Crying wolf over OpenSSH

By Jake Edge
July 15, 2009

In the security world, there is always tension between under- and over-reporting of vulnerabilities: not only between the "full" and "responsible" disclosure camps, but also among those trying to make sure that users are aware of the most recent attacks. Sometimes that leads to reports that eventually turn out to be incomplete, overstated, or flat-out wrong. There is value even in incorrect reports, though; at a minimum they can raise the profile of the most vulnerable of services—reminding administrators to update and/or reconfigure the affected program—which may reduce the impact of the next exploit.

For many reasons, ssh vulnerabilities—or purported vulnerabilities—are treated differently from others. Had this been a report of yet another content management system cross-site scripting flaw or Wireshark dissector bug, it would not have gotten much, if any, notice. But ssh is one service that is turned on for nearly every server on the internet; without it, many administrators couldn't access the server to handle important tasks, security updates for example.

In addition, many internet servers have just a few trusted users, which may—unfortunately—make their administrators rather sanguine about patching local privilege escalation flaws. That makes any way to subvert ssh and obtain that local access a much more dangerous flaw. Many administrators also allow root to log in remotely, so an ssh vulnerability might lead to root privileges without needing an additional privilege escalation flaw.

It is safe to say that exploitable ssh vulnerabilities are very high on the list of things that keep system administrators up at night. So that makes it rather easy to stir up a firestorm of publicity by reporting one. The Internet Storm Center (ISC) was one of the first to report on the rumored OpenSSH vulnerability (which we also passed along). The whole thing got started with a post to the full-disclosure mailing list that purported to show an ssh "zero-day" exploit compromising a server in New Zealand.

It wasn't very long before folks realized that it was likely the result of a "brute force" attack against a user password, but there was enough "chatter" of various sorts (see the updates on the ISC post) that it was difficult to be sure. In the end, we still aren't completely sure, but OpenSSH developer Damien Miller posted his belief that there was no ssh zero-day; ISC also posted a notice calling the vulnerability reports bogus. In the absence of any more information, those would seem to close the book on this vulnerability.

While it was a bit of a fire drill, it is likely that the reports led to some system administrators taking a look at their ssh installation to make sure it was up to date. They may also have tightened up their configuration in ways that might lessen the chances of a vulnerability affecting their systems. Disallowing root logins, requiring key-based instead of password-based logins, or restricting ssh access to certain IP addresses are all steps that administrators may have taken. Perhaps it was needless in this case, but a general tightening up of ssh configuration is likely to be helpful in fending off brute-force or other attacks down the road.
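As an added illustration, not from the article, here is a small audit of an sshd_config against the three tightening steps just listed. The two configuration texts are constructed samples; the check on ChallengeResponseAuthentication goes slightly beyond the article's list because keyboard-interactive authentication can keep password prompts alive after PasswordAuthentication is turned off.

```python
import re

# Constructed sample of a permissive sshd_config; the duplicated keyword
# shows a quirk that fools quick greps: sshd keeps the FIRST value it sees.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""

# The same host after the three tightening steps the article lists.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers admin@192.0.2.10 ops@203.0.113.0/24
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

def parse_global(config_text):
    """Global settings (lowercase keyword -> value). sshd keeps the first
    occurrence of a keyword; a Match line ends the global section."""
    settings = {}
    for raw in config_text.splitlines():
        m = re.match(r"(\w+)\s*=?\s*(.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit(config_text):
    """One finding per article recommendation the config fails to meet."""
    s = parse_global(config_text)
    findings = []
    # 'yes' by default before OpenSSH 7.0; the article wants root logins off.
    if s.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin: root may log in over ssh")
    # both default to 'yes'; keyboard-interactive (PAM) can still ask for a password
    if (s.get("passwordauthentication", "yes") != "no"
            or s.get("challengeresponseauthentication", "yes") != "no"):
        findings.append("password logins are still possible")
    # user@host entries in AllowUsers tie each account to a source address.
    if not any("@" in e for e in s.get("allowusers", "").split()):
        findings.append("AllowUsers: no source-address restriction")
    return findings
```

Settings inside Match blocks are deliberately ignored here; a fuller audit would evaluate them against the address ranges they apply to.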

Brief items

DHCP server can take over client (The H)

The H warns of a DHCP client vulnerability which allows a hostile server to take over the system. "According to Marcus Meissner from SUSE, the vulnerability doesn't affect Red Hat and SUSE because their source code includes the FORTIFY_SOURCE feature. With it, the GNU Compiler Collection (GCC) knows how large the buffer is, including the maximum size. The glibc gets the buffer size information and uses a version of strcpy() that checks and makes sure that no more than 20 bytes are copied. If the buffer is greater, then the program is aborted."

New vulnerabilities

acroread: multiple vulnerabilities

Package(s): acroread
CVE #(s): CVE-2009-1492, CVE-2009-1493
Created: July 13, 2009
Updated: July 15, 2009

From the Gentoo advisory:

Arr1val reported that multiple methods in the JavaScript API might lead to memory corruption when called with crafted arguments (CVE-2009-1492, CVE-2009-1493).

Gentoo 200907-06 acroread 2009-07-12

apache: multiple vulnerabilities

Package(s): apache
CVE #(s): CVE-2009-1890, CVE-2009-1891
Created: July 9, 2009
Updated: December 7, 2009

Description: Apache has two denial of service vulnerabilities. From the Mandriva alert:

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests (CVE-2009-1890).

Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects (CVE-2009-1891).

Mandriva MDVSA-2009:323 apache 2009-12-07
rPath rPSA-2009-0154-1 httpd 2009-11-24
Red Hat RHSA-2009:1580-02 httpd 2009-11-11
Fedora FEDORA-2009-8812 httpd 2009-08-20
Ubuntu USN-802-2 apache2 2009-08-19
CentOS CESA-2009:1205 httpd 2009-08-10
Red Hat RHSA-2009:1205-01 httpd 2009-08-10
Slackware SSA:2009-214-01 httpd 2009-08-03
Debian DSA-1834-2 apache2 2009-07-31
Mandriva MDVSA-2009:168 apache 2009-07-28
Debian DSA-1834 apache2 2009-07-15
Red Hat RHSA-2009:1156-01 httpd 2009-07-14
Ubuntu USN-802-1 apache2 2009-07-13
CentOS CESA-2009:1148 httpd 2009-07-14
Gentoo 200907-04 apache 2009-07-12
Red Hat RHSA-2009:1148-01 httpd 2009-07-09
Mandriva MDVSA-2009:149 apache 2009-07-09
rPath rPSA-2009-0142-1 httpd 2009-11-12
rPath rPSA-2009-0142-2 httpd 2009-11-12
CentOS CESA-2009:1580 httpd 2009-11-12
SuSE SUSE-SA:2009:050 apache2,libapr1 2009-10-26

camlimages: integer overflow

Package(s): camlimages
CVE #(s): CVE-2009-2295
Created: July 14, 2009
Updated: June 1, 2010

Description: From the Debian advisory: Tielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution.

Gentoo 201006-02 camlimages 2010-06-01
Fedora FEDORA-2009-7491 ocaml-camlimages 2009-07-11
Fedora FEDORA-2009-7494 ocaml-camlimages 2009-07-11
Debian DSA-1832-1 camlimages 2009-07-13
Mandriva MDVSA-2009:286 ocaml-camlimages 2009-10-21

dbus: policy bypass

Package(s): dbus
CVE #(s): CVE-2009-1189
Created: July 14, 2009
Updated: May 3, 2011

Description: From the Ubuntu advisory: It was discovered that the D-Bus library did not correctly validate signatures. If a local user sent a specially crafted D-Bus key, they could spoof a valid signature and bypass security policies.

SUSE SUSE-SR:2011:008 java-1_6_0-ibm, java-1_5_0-ibm, java-1_4_2-ibm, postfix, dhcp6, dhcpcd, mono-addon-bytefx-data-mysql/bytefx-data-mysql, dbus-1, libtiff/libtiff-devel, cifs-mount/libnetapi-devel, rubygem-sqlite3, gnutls, libpolkit0, udisks 2011-05-03
Red Hat RHSA-2010:0018-01 dbus 2010-01-07
CentOS CESA-2010:0018 dbus 2010-01-08
Mandriva MDVSA-2009:256-1 dbus 2009-12-05
Mandriva MDVSA-2009:256 dbus 2009-10-06
Debian DSA-1837-1 dbus 2009-07-18
Ubuntu USN-799-1 dbus 2009-07-13

dhcp: arbitrary code execution

Package(s): dhcp3
CVE #(s): CVE-2009-0692
Created: July 15, 2009
Updated: January 27, 2010

From the Red Hat advisory:

The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692)

Ubuntu USN-803-2 dhcp3 2010-01-27
Mandriva MDVSA-2009:312 dhcp 2009-12-03
Fedora FEDORA-2009-8344 dhcp 2009-08-07
Debian DSA-1833-2 dhcp3 2009-08-25
Mandriva MDVSA-2009:151 dhcp 2009-07-15
CentOS CESA-2009:1154 dhcp 2009-07-15
Ubuntu USN-803-1 dhcp3 2009-07-14
SuSE SUSE-SA:2009:037 dhcp-client 2009-07-15
Slackware SSA:2009-195-01 dhcp 2009-07-15
Red Hat RHSA-2009:1136-01 dhcp 2009-07-14
Red Hat RHSA-2009:1154-02 dhcp 2009-07-14
Gentoo 200907-12 dhcp 2009-07-14
Debian DSA-1833-1 dhcp3 2009-07-14
Fedora FEDORA-2009-9075 dhcp 2009-08-27

dhcp: arbitrary file overwrite

Package(s): dhcp
CVE #(s): CVE-2009-1893
Created: July 15, 2009
Updated: July 16, 2009

From the Red Hat advisory:

An insecure temporary file use flaw was discovered in the DHCP daemon's init script ("/etc/init.d/dhcpd"). A local attacker could use this flaw to overwrite an arbitrary file with the output of the "dhcpd -t" command via a symbolic link attack, if a system administrator executed the DHCP init script with the "configtest", "restart", or "reload" option. (CVE-2009-1893)

CentOS CESA-2009:1154 dhcp 2009-07-15
Red Hat RHSA-2009:1154-02 dhcp 2009-07-14

dhcp: denial of service

Package(s): dhcp3
CVE #(s): CVE-2009-1892
Created: July 15, 2009
Updated: December 4, 2009

From the Debian advisory:

Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap. (CVE-2009-1892)

Mandriva MDVSA-2009:312 dhcp 2009-12-03
Fedora FEDORA-2009-8344 dhcp 2009-08-07
Debian DSA-1833-2 dhcp3 2009-08-25
Gentoo 200908-08 dhcp 2009-08-18
Mandriva MDVSA-2009:172 dhcp 2009-07-28
Fedora FEDORA-2009-9075 dhcp 2009-08-27
Debian DSA-1833-1 dhcp3 2009-07-14

djbdns: unconstrained offsets

Package(s): djbdns
CVE #(s): CVE-2009-0858
Created: July 14, 2009
Updated: July 15, 2009

Description: From the Debian advisory: Matthew Dempsky discovered that Daniel J. Bernstein's djbdns, a Domain Name System server, does not constrain offsets in the required manner, which allows remote attackers with control over a third-party subdomain served by tinydns and axfrdns, to trigger DNS responses containing arbitrary records via crafted zone data for this subdomain.

Debian DSA-1831-1 djbdns 2009-07-13

libtiff: arbitrary code execution

Package(s): tiff
CVE #(s): CVE-2009-2347
Created: July 14, 2009
Updated: March 8, 2011

Description: From the Ubuntu advisory: Tielei Wang and Tom Lane discovered that the TIFF library did not correctly handle certain malformed TIFF images. If a user or automated system were tricked into processing a malicious image, an attacker could execute arbitrary code with the privileges of the user invoking the program.

Gentoo 201209-02 tiff 2012-09-23
Oracle ELSA-2012-0468 libtiff 2012-04-12
Mandriva MDVSA-2011:043 libtiff 2011-03-08
rPath rPSA-2010-0064-1 libtiff 2010-10-17
Mandriva MDVSA-2009:169-1 libtiff 2009-12-03
SuSE SUSE-SR:2009:014 dnsmasq, icu, libcurl3/libcurl2/curl/compat-curl2, Xerces-c/xerces-j2, tiff/libtiff, acroread_ja, xpdf, xemacs, mysql, squirrelmail, OpenEXR, wireshark 2009-09-01
Gentoo 200908-03 tiff 2009-08-07
Mandriva MDVSA-2009:169 libtiff 2009-07-28
CentOS CESA-2009:1159 libtiff 2009-07-23
Fedora FEDORA-2009-7775 libtiff 2009-07-19
Fedora FEDORA-2009-7724 libtiff 2009-07-19
Red Hat RHSA-2009:1159-01 libtiff 2009-07-16
Debian DSA-1835-1 tiff 2009-07-15
Mandriva MDVSA-2009:150 libtiff 2009-07-13
Ubuntu USN-801-1 tiff 2009-07-13

mumbles: unsafe shell usage

Package(s): mumbles
CVE #(s): (none listed)
Created: July 13, 2009
Updated: July 15, 2009

From the Red Hat bugzilla entry:

The Firefox plugin uses os.system in an insecure fashion.

Version-Release number of selected component (if applicable): mumbles-0.4-1.fc10

    def open_uri(self, uri):
        mime_type = gnomevfs.get_mime_type(uri)
        application = gnomevfs.mime_get_default_application(mime_type)
        # uri is spliced straight into a shell command line; a '"' inside it
        # ends the quoted argument and whatever follows is parsed by the shell
        os.system(application[2] + ' "' + uri + '" &')

This would be much better written to use the subprocess module with an argument list like [application[2], uri], or else to use the shell's own substitution mechanism, like this:

os.environ['URI'] = uri
# the shell expands $URI itself, so the URI's contents are never parsed as shell syntax
os.system(application[2] + ' "$URI" &')
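As an added illustration (not code from the mumbles project or the bug report), the string the original open_uri() built is shown next to the argument-list form the report recommends; HOSTILE_URI, HANDLER and ECHO_ARGV are constructed stand-ins for a hostile link, the gnomevfs handler and a browser.

```python
import shlex
import subprocess
import sys

# Constructed sample URI carrying shell metacharacters. With the original
# os.system() concatenation, the text after the embedded '"' is no longer
# part of the URI; the shell reads it as further commands.
HOSTILE_URI = 'http://example.invalid/"; id; echo "x'

# Stand-in for application[2] from the gnomevfs lookup (hypothetical).
HANDLER = "firefox"

# Hypothetical handler that just prints its first argument, so the test can
# see what the child process receives without launching a real browser.
ECHO_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def vulnerable_command(application, uri):
    """The exact string the original open_uri() handed to os.system()."""
    return application + ' "' + uri + '" &'


def shell_words(command):
    """Tokenise a command line the way /bin/sh would, without executing it."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def open_uri_safe(argv_prefix, uri):
    """Hardened form: the URI travels as one argv element and no shell runs.

    The real handler would use subprocess.Popen() and not wait, which is what
    the trailing '&' was for; subprocess.run() is used here so the child's
    output can be inspected."""
    proc = subprocess.run(argv_prefix + [uri], capture_output=True,
                          text=True, check=True)
    return proc.stdout.rstrip("\n")
```

shell_words() on the vulnerable string yields separate ';', 'id' and '&' tokens, while open_uri_safe() hands the same URI to the child intact as a single argument.
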
Fedora FEDORA-2009-7498 mumbles 2009-07-11

sork-passwd-h3: cross-site scripting

Package(s): sork-passwd-h3
CVE #(s): CVE-2009-2360
Created: July 13, 2009
Updated: September 14, 2009

From the Debian advisory:

It was discovered that sork-passwd-h3, a Horde3 module for users to change their password, is prone to a cross-site scripting attack via the backend parameter.

Gentoo 200909-14 horde 2009-09-12
Debian DSA-1829-2 sork-passwd-h3 2009-07-14
Debian DSA-1829-1 sork-passwd-h3 2009-07-11

Page editor: Jake Edge

Copyright © 2009, Eklektix, Inc.