Security
Brief items
OpenSSH 3.4
OpenSSH 3.4 was released just five days after the release of version 3.3. The release closes "at least one major security vulnerability"; upgrading to 3.4 is recommended. Please see the vulnerability report for a list of security alerts from distributors as they become available.

OpenSSH provides a critical entry point to many systems on the net; this could be nasty. If you plan to wait for an update from your distributor, please consider setting UsePrivilegeSeparation yes or ChallengeResponseAuthentication no in sshd_config to avoid the vulnerability. UsePrivilegeSeparation is only available in OpenSSH versions 3.2 and 3.3. Setting ChallengeResponseAuthentication no may impede customary access for some or all of your users.
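The two workarounds above only help on the versions that understand them, and sshd's own config rules (first occurrence of a keyword wins, '#' starts a comment, UsePrivilegeSeparation defaults to no in 3.2 and to yes in 3.3, ChallengeResponseAuthentication defaults to yes) decide whether a given host is actually covered. The following checker is an added example, not code from this page or from the OpenSSH project; it encodes only the version range and the two settings named here, the version-string format "major.minor[.patch][pN]" is an assumption, and the sample sshd_config is constructed.

```python
import re

AFFECTED_FROM = (2, 9, 9)   # first affected release named in the report
FIXED_FROM = (3, 4, 0)      # 3.4 closes the hole


def parse_version(text):
    """'3.3p1' -> (3, 3, 0). The portable-release suffix ('p1') is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError("unrecognised OpenSSH version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def effective_options(config_text):
    """Map lowercased keyword -> value for an sshd_config, following sshd's
    rules: '#' starts a comment and the first occurrence of a keyword wins."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def assess(version, config_text):
    """Return 'not affected', 'mitigated: <setting>' or 'exposed'."""
    v = parse_version(version)
    if not (AFFECTED_FROM <= v < FIXED_FROM):
        return "not affected"
    opts = effective_options(config_text)
    # UsePrivilegeSeparation exists only in 3.2 and 3.3; 3.3 is the first
    # release where it defaults to yes. Earlier sshds reject the keyword.
    if v[:2] in ((3, 2), (3, 3)):
        default = "yes" if v[:2] == (3, 3) else "no"
        if opts.get("useprivilegeseparation", default) == "yes":
            return "mitigated: UsePrivilegeSeparation yes"
    # ChallengeResponseAuthentication defaults to yes, i.e. to the exposed path.
    if opts.get("challengeresponseauthentication", "yes") == "no":
        return "mitigated: ChallengeResponseAuthentication no"
    return "exposed"


# Constructed sample (not a real host's file): a 3.3 host whose admin turned
# privilege separation off and left the challenge-response line commented out.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
UsePrivilegeSeparation no
#ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    print(assess("3.3p1", SAMPLE_CONFIG))
    print(assess("3.3p1", SAMPLE_CONFIG.replace("#Challenge", "Challenge")))
```

Note the commented-out line in the sample: it is the kind of edit that looks like a fix in a diff but leaves the default (yes) in force, which is why the checker resolves defaults per version instead of grepping for the keyword.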
Version 3.3 firmed up "privilege separation" support, and made it the default. Essentially, privilege separation works by splitting the ssh server into two cooperating processes. One process is charged with talking to the network; it runs without privilege. The other process sits back, makes decisions, and hands out privileges when it's convinced that is the right thing to do.
The end result is that there is little to be achieved by compromising the "front line" process. Even if somebody does discover a vulnerability in that code, it cannot be used to gain access to the system. The privileged process, by virtue of its simplicity and its separation from the network, is far easier to verify as being truly secure.
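The split described above (and repeated in the two vulnerability reports further down the page) can be shown in miniature. What follows is an added example, not code from this page or from OpenSSH: a privileged "monitor" forks an unprivileged child, the child can only send requests over a socketpair, and the monitor grants a shell solely on the basis of what it has verified itself. The request format (AUTH user secret, SHELL), the credential store and the messages are all constructed for the demo; a real privsep child would also chroot() and setuid() itself, which the demo only notes in a comment.

```python
import os
import socket


def load_credentials():
    """Constructed credential store for the demo. The monitor loads it after
    the fork, so the unprivileged child never holds a copy in its memory."""
    return {"alice": "correct horse"}


def monitor_decide(state, credentials, request):
    """The monitor's policy for one request line from the unprivileged child.

    `state['user']` stays None until an AUTH request succeeds; only the monitor
    writes it. The child can ask for things, it cannot assert them.
    """
    parts = request.split(" ", 2)
    if parts[0] == "AUTH" and len(parts) == 3:
        user, secret = parts[1], parts[2]
        if credentials.get(user) == secret:
            state["user"] = user
            return "OK"
        return "FAIL"
    if parts[0] == "SHELL" and len(parts) == 1:
        if state["user"] is None:
            return "DENIED"          # a hijacked child cannot skip authentication
        return "GRANTED " + state["user"]
    return "BADREQ"                  # anything malformed is refused, not interpreted


def run_session(messages):
    """Fork a child standing in for the network-facing process; it sends
    `messages`, one per line, over a socketpair. The parent stays behind as the
    monitor and answers each one. Returns the monitor's replies, in order."""
    monitor_end, child_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:                     # child: would be chroot()ed and setuid()ed in sshd
        status = 0
        try:
            monitor_end.close()
            for m in messages:
                child_end.sendall(m.encode() + b"\n")
                child_end.recv(4096)  # wait for the monitor's verdict
            child_end.close()
        except Exception:
            status = 1
        finally:
            os._exit(status)
    child_end.close()                # parent: the monitor
    credentials = load_credentials()
    state = {"user": None}
    replies = []
    with monitor_end.makefile("rb") as requests:
        for line in requests:
            reply = monitor_decide(state, credentials, line.decode().rstrip("\n"))
            replies.append(reply)
            monitor_end.sendall(reply.encode() + b"\n")
    monitor_end.close()
    os.waitpid(pid, 0)
    return replies


if __name__ == "__main__":
    print(run_session(["SHELL", "AUTH alice correct horse", "SHELL"]))
```

The point to take from the demo is where the decision lives: a bug in the child's parsing of network input lets an attacker send any request they like, but the only requests the monitor answers are the few it defines, and it checks its own state before acting on them.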
The 3.4 release closes the serious vulnerability described in advisories from OpenSSH and ISS. The vulnerability prompted a week-long code audit by the OpenSSH team which resulted in "many other fixes. We believe that some of those fixes are likely to be important security fixes."
Updated Apache advisory and response from ISS
The Apache Software Foundation has issued an updated advisory on the "chunk handling" vulnerability. Now that a 32-bit remote exploit is circulating, an Apache upgrade is suggested even more urgently than before.
Meanwhile, ISS has sent out a response to the extensive criticism it has taken for having announced the vulnerability without allowing the ASF (or anybody else) any time to prepare patches. "Due to the general nature of open-source and its openness, the virtual organizations behind the projects do not have an ability to enforce strict confidentiality. By notifying the open source project, its nature is that the information is quickly spread in the wild disregarding any type of quiet period. ISS X-Force minimizes the quiet period and delay of protecting customers by providing a security patch."
If you haven't already, see this week's Leading Items for our opinion.
See the vulnerability report for current information on this problem and distributor alerts.
Papers from "Open Source Software: Economics, Law and Policy"
Two interesting papers considering the relationship between security and open source were presented at the recent conference on Open Source Software: Economics, Law and Policy in Toulouse (France).

- Ross Anderson: "Security in Open versus Closed Systems - The Dance of Boltzmann, Coase and Moore" (PDF format)
  "However, there are more pressing security problems for the open source community. The interaction between security and openness is entangled with attempts to use security mechanisms for commercial advantage - to entrench monopolies, to control copyright, and above all to control interoperability. As an example, I will discuss TCPA, a recent initiative by Intel and others to build DRM technology into the PC platform."
  This paper was also the subject of articles in the New York Times and News.com. For more information and links to related articles, see Ross Anderson's home page.
- Roger Needham: "Security and Open Source" (PDF format)
  "Security problems in software are of course an extremely bad thing, regardless of the business model under which the software was written. I want to consider why anybody thinks that the business model matters, and whether there is evidence that it does. I shall also look somewhat to the future."
Security reports
Acrobat reader 4.05 temporary files
Jarno Huuskonen reports a low-risk possible local file overwrite (symlink attack) in Acrobat Reader 4.05. Acrobat Reader 5.05 for Linux is available from Adobe (registration required). Some Linux distributions include version 4.05.

Duma Photo Gallery System (DPGS) file overwrite vulnerability
The Duma Photo Gallery System has been officially unmaintained since July 30, 2000. This week, a vulnerability was reported that may allow an attacker to use DPGS to overwrite files on the web server.

(Proprietary product) YaBB Cross-Site Scripting vulnerability
A cross-site scripting vulnerability in YaBB 1 Gold SP1 and earlier versions is fixed in YaBB 1 Gold - SP 1.1.
New vulnerabilities
Privilege escalation vulnerability in OpenSSH 2.9.9 through 3.3
Package(s): openssh
CVE #(s):
Created: June 26, 2002
Updated: July 3, 2002
Description: OpenSSH versions 2.9.9 through 3.3 have a bug in input validation which can lead to an integer overflow and privilege escalation. According to the OpenSSH developers: "Systems running with UsePrivilegeSeparation yes or ChallengeResponseAuthentication no are not affected. The 3.4 release contains many other fixes done over a week-long audit started when this issue came to light. We believe that some of those fixes are likely to be important security fixes. Therefore, we urge an upgrade to 3.4."

Upgrading to OpenSSH 3.4 is recommended. See the CERT Advisory and OpenSSH Security Advisory for more information, including patches for the "pre-authentication problem." OpenSSH 3.3 users are encouraged to also read the previous vulnerability report.

OpenSSH 3.2 and later have the bug in input validation but prevent the privilege escalation if privilege separation is enabled by setting UsePrivilegeSeparation yes in sshd_config. Version 3.3 was the first release to turn on privilege separation by default. Essentially, privilege separation works by splitting the ssh server into two cooperating processes. One process is charged with talking to the network; it runs without privilege. The other process sits back, makes decisions, and hands out privileges when it's convinced that is the right thing to do.

CERT Advisory: CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Handling
Alerts:
Privilege Separated OpenSSH 3.3
Package(s): openssh
CVE #(s):
Created: June 24, 2002
Updated: June 26, 2002
Description: The release of OpenSSH 3.3 includes greatly improved support for privilege separation, which is now enabled by default. The process charged with talking to the network now runs without privilege. Upgrading is strongly recommended (see below).

Previously any corruption in the sshd could lead to an immediate remote root compromise if it happened before authentication, and to local root compromise if it happened after authentication. Privilege separation will make such compromise very difficult if not impossible. Or to put it into the words of Theo de Raadt: "Privilege Separation will one day save our asses." So, turn it on now.

When upgrading with a 2.2.x kernel, disabling compression is recommended to avoid this bug, which causes sshd to log a fatal mmap argument error and then crash.

Update: According to this OpenSSH Security Advisory, OpenSSH 3.3 has a serious privilege escalation vulnerability. Please see the new vulnerability report for more information and a list of available alerts.
Alerts:
Resources
Paper on SSH insecurity
A group has put together a paper showing how to "provably fix the SSH protocol." Thanks to "deneb" for forwarding this along to us.
MOPS, a code auditing tool
jose nazario has pointed us to the announcement of MOPS, a code auditing tool. "I wanted to announce a first prototype release of MOPS, a tool designed to help find security bugs in C programs and verify their absence. MOPS lets you statically (at compile time) verify facts about the ordering of security-critical operations in the program."
Linux Security Week and Advisory Watch
The June 24th Linux Security Week and June 21st Linux Advisory Watch newsletters from LinuxSecurity.com are available.
Events
Upcoming Security Events
| Date | Event | Location |
|---|---|---|
| June 27 - 28, 2002 | 14th Annual Computer Security Incident Handling Conference | Hilton Waikoloa Village, Hawaii |
| June 28 - 29, 2002 | Edinburgh Financial Cryptography Engineering 2002 | Edinburgh, Scotland |
| July 31 - August 1, 2002 | Black Hat Briefings 2002 | Caesars Palace Hotel and Resort, Las Vegas, NV, USA |
| August 2 - 4, 2002 | Defcon | Alexis Park Hotel and Resort, Las Vegas, Nevada |
| August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA |
| August 6 - 9, 2002 | CERT Conference 2002 | Omaha, Nebraska, USA |
| August 19 - 21, 2002 | Canadian Security & Intelligence Conference (CSICON) | Hyatt Regency, Calgary, Alberta, Canada |
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Page editor: Dennis Tenney