Mailing List Archive

Juniper and OpenSSH exploits
Ok I picked the short straw so I'll ask the question... I've seen the
advisory for the OpenSSH exploits affecting JunOS, but I haven't seen any
new builds since the exploit info was publicly released. Anyone know what's
up with this?

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Juniper and OpenSSH exploits [ In reply to ]
On Tue, 23 Sep 2003, Richard A Steenbergen wrote:
> Ok I picked the short straw so I'll ask the question... I've seen the
> advisory for the OpenSSH exploits affecting JunOS, but I haven't seen any
> new builds since the exploit info was publicly released. Anyone know what's
> up with this?

Are you really running your junipers without a filter running on lo0.0,
protecting TCP/22, etc? If such are implemented properly, this issue is
not all that interesting..

However, of course Juniper should issue bugfix images..

--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
Juniper and OpenSSH exploits [ In reply to ]

As stated in the field alert from Juniper... If you need the patch, contact
J-TAC. The patches are available.

Regards,

Guy

> -----Original Message-----
> From: Richard A Steenbergen [mailto:ras@e-gerbil.net]
> Sent: 23 September 2003 07:41
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Juniper and OpenSSH exploits
>
>
> Ok I picked the short straw so I'll ask the question... I've seen the
> advisory for the OpenSSH exploits affecting JunOS, but I haven't seen any
> new builds since the exploit info was publicly released. Anyone know what's
> up with this?
>
> --
> Richard A Steenbergen <ras@e-gerbil.net>
> http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41
> 5ECA F8B1 2CBC)
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>

Juniper and OpenSSH exploits [ In reply to ]
On Tue, Sep 23, 2003 at 10:58:40AM +0300, Pekka Savola wrote:
> Are you really running your junipers without a filter running on lo0.0,
> protecting TCP/22, etc? If such are implemented properly, this issue is
> not all that interesting..

Is it not true that a single packet (i.e., a packet with an
appropriately spoofed source-IP such that it will make it through
the filter) can cause problems? Or is two-way conversation between
the router and the attacker required in order to exploit the
vulnerability?

If a single packet is all that's required then a simple source-IP
based filter in front of the routing engine isn't enough to protect
yourself in this case.


--Jeff
Juniper and OpenSSH exploits [ In reply to ]
Hi,

On Tue, Sep 23, 2003 at 08:39:20AM -0400, Jeff Aitken wrote:
> On Tue, Sep 23, 2003 at 10:58:40AM +0300, Pekka Savola wrote:
> > Are you really running your junipers without a filter running on lo0.0,
> > protecting TCP/22, etc? If such are implemented properly, this issue is
> > not all that interesting..
>
> Is it not true that a single packet (i.e., a packet with an
> appropriately spoofed source-IP such that it will make it through
> the filter) can cause problems? Or is two-way conversation between
> the router and the attacker required in order to exploit the
> vulnerability?

The current buffer problems happen inside an established TCP connection.

One packet won't be sufficient for that, you need to be able to spoof
the 3-way handshake.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert@greenie.muc.de
fax: +49-89-35655025
gert@net.informatik.tu-muenchen.de
Juniper and OpenSSH exploits [ In reply to ]
On Tue, Sep 23, 2003 at 08:39:20AM -0400, Jeff Aitken wrote:

> If a single packet is all that's required then a simple source-IP
> based filter in front of the routing engine isn't enough to protect
> yourself in this case.

SSH runs over TCP so I would guess that's unlikely.

--
Sabri Berisha "I route, therefore you are"

"We don't do default gateways" - anonymous engineer at a DSL customer.
Juniper and OpenSSH exploits [ In reply to ]
On Tue, Sep 23, 2003 at 02:56:59PM +0200, Gert Doering wrote:
> The current buffer problems happen inside an established TCP connection.

Ah, that is not what I was led to believe, based on a conversation
with our SE, and I hadn't taken the time since then to read about
this specific problem. Thanks for the clarification!


--Jeff
Juniper and OpenSSH exploits [ In reply to ]
On Tue, 23 Sep 2003, Jeff Aitken wrote:
> On Tue, Sep 23, 2003 at 10:58:40AM +0300, Pekka Savola wrote:
> > Are you really running your junipers without a filter running on lo0.0,
> > protecting TCP/22, etc? If such are implemented properly, this issue is
> > not all that interesting..
>
> Is it not true that a single packet (i.e., a packet with an
> appropriately spoofed source-IP such that it will make it through
> the filter) can cause problems? Or is two-way conversation between
> the router and the attacker required in order to exploit the
> vulnerability?
>
> If a single packet is all that's required then a simple source-IP
> based filter in front of the routing engine isn't enough to protect
> yourself in this case.

The question was already answered, but I'll answer the meta-question on
operational practice.

You really, really should have filters at your border routers which block
anyone from using your addresses (_especially_ your
management/infrastructure addresses) as source. Otherwise you'll have
just WAY too many ways to exploit your routers (consider e.g. SNMP UDP
vulnerabilities, etc.).

--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
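The two controls discussed in this thread, a lo0.0 filter that restricts TCP/22 towards the routing engine and a border anti-spoofing filter that drops packets claiming the infrastructure's own addresses as source, written out as a JunOS configuration fragment. This is an added example, not a configuration posted in the thread; the management prefix 192.0.2.0/24, the infrastructure prefix 198.51.100.0/24 and the border interface ge-0/0/0 are assumed placeholders.

```junos
firewall {
    family inet {
        /* Applied to lo0.0: only the assumed management prefix may reach sshd on the RE */
        filter protect-re {
            term ssh-from-mgmt {
                from {
                    source-address { 192.0.2.0/24; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term ssh-from-elsewhere {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then { count ssh-denied; log; discard; }
            }
            term everything-else {
                then accept;
            }
        }
        /* Applied inbound on the border: packets sourced from our own (assumed)
           management/infrastructure prefixes can never legitimately arrive from
           outside, so they are dropped before they can match ssh-from-mgmt */
        filter border-antispoof {
            term our-addresses-as-source {
                from {
                    source-address { 192.0.2.0/24; 198.51.100.0/24; }
                }
                then { count spoofed-source; discard; }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet { filter { input protect-re; } }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet { filter { input border-antispoof; } }
        }
    }
}
```

The `count` and `log` actions give the counters to watch (`show firewall filter protect-re`) for rejected SSH attempts and for traffic arriving at the border with internal source addresses.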