Guess What? Serious Flaw Found in OpenSSH
CERT | 9/16/2003 | CERT (Jason A Rafail)
Posted on 09/16/2003 6:50:50 PM PDT by Bush2000
CERT Advisory
Vulnerability Note VU#333628
OpenSSH contains a buffer management error
Some versions of the OpenSSH server contain a buffer management error. While the full impact of this vulnerability is unclear, this may lead to memory corruption and a denial of service situation.
(Excerpt) Read more at kb.cert.org ...
TOPICS: Technical
KEYWORDS: openssh
1 posted on 09/16/2003 6:50:51 PM PDT by Bush2000
To: Bush2000
Heh heeeeeeeeee....
2 posted on 09/16/2003 6:52:44 PM PDT by TomServo ("Upon further review, the refs find that Cody is dead. The play stands -- Cody is dead.")
To: Bush2000
To: Bush2000
And every organization that uses OpenSSH based on the possibly buggy code was able to get a patch along with the source code of the program in less than a day, free of charge. Most distributions of Unix and Linux do not have "sshd" turned on by default, unlike Microsoft's DCOM system that allowed Blaster and Nachi to easily infect thousands upon thousands of computers.
Not that I am complaining about Microsoft, Bill's buggy OS pays my bills.
4 posted on 09/16/2003 7:06:19 PM PDT by toupsie
To: shadowman99
What is SSH? And does this have any significance to the normal computer-using peon?
5 posted on 09/16/2003 7:08:27 PM PDT by Cheapskate (Cali"; Behold The Glory Of, Of the Royal Scam")
To: rdb3
Pinging the Penguin Pinger.
Thanks, b2k.
Damn, I hate patching stuff. :-)
6 posted on 09/16/2003 7:11:53 PM PDT by Salo
To: Cheapskate
Think of it as a secure version of telnet. It will most likely not affect you.
7 posted on 09/16/2003 7:13:09 PM PDT by Salo
To: Cheapskate
SSH is secure shell. It is a method to "securely" communicate to a Unix or Unix-like operating system -- it can run on a Windows system using cygwin. For sysadmins, it is a very handy tool for managing Unix or Unix-like servers and to establish secure channels of communication over the Internet or other untrusted networks. Most of the time, the interaction with the program is text based like old "dumb" terminals.
That's about as basic a description as I can give of SSH. It really is an amazing program with lots of features, but you really have to understand what it does to use it to its fullest.
8 posted on 09/16/2003 7:13:14 PM PDT by toupsie
To: Salo
It actually does a lot more than telnet but that is a really good basic description of SSH. Just hope that Cheapskate knows what telnet is! :P
9 posted on 09/16/2003 7:14:44 PM PDT by toupsie
To: Salo
Thanks, I really doubt it. Using an E machine with 98.
10 posted on 09/16/2003 7:16:26 PM PDT by Cheapskate (Cali"; Behold The Glory Of, Of the Royal Scam")
To: toupsie
"And every organization that uses OpenSSH based on the possibly buggy code was able to get a patch along with the source code of the program in less than a day, free of charge."
The irony....
BTW - it wasn't "possibly" buggy, it was. They wouldn't have had to release a patch if it wasn't. I'd like to use that the next time my programming team gets pegged for a bug, "well, if you didn't use that feature, then you wouldn't have a bug"... LMAO
11 posted on 09/16/2003 7:16:29 PM PDT by RedWing9 (No tag here... Just want to stay vague...)
To: Bush2000
Um, actually there are no confirmed reports at this point of being able to actually cause a crash or break into the system. However, because there is the possibility of that happening, they have released the patch.
12 posted on 09/16/2003 7:24:17 PM PDT by ikka
To: Bush2000
And gosh... I updated all my production machines today without any downtime to customers. No reboot required. Can't say that about weekly MS patches.
13 posted on 09/16/2003 7:27:00 PM PDT by sigSEGV
To: sigSEGV
ping
And I updated machines in several states - no reboot - no interruption of service and within hours, not weeks, as some in Redmond seem to think is soon enough.
14 posted on 09/16/2003 7:34:46 PM PDT by paulk
To: RedWing9
"All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors. It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively."
They were being proactive on a non-default package instead of being reactive to a default package like Microsoft. Don't get me wrong. I benefit financially from Microsoft's poor record on security. Microsoft's inability to produce a secure operating system puts food on my table.
15 posted on 09/16/2003 7:52:08 PM PDT by toupsie
To: sigSEGV
You aren't kidding! I can't figure out for the life of me why Microsoft can't patch a system without it requiring a reboot. Why do I need to reboot a server to upgrade its web browser component? When I patch or upgrade Unix systems, 99% of the time all I am doing is downing a process in memory and replacing it. The only time I can think of that I reboot Unix servers is for a kernel upgrade, which is once every few years.
16 posted on 09/16/2003 7:55:58 PM PDT by toupsie
To: John Robinson; B Knotts; stainlessbanner; TechJunkYard; ShadowAce; Knitebane; AppyPappy; jae471; ...
The Penguin Ping.
Wanna be Penguified? Just holla!

Got root?
17 posted on 09/16/2003 8:08:11 PM PDT by rdb3 (Which is more powerful: The story or the warrior?)
To: toupsie
"You aren't kidding! I can't figure out for the life of me why Microsoft can't patch a system without it requiring a reboot.... When I patch or upgrade Unix systems, 99% of the time all I am doing is downing a process in memory and replacing it."
Microsoft doesn't know how to take down and restart processes without creating system instability.
18 posted on 09/16/2003 8:11:00 PM PDT by supercat (TAG--you're it!)
To: toupsie
Well, let's be completely honest. If you want remote login tools, the best "common" option is ssh, and the best free option in that regard is OpenSSH. Also, it's not a possible exploit, it's a real one -- though that wasn't confirmed until after the code was patched (the exploit wasn't released until after 3.7 was released, probably as a test to see if the suspected exploit fixed in the update really was a problem).
19 posted on 09/16/2003 8:13:52 PM PDT by Dimensio (Sometimes I doubt your commitment to Sparkle Motion!)
To: supercat
"Microsoft doesn't know how to take down and restart processes without creating system instability."
That sounds like a pretty big deficiency.
20 posted on 09/16/2003 8:16:04 PM PDT by Petronski (Calm down. Eat some fruit or something.)