SSH exploit.

drag

Elite Member
Jul 4, 2002
8,708
0
0

There is a new exploit for SSH that can allow unauthorized people to access any server running the latest version of OpenSSH that hasn't been patched to version 3.7 yet.

So if you are running some server on the internet that's not behind a firewall, you need to either turn off SSH or apply the patch.

I know that Debian has this fixed, and an "apt-get update" and "apt-get upgrade" will fix the problem. It's not 3.7, but nonetheless it has been patched and is safe from this attack.


Most every distro has a bug fix for this; if you don't know, check out the status of your distro here.

This is a pretty serious problem.
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
It should be pointed out that the exploitability of this is unknown at present, though.
Of course patching/upgrading is The Right Thing anyway :)
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
hehe if you go to slashdot, every other person claims to have successfully rooted his/her own server using the exploit. :p
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
The issue I saw was that it was using memset() (IIRC) further than it should, and writing zeroes to bad places. I don't know how writing zeroes could execute arbitrary code, but I am no C coder.

So far it seems like all hearsay.
 

Haden

Senior member
Nov 21, 2001
578
0
0
It doesn't seem to be exploitable. Of course updating is very important, but I fear damage can be done by offering fake 3rd party patches/mirrors if admins panic.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Originally posted by: BingBongWongFooey
The issue I saw was that it was using memset() (IIRC) further than it should, and writing zeroes to bad places. I don't know how writing zeroes could execute arbitrary code, but I am no C coder.

So far it seems like all hearsay.


Ya, it probably is, but if it isn't we aren't going to find out for a couple of days. Meanwhile we have the zero-day'ers having some fun with more than a few systems.

Ssh is one of those things I depend on and use to keep everything nice and secure, but accessible, so go figure.

Here are some revision notes (link stolen from slashdot, of course)
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
Originally posted by: drag
hehe if you go to slashdot, every other person claims to have successfully rooted his/her own server using the exploit. :p

Well, I'll admit, I was mostly talking about OpenBSD boxen running OpenSSH; I don't have much of a clue about the situation with other OS's.

Oh well, just finished updating my boxes, so for now I feel rather safe in any case :)
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: Haden
It doesn't seem to be exploitable. Of course updating is very important, but I fear damage can be done by offering fake 3rd party patches/mirrors if admins panic.

It's a good thing we only have two kinds of admins in this world: those who panic and patch with the first piece of code they can get their hands on, and those who never patch at all.
:D

Seriously though, someone will likely come up with something that will take advantage of this exploit, and that's why it's a good idea to patch (from the right source, of course). ;)
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Ya, downloading from ftp sites is the one major gleaming flaw in Linux security.

If one of those servers gets hacked (either through technical means or social engineering), then a successful cracker can infect thousands of machines run by normally astute and reliable admins whose servers would otherwise probably remain inaccessible.

edit: It's happened before. I believe a server distributing source code for bind (I think) was infected with modified code where it opened up a backdoor for a cracker to gain access to a system... Stuff like that made me realise the importance of md5 checksums when downloading packages and stuff. (Of course, this only works when the md5sum is stored on a separate and secure server.)
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
I suppose you could say that this is one instance where security by obscurity works.

Of course, the obvious solution is to have the MD5sum located on the website for the package and not on the mirror servers, so that you can verify your checksum from the download server against the referring server.
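The point drag and spyordie007 make above (a checksum only protects you if it comes from somewhere other than the mirror that served the file) is easy to show in code. The following is an added example, not code from this thread or from any distribution's package tooling. The package bytes, the checksum lists and the filename openssh-3.7.tar.gz are all constructed here for illustration; it uses MD5 because that is what the thread discusses, and the same code works unchanged with "sha256" as the algorithm name.

```python
import hashlib
import hmac

# Constructed sample "package" contents, standing in for a tarball fetched from a mirror.
GOOD_PACKAGE = b"openssh-3.7 source tree (constructed sample bytes)\n"
# The same package with one byte appended, as a compromised mirror serving modified code would.
TAMPERED_PACKAGE = b"openssh-3.7 source tree (constructed sample bytes)!\n"

PACKAGE_NAME = "openssh-3.7.tar.gz"  # constructed filename, not a real download

# Checksum list in md5sum output format ("DIGEST  FILENAME"), as the project's own
# website would publish it. Computed here from the known-good bytes.
TRUSTED_CHECKSUMS = hashlib.md5(GOOD_PACKAGE).hexdigest() + "  " + PACKAGE_NAME + "\n"

# Checksum list as served by the compromised mirror itself: whoever replaced the
# package simply regenerated the digest, so it matches the tampered bytes.
MIRROR_CHECKSUMS = hashlib.md5(TAMPERED_PACKAGE).hexdigest() + "  " + PACKAGE_NAME + "\n"


def parse_checksum_list(text):
    """Parse md5sum/sha256sum-style lines into {filename: hex digest}.

    Blank lines and '#' comments are skipped; a leading '*' (binary-mode marker)
    on the filename is dropped so lookups by plain name work.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep:
            continue  # malformed line: ignore rather than guess
        table[name.lstrip("*")] = digest.lower()
    return table


def verify_download(data, filename, checksum_text, algo="md5"):
    """Return True only if the digest of `data` matches the published entry for `filename`.

    A missing entry is treated as a failure: never fall back to "no checksum, assume OK".
    """
    expected = parse_checksum_list(checksum_text).get(filename)
    if expected is None:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    # compare_digest avoids leaking where the strings first differ; harmless here, good habit.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Checking the mirror's file against the mirror's own checksum list proves nothing:
    print("tampered vs mirror list :", verify_download(TAMPERED_PACKAGE, PACKAGE_NAME, MIRROR_CHECKSUMS))
    # Checking it against the digest published on a separate server catches the change:
    print("tampered vs trusted list:", verify_download(TAMPERED_PACKAGE, PACKAGE_NAME, TRUSTED_CHECKSUMS))
    print("good vs trusted list    :", verify_download(GOOD_PACKAGE, PACKAGE_NAME, TRUSTED_CHECKSUMS))
```

Run as a script it prints True, False, True: the tampered download passes when its checksum list comes from the same mirror, and fails only when the digest is fetched from the project's own site, which is exactly why the md5sum has to live somewhere the mirror operator cannot rewrite.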