RUMOR: OpenSSH exploit

The Internet Storm Center is reporting on rumors of an active OpenSSH exploit. Note the key word at this point: "rumors." What information exists suggests that the alleged exploit only works on older OpenSSH implementations. So it might not be a bad idea to ensure that your systems are current regardless of how this rumor plays out.

Works both ways

Posted Jul 7, 2009 18:30 UTC (Tue) by ncm (guest, #165) [Link] (5 responses)

If I had discovered an exploit that only worked on new releases of OpenSSH, I might want to start such a rumor so my targets might make themselves vulnerable by installing such a release.

Works both ways

Posted Jul 7, 2009 18:32 UTC (Tue) by ESRI (guest, #52806) [Link] (4 responses)

Alternately, if you discovered an exploit that worked only on an older version of OpenSSH, you might want to suggest what you just did so that we'd avoid installing a newer release and instead stick to the older, vulnerable version.

We're onto you!!

Works both ways

Posted Jul 7, 2009 20:50 UTC (Tue) by drfickle (guest, #1093) [Link] (2 responses)

Inconceivable!

Works both ways

Posted Jul 8, 2009 7:34 UTC (Wed) by jengelh (guest, #33263) [Link]

This is heavy. :-)

The question is ...

Posted Jul 8, 2009 21:39 UTC (Wed) by kmself (guest, #11565) [Link]

... are you the kind of cracker who'd put the exploit in the version in
front of you, or the version in front of me?

Now ... where was I?

Works both ways

Posted Jul 8, 2009 1:05 UTC (Wed) by ncm (guest, #165) [Link]

Ah, but then who started the rumor, and why?

What's "older"?

Posted Jul 7, 2009 18:31 UTC (Tue) by madscientist (subscriber, #16861) [Link] (4 responses)

Too bad no one is able to say what "older" means here. I have lots of Red Hat EL 4 systems, for example, that run OpenSSH 3.9p1 plus lots of Red Hat backported fixes. Is that "older"? It's certainly older (version-wise anyway) than what's on my Ubuntu 8.10 systems (OpenSSH 5.1p1).

Sigh. Well, someone will find out pretty soon I imagine.

What's "older"?

Posted Jul 7, 2009 19:03 UTC (Tue) by Thue (guest, #14277) [Link] (3 responses)

At http://secer.org/hacktools/0day-openssh-remote-exploit.html the attack is against OpenSSH 4.3, FWIW.

What's "older"?

Posted Jul 7, 2009 22:38 UTC (Tue) by charlieb (guest, #23340) [Link]

If the transcript is undoctored, the target system is not vanilla RHEL5:

2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata
Apache/2.2.11

What's "older"?

Posted Jul 8, 2009 12:52 UTC (Wed) by kpower (guest, #37136) [Link] (1 responses)

How much of that transcript is doctored?

How much of that is real?

How much is the result of social engineering?

How much is the result of harvesting passwords?

I think it's fake

Posted Jul 8, 2009 14:30 UTC (Wed) by dskoll (subscriber, #1630) [Link]

I think someone compromised the machine through some other method like brute-forcing the password, and then doctored the transcript.

Nevertheless, I've played it safe and firewalled off SSH on all my Internet-facing machines except from friendly IPs. I guess we'll see in the next few days...

RUMOR: OpenSSH exploit

Posted Jul 8, 2009 14:36 UTC (Wed) by ESRI (guest, #52806) [Link]

This post may be of interest (from the openssh-unix-dev list).

Fake.

Posted Jul 8, 2009 16:09 UTC (Wed) by asdlfiui788b (guest, #58839) [Link] (1 responses)

I'm getting tired of this shit. Own my box or shut up. No more rumors, no more speculation. It's fake BECAUSE there's no evidence to support it. I know it's been a while since Kaminsky found that exploit in the sky that made it fall, but that doesn't mean we need any more hype; especially if nothing's wrong.

Fake.

Posted Jul 10, 2009 18:45 UTC (Fri) by jlokier (guest, #52227) [Link]

I've seen a box owned by cracking an SSH flaw before, a few years ago.
It's very annoying - one likes to trust SSH.


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds