The OpenSSH vulnerability and the disclosure process [LWN.net]

By now, presumably, most of you are running on systems with an updated OpenSSH installed. It has been over a week since the "challenge/response" vulnerability was disclosed; there remains, however, a great deal of controversy over how that disclosure happened. According to one point of view, the OpenSSH team withheld specific information on the vulnerability in order to create fear, bring about massive upgrading, and draw attention away from what is, in the end, an OpenBSD-specific vulnerability. Such a view goes over well in the Linux community, where many users upgraded in a hurry only to find out that they never had been vulnerable in the first place. The real story is more complicated, however; it is worth understanding what was going on and how it reflects on how our security processes work.

The disclosure of a vulnerability is the opening bell of a high-stakes race between crackers, vendors, and system administrators. Crackers will put amazing amounts of time and energy into the rapid creation of exploit tools, which are then distributed to script kiddies and other "black hat" types worldwide. Before those tools are widespread, vendors have to create an updated package, put out an alert, and get system administrators to actually apply those packages. System administrators who lose the race - either because updates were not available, or because they did not apply those updates - run a serious risk of having their systems compromised.

The time window between the disclosure of the vulnerability and the posting of exploit tools can be less than one day.

This grace period before the exploits appear is at the core of why the OpenSSH team acted the way it did. Through careful information and release management, the OpenSSH developers hoped to maximize the amount of time that system administrators had to secure their systems. They wanted OpenSSH users to be able to begin running the race while keeping the crackers sidelined for a little longer.

The first step, thus, was to put out a vague notice that there was a problem, along with an OpenSSH release which contained the problem without actually fixing it. If the OpenSSH team had released a patch which fixed the real problem, it would undoubtedly have been easier for vendors to tell their users if they were vulnerable. It also would have enabled users to secure their systems - if, indeed, they were vulnerable - by simply disabling the challenge/response feature. But it also have given the crackers the information they needed to develop an exploit. Releasing a warning and enabling privilege separation were actions intended to deny the crackers access to that information. As OpenSSH maintainer Theo de Raadt tells us:

The warning permitted the community to move to privsep, filter their networks, or disable ssh for a window of time until a new one arrived.

In fact, according to the fourth version of the OpenSSH advisory, even telling users about other workarounds would have released too much information:

We could not alert the community that disabling ChallengeResponseAuthentication solved the problem, since this would highlight that the bug is in about 500 out of 27,000 lines of code.

For most security vulnerabilities, the accepted procedure is to notify vendor security contacts before the community as a whole so that they can prepare an updated package for their users. There are special, "security contacts only" mailing lists which exist for just this sort of notification. In this case, that procedure was not followed; vendors were told no more than anybody else about the nature of the vulnerability. This was a cause for some disgruntlement in the vendor community, which did not like having its response managed in this way. According to Mark Cox, who handles security at Red Hat:

At Red Hat we try to backport security fixes if that means they will have a lower impact on our users and therefore be easier to install. We try to avoid switching users to new upstream versions of software where there have been significant non-security fixes also added. In this particular case we were asked by the OpenSSH team to switch our userbase onto a brand new release of OpenSSH that had a significant functionality change, and one that was not completely working in all cases.

In fact, when the final Red Hat advisory came out, it noted that most users were not vulnerable and provided a patched version of OpenSSH 3.1. Until the disclosure, however, Red Hat (and other distributors) had no option other than preparing a full OpenSSH 3.3 package, fixing the problems, and pushing it onto the users. Keeping the vulnerability information secret most certainly made life harder for distributors. Now that the information is out and the hole closed, distributors like Red Hat can prepare OpenSSH 3.4 packages with full testing prior to release.

The OpenSSH team did not disclose the vulnerability to vendors for a simple reason: they did not trust those vendors to keep the information secret. Quoting Theo de Raadt again:

It has been shown that these mailing lists do not work, and that they leak information into blackhat or public forums very quickly...

I've seen leaks happen. Last week, the resolver issue was released extremely quickly (too quickly I think) because leaks started moving through the FreeBSD and NetBSD communities within hours of their security contacts being informed.

It does not help, of course, that there are some 80 vendors which ship OpenSSH in some product or other. This remains a disturbing claim, however: the free software security contact mechanism, it is said, is not secure. Then again, perhaps the old Ben Franklin quote applies: three may keep a secret if two of them are dead. It is almost certainly unrealistic to expect 80 vendors to keep something under wraps for very long.

So how can our community function in the claimed absence of a working security infrastructure? Should all vulnerabilities be handled the way this one was? The OpenSSH team claims that this bug was special, for a couple of reasons. One is that OpenSSH is now nearly ubiquitous - there are far more ssh servers exposed to the net than web servers, for example. Thus the vulnerability had to be handled with extra care. The other reason, of course, was that there was a way to protect users against exploits without (immediately) disclosing the nature of the problem. From the OpenSSH advisory:

We feel that this method of releasing served the community best for a "contained" vulnerability of this kind. We do not suggest this is necessarily the correct information release process for all problems, and as firm believers of full disclosure have never suggested that, though we believe that disclosure must be carefully handled.

The real answer, according to Theo, is "fast vendors." In the end, for most users, it is still a matter of how quickly their distributor makes an update available. In this case, the first OpenSSH exploit turned up on Bugtraq 22 hours after the disclosure went out. Opinions certainly differ on the best way to give users a head start, but security in the modern world is still a race.

(As a postscript, the OpenSSH team is recommending that all users upgrade to 3.4, even if they are not vulnerable to this particular problem. It has "lots of other fixes people need.")

to post comments

The OpenSSH vulnerability and the disclosure process

Posted Jul 4, 2002 2:57 UTC (Thu) by jasone (subscriber, #2423) [Link] (3 responses)

Perhaps the OpenSSH developers had good intentions when they decided how to divulge the security problems with their software, but in practice there were serious problems with their approach. Forcing users to update to the most recent release is unreasonable. Anyone with a basic understanding of software engineering knows that as changes are made to software, corresponding bugs are introduced (statistically speaking). Perhaps there are many important fixes in the newest release, but there are also feature additions, which surely means new bugs. For me personally, the OpenSSH team's disclosure strategy was equivalent to a denial of service attack, since I felt the only reasonable option was to disable ssh completely until I could assess the vulnerability of my systems.

The OpenSSH vulnerability and the disclosure process

Posted Jul 4, 2002 8:00 UTC (Thu) by beejaybee (guest, #1581) [Link] (2 responses)

> Perhaps the OpenSSH developers had good intentions when they decided how to divulge the security problems with their software, but in practice there
were serious problems with their approach.

Same applies to ISS... In principle I want to know that I can _expect_ an attack. Vigilance is perhaps the most important part of system security, though it is certainly expensive in human resources; directed vigilance at specified highlighted weaknesses therefore helps (though is, of course, not adequate in itself).

> Forcing users to update to the most recent release is unreasonable.

Agreed. Though in this case the changes from (say) v3.1 to v3.4 are not hard to assimilate in a working environment. Ideally I'd like to have seen "official" backported patches for the 3.x series as well as the release of v3.4. That would have given us a choice between jumping to v3.4, waiting for an official release (in some cases of an unofficial backport) from our favoured supplier, or accepting reduced functionality. However the OpenSSH team certainly deserve credit for the speed with which they acted, and the way in which their action uncovered other vulnerabilities.

> I felt the only reasonable option was to disable ssh completely until I could assess the vulnerability of my systems.

Your choice. My personal view is that a service must be maintained, and that withdrawing SSH would only encourage the deployment of other protocols (telnet, ftp, rcp, rlogin etc) which by their very nature are more risky than SSH. If you're really paranoid, disconnect your system from the Net - that's the only way to be absolutely sure you won't suffer remote compromise!

The OpenSSH vulnerability and the disclosure process

Posted Jul 4, 2002 8:24 UTC (Thu) by edmundo (guest, #616) [Link] (1 responses)

"withdrawing SSH would only encourage the deployment of other
protocols (telnet, ftp, rcp, rlogin etc) which by their very nature
are more risky than SSH"

I'm not sure about that: telnet is vulnerable to packet sniffing, but
at least a bug-free telnetd is safe against worms and script kiddies.

By the way, there is at least one alternative implementation of sshd:
http://www.net.lut.ac.uk/psst/

The OpenSSH vulnerability and the disclosure process

Posted Jul 4, 2002 10:08 UTC (Thu) by beejaybee (guest, #1581) [Link]

> I'm not sure about that: telnet is vulnerable to packet sniffing, but
at least a bug-free telnetd is safe against worms and script kiddies.

Umm. Telnet access to your host is vulnerable to keystroke trapping on any system used to access your host, as well as packet sniffing. Even if you only give away an unpriveleged username/password combo, ways may exist to exploit this directly or through privelege escalation due to bugs in unrelated programs.

System compromise is a problem relevant to ssh/telnet/ftp style access; but worms aren't, since there is no direct way for them to propogate, unless the system has already been compromised.

There seem to be a lot of systems around running versions of telnetd which are undoubtedly not bug-free; even those versions of telnetd which have no _known_ vulnerabilities are in any case probably just as insecure as ssh.

I stand by my previous comment.

Other SSHs

Posted Jul 4, 2002 11:07 UTC (Thu) by job (guest, #670) [Link]

This is a time to think of the other SSH implementations out there. There is the non-free (but free-of-charge) at ssh.com, and then there's GNU lsh which has matured a lot and is all GPLed.

The OpenSSH vulnerability and the disclosure process

Posted Jul 4, 2002 21:57 UTC (Thu) by DeletedUser2440 ((unknown), #2440) [Link]

Perhaps if Theo wouldn't have done the advisory mail Theo style, flaming people for not upgrading to a broken version of openssh, he wouldn't be seen as a flamer.

Presentation really does matter.

Theo de Raadt is very good in what he does. Too bad he knows it so well.