Posted on 06/27/2002 9:05:34 PM PDT by Bush2000
Critical hole found in encryption program
A popular open-source program for encrypted communications has a serious flaw that could let Internet attackers slip into servers running the software, said its creators and a security company this week. The program, Open Secure Shell (OpenSSH), is included in many widely used operating system distributions, such as OpenBSD 3.0, OpenBSD 3.1 and FreeBSD-Current, all open-source variants of the Unix OS. Such operating systems appear on networking equipment and security appliances, among other things.
The flaw affects versions 3.0 to 3.2.3 of the software, said Grant Slender, principal consultant for Australasia at network protection company Internet Security Systems, which first discovered the vulnerability.
Slender said the flaw is a "buffer overflow" vulnerability, in which a message sent to a program is much longer than the program is designed to expect. Attackers exploit such holes by sending programs more characters than they can accommodate, so that the excess spills into adjacent memory and can be run as executable code.
Because of the flaw, "it is possible for a remote (off-site) attacker to send a specially crafted (message) that triggers an overflow," according to the ISS advisory. "This can result in a remote denial-of-service attack on the OpenSSH daemon." A denial-of-service attack overloads a server with requests for information, tying up the machine indefinitely.
The advisory also said that hackers exploiting the hole would enter a server at the highest level of access. "The OpenSSH daemon runs with superuser privilege, so remote attackers can gain superuser access by exploiting this vulnerability," it said.
ISS has been criticized recently for its handling of another security alert involving a flaw in the popular open-source Apache Web server. ISS alerted the public to the Apache hole the same day it warned the Apache developers, giving the programmers no head start on fixing the flaw. This time, the company gave notice.
Slender said ISS notified OpenSSH's senior developer, who had created a patch. "In this case, we did contact the senior developer and, with his coordination, we worked toward making sure the (programming) community was ready to have the vulnerability announced," he said.
ISS is advising system administrators to disable unused OpenSSH authentication mechanisms.
It's also possible for administrators to remove the vulnerability by disabling the challenge-response authentication parameter within the OpenSSH daemon configuration file, according to the advisory. Slender also said people should upgrade.
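An added example, not from the article or from the OpenSSH project, that audits an sshd_config for the workaround just described. It assumes whitespace-separated "Keyword value" lines, the OpenSSH 3.x default of challenge-response authentication being enabled when the directive is absent, and sshd's rule that the first uncommented value of a keyword is the one used; the configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the workaround in the advisory,
# i.e. whether challenge-response authentication is explicitly disabled.
# Assumptions: whitespace-separated "Keyword value" lines; the directive
# defaults to "yes" when absent (OpenSSH 3.x); sshd(8) uses the FIRST
# uncommented value of a keyword, so a later "no" cannot override an
# earlier "yes".  Returns 0 when the workaround is in place, 1 otherwise.
challenge_response_disabled() {
    effective=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments/blank lines
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); exit                 # first occurrence wins
        }' "$1")
    [ "$effective" = "no" ]
}

# Constructed sample configurations (not real hosts) in a scratch directory.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
vulnerable_cfg="$workdir/sshd_config.vulnerable"
mitigated_cfg="$workdir/sshd_config.mitigated"
first_wins_cfg="$workdir/sshd_config.first_wins"
# Commented-out directive: the default ("yes") still applies.
printf '%s\n' 'Port 22' \
    '#ChallengeResponseAuthentication no' \
    'PasswordAuthentication yes' > "$vulnerable_cfg"
# Keywords are case-insensitive and leading whitespace is allowed.
printf '%s\n' 'Port 22' \
    '   challengeresponseauthentication   no' \
    'PasswordAuthentication yes' > "$mitigated_cfg"
# An earlier "yes" wins over the later "no": still exposed.
printf '%s\n' 'ChallengeResponseAuthentication yes' \
    'ChallengeResponseAuthentication no' > "$first_wins_cfg"

for cfg in "$vulnerable_cfg" "$mitigated_cfg" "$first_wins_cfg"; do
    if challenge_response_disabled "$cfg"; then
        echo "$cfg: challenge-response disabled (workaround in place)"
    else
        echo "$cfg: challenge-response still enabled; set it to no and upgrade"
    fi
done
```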
Information about the vulnerability has been posted on security mailing lists such as Bugtraq and Debian.
Gotta love the response time when there is a named senior developer with a public reputation to uphold.
/john
You are making a terribly flawed assumption. Your statement assumes that every platform is of equal quality and that it is virtually impossible for any platform to be genuinely more secure than another. It also assumes that every platform functions virtually identically and that whatever problems apply to one inherently apply to all of them. If we were talking about cars you'd be arguing essentially that American and European cars only have more problems in the US than major Japanese cars because more people in America drive them and thus they are exposed to a great number of potentially bad drivers and dangerous driving conditions.
Microsoft isn't well-known for preventing problems from occurring by taking long periods of time to test the product thoroughly. It makes up for that with, generally speaking, timely patches. That's good enough for the average person and even most businesses. That is not however good enough for the DoD or other major departments of the federal government responsible for protecting the public 24/7/365.25.
And Bush2000, give it a rest. I have already stated that I don't view Microsoft as the problem and that I am against the government policies such as software patents that protect them from competition. You are starting to become like Scott McCollum in your attempts to paint me as a Microsoft-hating Communist. You have already proven yourself to be totally lost to Bill Gates' cult of personality.
One remote hole in the default install, in nearly 6 years!
Hmmm... Let me see. The article was posted at 10:30 AM Friday. You posted a flag to me at 3:29 PM Friday. What was I doing during all that time? Let me think....
Oh yeah--I was WORKING FOR A LIVING!!!!!
Get off my back. I use MSFT as much or more than Linux--but it's not a religion.
Duly noted. I got back home late Weds. night from spending three days @ Microsoft in Redmond, WA at their Executive Briefing Center.
Microsoft's entire focus right now is on making Windows as secure as Linux. Can you believe that? I wonder if they've seen this article. (smirk)
In all seriousness, they're apparently finally getting around to shipping their OS with everything locked down the way Linux/Unix variants are shipped and forcing users to open up the services they need. Quite a change, well overdue IMO. I remain skeptical that they can actually pull it off. I've heard the same crap from them for 2 years now. (I go twice yearly.)
As far as their DRM (Digital Rights Management) schema is concerned, there ain't no way in HELL I'm ever going to implement MS' version of DRM and give them the keys to my media. They can't even get Passport and .NET services down right. And when I brought those instances up, they suggested that MS would give the "keys" to the Government or to the U.N. (of all things!) to "enforce" Digital Rights in Cyberspace! The uproar in the room when they said that was something. LOL!!!
When MS suggested that the US Gov't would hold the keys to DRM, it was a pretty mellow "No way" from the group. The second they suggested the U.N. everyone in the room pretty much said HELL NO!!! Made me feel good, since I now know I'm not alone (outside of FR) in my anti-UN stance.
I don't suppose you'd like to provide evidence to the contrary.
The availability of source code reduces security holes and reduces the user's exposure to them. No one has claimed that open source eliminates security holes. Last Tuesday when one of the main OpenSSH coders announced this vuln, there were patches within a matter of hours. I had all my machines (Linux and Windows) patched by Thursday.
Oh, and "hackers" do spend more time banging on BSD than Windows. Why do you think there is an Apache worm floating around out there for FreeBSD when the Win32 Apache vulnerability is the most easily exploited?
Why me?
Seems like it worked. What was the turn around time to fix? It certainly seems pretty good.