On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
> Date: Mon, 24 Jun 2002 15:00:10 -0600
> From: Theo de Raadt <deraadt@cvs.openbsd.org>
> Subject: Upcoming OpenSSH vulnerability
> To: bugtraq@securityfocus.com
> Cc: announce@openbsd.org
> Cc: dsi@iss.net
> Cc: misc@openbsd.org
>
> There is an upcoming OpenSSH vulnerability that we're working on with
> ISS. Details will be published early next week.
>
> However, I can say that when OpenSSH's sshd(8) is running with priv
> seperation, the bug cannot be exploited.
>
> OpenSSH 3.3p was released a few days ago, with various improvements
> but in particular, it significantly improves the Linux and Solaris
> support for priv sep. However, it is not yet perfect. Compression is
> disabled on some systems, and the many varieties of PAM are causing
> major headaches.
>
> However, everyone should update to OpenSSH 3.3 immediately, and enable
> priv seperation in their ssh daemons, by setting this in your
> /etc/ssh/sshd_config file:
>
> UsePrivilegeSeparation yes
>
> Depending on what your system is, privsep may break some ssh
> functionality. However, with privsep turned on, you are immune from
> at least one remote hole. Understand?
>
> 3.3 does not contain a fix for this upcoming bug.
>
> If priv seperation does not work on your operating system, you need to
> work with your vendor so that we get patches to make it work on your
> system. Our developers are swamped enough without trying to support
> the myriad of PAM and other issues which exist in various systems.
> You must call on your vendors to help us.
>
> Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
> lot of that runs as root. But when UsePrivilegeSeparation is enabled,
> the daemon splits into two parts. A part containing about 2500 lines
> of code remains as root, and the rest of the code is shoved into a
> chroot-jail without any privs. This makes the daemon less vulnerable
> to attack.
>
> We've been trying to warn vendors about 3.3 and the need for privsep,
> but they really have not heeded our call for assistance. They have
> basically ignored us. Some, like Alan Cox, even went further stating
> that privsep was not being worked on because "Nobody provided any info
> which proves the problem, and many people dont trust you theo" and
> suggested I "might be feeding everyone a trojan" (I think I'll publish
> that letter -- it is just so funny). HP's representative was
> downright rude, but that is OK because Compaq is retiring him. Except
> for Solar Designer, I think none of them has helped the OpenSSH
> portable developers make privsep work better on their systems.
> Apparently Solar Designer is the only person who understands the need
> for this stuff.
>
> So, if vendors would JUMP and get it working better, and send us
> patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
> which supports these systems better. So send patches by Thursday
> night please. Then on Tuesday or Wednesday the complete bug report
> with patches (and exploits soon after I am sure) will hit BUGTRAQ.
>
> Let me repeat: even if the bug exists in a privsep'd sshd, it is not
> exploitable. Clearly we cannot yet publish what the bug is, or
> provide anyone with the real patch, but we can try to get maximum
> deployement of privsep, and therefore make it hurt less when the
> problem is published.
>
> So please push your vendor to get us maximally working privsep patches
> as soon as possible!
>
> We've given most vendors since Friday last week until Thursday to get
> privsep working well for you so that when the announcement comes out
> next week their customers are immunized. That is nearly a full week
> (but they have already wasted a weekend and a Monday). Really I think
> this is the best we can hope to do (this thing will eventually leak,
> at which point the details will be published).
>
> Customers can judge their vendors by how they respond to this issue.
>
> OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> On OpenBSD privsep works flawlessly, and I have reports that is also
> true on NetBSD. All other systems appear to have minor or major
> weaknesses when this code is running.
>
> (securityfocus postmaster; please post this through immediately, since
> i have bcc'd over 30 other places..)
> Date: Mon, 24 Jun 2002 15:00:10 -0600
> From: Theo de Raadt <deraadt@cvs.openbsd.org>
> Subject: Upcoming OpenSSH vulnerability
> To: bugtraq@securityfocus.com
> Cc: announce@openbsd.org
> Cc: dsi@iss.net
> Cc: misc@openbsd.org
>
> There is an upcoming OpenSSH vulnerability that we're working on with
> ISS. Details will be published early next week.
>
> However, I can say that when OpenSSH's sshd(8) is running with priv
> seperation, the bug cannot be exploited.
>
> OpenSSH 3.3p was released a few days ago, with various improvements
> but in particular, it significantly improves the Linux and Solaris
> support for priv sep. However, it is not yet perfect. Compression is
> disabled on some systems, and the many varieties of PAM are causing
> major headaches.
>
> However, everyone should update to OpenSSH 3.3 immediately, and enable
> priv seperation in their ssh daemons, by setting this in your
> /etc/ssh/sshd_config file:
>
> UsePrivilegeSeparation yes
>
> Depending on what your system is, privsep may break some ssh
> functionality. However, with privsep turned on, you are immune from
> at least one remote hole. Understand?
>
> 3.3 does not contain a fix for this upcoming bug.
>
> If priv seperation does not work on your operating system, you need to
> work with your vendor so that we get patches to make it work on your
> system. Our developers are swamped enough without trying to support
> the myriad of PAM and other issues which exist in various systems.
> You must call on your vendors to help us.
>
> Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
> lot of that runs as root. But when UsePrivilegeSeparation is enabled,
> the daemon splits into two parts. A part containing about 2500 lines
> of code remains as root, and the rest of the code is shoved into a
> chroot-jail without any privs. This makes the daemon less vulnerable
> to attack.
>
> We've been trying to warn vendors about 3.3 and the need for privsep,
> but they really have not heeded our call for assistance. They have
> basically ignored us. Some, like Alan Cox, even went further stating
> that privsep was not being worked on because "Nobody provided any info
> which proves the problem, and many people dont trust you theo" and
> suggested I "might be feeding everyone a trojan" (I think I'll publish
> that letter -- it is just so funny). HP's representative was
> downright rude, but that is OK because Compaq is retiring him. Except
> for Solar Designer, I think none of them has helped the OpenSSH
> portable developers make privsep work better on their systems.
> Apparently Solar Designer is the only person who understands the need
> for this stuff.
>
> So, if vendors would JUMP and get it working better, and send us
> patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
> which supports these systems better. So send patches by Thursday
> night please. Then on Tuesday or Wednesday the complete bug report
> with patches (and exploits soon after I am sure) will hit BUGTRAQ.
>
> Let me repeat: even if the bug exists in a privsep'd sshd, it is not
> exploitable. Clearly we cannot yet publish what the bug is, or
> provide anyone with the real patch, but we can try to get maximum
> deployement of privsep, and therefore make it hurt less when the
> problem is published.
>
> So please push your vendor to get us maximally working privsep patches
> as soon as possible!
>
> We've given most vendors since Friday last week until Thursday to get
> privsep working well for you so that when the announcement comes out
> next week their customers are immunized. That is nearly a full week
> (but they have already wasted a weekend and a Monday). Really I think
> this is the best we can hope to do (this thing will eventually leak,
> at which point the details will be published).
>
> Customers can judge their vendors by how they respond to this issue.
>
> OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> On OpenBSD privsep works flawlessly, and I have reports that is also
> true on NetBSD. All other systems appear to have minor or major
> weaknesses when this code is running.
>
> (securityfocus postmaster; please post this through immediately, since
> i have bcc'd over 30 other places..)