lead to
a root compromise but only to compromise of an unprivileged account
restricted to a chroot.

Theo made it very clear that this new version does not fix the
vulnerability. Instead, using the new privilege separation code
mitigates the vulnerability since the attacker can only gain access to
that unprivileged chroot'd account.

Since details of the problem have not been released, the move to the
latest release of OpenSSH portable, version 3.3p1, is the only known
method of mitigating the risk of the reported vulnerability.

Please note that we have not had the time to do proper QA on these
packages; they might contain bugs or break things unexpectedly. If you
notice any such problems (besides the ones mentioned in this advisory)
please file a bug-report so we can investigate.

Some notes on possible issues associated with this upgrade:

* This package introduce a new account called `sshd' that is used in
  the privilege separation code. If no sshd account exists the package
  will try to create one. If the account already exists it will be
  re-used. If you do not want this to happen you will have to fix this
  manually. 

* (relevant for potato only) This update adds a backport of version
  0.9.6c of the SSL library. This means you will have to upgrade the
  ssl package as well.

* (relevant for potato only) This update defaults to using version 2
  of the SSH protocol. This can break existing setups where RSA
  authentication is used. You will either have to 
    - add -1 to the ssh invocation to keep using SSH protocol 1 and
      your existing keys, or 
    - change the Protocol line in /etc/ssh/ssh_config and/or
      /etc/ssh/sshd_config to "Protocol 1,2" to try protocol 1 before
      protocol 2, or
    - create new rsa or dsa keys for SSH protocol 2

* sshd defaults to enabling privilege seperation, even if you do not
  explicitly enable it in /etc/ssh/sshd_config . Again, unless you have
  "UsePrivilegeSeparation no" in your sshd_config, you will be using
  privilege seperation with this package.

* If ssh does not work for you you can try to disable compression. We
  included a patch from Solar Designer which should fix the problem
  with Linux 2.2 kernels, but there might be a few cases where this is
  not sufficient.

* (relevant for potato only) Privilege seperation does not currently
  work with Linux 2.0 kernels

* If for some reason you cannot use privilege seperation (e.g.,
  because you are running a 2.0 kernel) but have already installed the
  openssh 3.3p1 package, you can revert to previous behavior by adding
  "UsePrivilegeSeparation no" to your /etc/ssh/sshd_config file. *Note
  that disabling privilege seperation will leave you vulnerable to the
  security problem described in this advisory and should only be done on
  an emergency basis.*

Some issues from previous openssh 3.3p1 packages corrected in this
advisory (not a complete changelog):

* (relevant for potato only) the installation question, "[do you want
  to allow protocol 2 only" no longer defaults to "yes". Users who
  answered yes to this question and also chose to regenerate their
  sshd_config file found that they could no longer connect to their
  server via protocol 1. See /usr/doc/ssh/README.Debian for instructions
  on how to enable protocol 1 if caught in this situation.

* (relevant for potato only) the ssh package no longer conflicts with
  rsh-server, nor does it provide an rsh alternative

* installation will no longer fail if users choose to generate
  protocol 1 keys

Again, we regret having to release packages with larger changes and
less testing than is our usual practice; given the potential severity
and non-specific nature of the threat we decided that our users were
best served by having packages available for evaluation as quickly as
possible. We will send additional information as it comes to us, and
will continue to work on the outstanding issues.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc
  Packages for m68k are not available at this moment.

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0potato6.diff.gz
      Size/MD5 checksum:    33694 8b83048b2bd7838703aaba40ae119810
    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1.orig.tar.gz
      Size/MD5 checksum:   831189 226fdde5498c56288e777c7a697996e0
    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0potato6.dsc
      Size/MD5 checksum:      871 bc2713452395932dc716df3cdb55a905
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.diff.gz
      Size/MD5 checksum:    37925 718ffc86669ae06b22d77c659400f4e8
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.dsc
      Size/MD5 checksum:      784 b197de235e0d10f7bb66b4751808a033

  Architecture independent packages:

    http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.1_all.deb
      Size/MD5 checksum:      976 6b39f5a320b1c8bdbba05e2c8b041b70

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato6_alpha.deb
      Size/MD5 checksum:   863748 ae52add3e16fa3ac768c6f90851061ef
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato6_alpha.deb
      Size/MD5 checksum:    33204 b37dfcf4220fa0f56621aea9ea57a29e
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_alpha.deb
      Size/MD5 checksum:   589696 f0263fe6848b8bd09ad07a370ed6310a
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_alpha.deb
      Size/MD5 checksum:   746344 5a06b3db8f6eabf063c3099cb539ffe9
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_alpha.deb
      Size/MD5 checksum:  1548926 377068d478722db72c2fe52f3c23312b

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato6_arm.deb
      Size/MD5 checksum:   661912 e0f863a5d9ea719440ddfd7cd46e0f2b
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato6_arm.deb
      Size/MD5 checksum:    32424 2127978be04489fddd033dcbe1b8200c
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_arm.deb
      Size/MD5 checksum:   468106 c1dc499d7a06db8e831906f942d1192e
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_arm.deb
      Size/MD5 checksum:  1348440 7fb0b6f32b6eb2dfc78391a302bd0e02
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_arm.deb
      Size/MD5 checksum:   728932 0a9872153979c364d41208082c80772d

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato6_i386.deb
      Size/MD5 checksum:    32722 5ae7edb8eb38e4b01eeae2b080953dc7
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato6_i386.deb
      Size/MD5 checksum:   640376 7b9926d3bb35f65150e7f2be01da8b66
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_i386.deb
      Size/MD5 checksum:  1290006 362451bafdf4fe2104e54a0336893519
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_i386.deb
      Size/MD5 checksum:   461994 a1c785ce6982b9031410362f124d873a
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_i386.deb
      Size/MD5 checksum:   730338 747306c7e4ef0b767cb2985b74047b05

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato6_powerpc.deb
      Size/MD5 checksum:    32418 26a91d2f170eff0dbd68810de496bffd
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato6_powerpc.deb
      Size/MD5 checksum:   680472 c3d312c2bc0866c7ed66be67964386d1
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_powerpc.deb
      Size/MD5 checksum:   726602 93f47a77404ad9164565aac7ff901e43
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_powerpc.deb
      Size/MD5 checksum:  1384596 ff8ce54bc5fa3e0913ad1f359c36161b
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_powerpc.deb
      Size/MD5 checksum:   502776 a09451aa914242e199eb8e5de529ec26

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato6_sparc.deb
      Size/MD5 checksum:    35274 fc253370c6c9982015458b5dccc73f66
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato6_sparc.deb
      Size/MD5 checksum:   687500 ad2e133fa6e3b1878f0a099748c541e6
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_sparc.deb
      Size/MD5 checksum:  1338558 812adef25bd5abab26c47451dde84ba8
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_sparc.deb
      Size/MD5 checksum:   482712 d821248f15cc4e1fa6574e4cdfdf02e0
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_sparc.deb
      Size/MD5 checksum:   738056 d27a607775a80eb4aba24d29b35fe6ff


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Woody will be released for alpha, arm, hppa, i386, ia64, m68k, mips,
  mipsel, powerpc, s390 and sparc. Packages for m68k are not available
  at this moment.

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0woody4.dsc
      Size/MD5 checksum:      815 9b2d9ce52d08a1578edbfda9617231d9
    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1.orig.tar.gz
      Size/MD5 checksum:   831189 226fdde5498c56288e777c7a697996e0
    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0woody4.diff.gz
      Size/MD5 checksum:    34040 778ca8992b1bf7057d07f12018fb5bb3

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody4_alpha.deb
      Size/MD5 checksum:   844780 48ba4028203c023213718f87b1bfa537
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody4_alpha.deb
      Size/MD5 checksum:    33604 15a9c4de1b4957c6a30046adc085adac


  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody4_arm.deb
      Size/MD5 checksum:   653722 1a468897f1b4752fce130ae3f12034b2
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody4_arm.deb
      Size/MD5 checksum:    32830 34b2f0346a718c69aeaa87a15ca6773b

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody4_i386.deb
      Size/MD5 checksum:    33114 74c669d2646536853e044b13e62a2567
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody4_i386.deb
      Size/MD5 checksum:   638128 728e289d717ecc7c3a55d45091f3449e

  ia64 architecture (Intel ia64)

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody4_ia64.deb
      Size/MD5 checksum:   998226 2fe4594fc8c748745f4f066a99195c04
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody4_ia64.deb
      Size/MD5 checksum:    34568 9bd4d13b6e9c364f650b0ab99bf007ba

  mipsel architecture (MIPS (Little Endian))

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody4_mipsel.deb
      Size/MD5 checksum:   722614 b31db1cd4c9599aa9ba83c904c5c39d7
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody4_mipsel.deb
      Size/MD5 checksum:    33082 6f7ac7c2ecbd39ceb5d243854197f1c5

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody4_powerpc.deb
      Size/MD5 checksum:    32856 b6827c0d4bef215ab5661fa16b637f32
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody4_powerpc.deb
      Size/MD5 checksum:   677164 143803bd2413ee67886706246717734d

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody4_sparc.deb
      Size/MD5 checksum:    32902 5af151b5d6ccf438fd6e07c763de3d4a
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody4_sparc.deb
      Size/MD5 checksum:   681752 d1b5c205d58d495573b51a98a13a96df

- -- 
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQCVAwUBPRk5QA0hVr09l8FJAQHTNQP/ScD97wpZxX3gFtou5xILY+L/Kl664SuM
i85mUYvxAYZco6QMdbvUQ3tsMowLC/L9wN2oZN+EcqcDtvmZN2VVl73NxszsRHb1
QgxQV2xkuVfc+aKl4D1BAYpzBtKS0BUSvBzrUR8KEd/mm4BdRA6OeUp/SiWtAoCw
byzXf5Z7EFM=
=nAYz
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


  Nav
» Read more about: Story Type: Security; Groups: Debian

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.