Red Hat packages are available now via up2date. Gene Joe Budzyn wrote: >I have been following these reports this afternoon. I was waiting for a good >report to share, and they just arrived. I just sent the FreeBSD security >advisory to the msusec mailing list. Here is the OpenBSD advisory. > >From: Chris Wysopal <[log in to unmask]> >Subject: [VulnWatch] OpenSSH Security Advisory: buffer.adv > > >List: openbsd-misc >Subject: OpenSSH Security Advisory: buffer.adv >From: Markus Friedl <markus () openbsd ! org> >Date: 2003-09-16 12:32:15 >[Download message RAW] > >This is the 1st revision of the Advisory. > >This document can be found at: http://www.openssh.com/txt/buffer.adv > >1. Versions affected: > > All versions of OpenSSH's sshd prior to 3.7 contain a buffer > management error. It is uncertain whether this error is > potentially exploitable, however, we prefer to see bugs > fixed proactively. > >2. Solution: > > Upgrade to OpenSSH 3.7 or apply the following patch. > >Appendix: > >Index: buffer.c >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/buffer.c,v >retrieving revision 1.16 >retrieving revision 1.17 >diff -u -r1.16 -r1.17 >--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16 >+++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17 >@@ -69,6 +69,7 @@ > void * > buffer_append_space(Buffer *buffer, u_int len) > { >+ u_int newlen; > void *p; > > if (len > 0x100000) >@@ -98,11 +99,13 @@ > goto restart; > } > /* Increase the size of the buffer and retry. */ >- buffer->alloc += len + 32768; >- if (buffer->alloc > 0xa00000) >+ >+ newlen = buffer->alloc + len + 32768; >+ if (newlen > 0xa00000) > fatal("buffer_append_space: alloc %u not supported", >- buffer->alloc); >- buffer->buf = xrealloc(buffer->buf, buffer->alloc); >+ newlen); >+ buffer->buf = xrealloc(buffer->buf, newlen); >+ buffer->alloc = newlen; > goto restart; > /* NOTREACHED */ > } > > >On Tue, Sep 16, 2003 at 01:59:38PM -0400, Uwe Rossbach wrote: > > >>Does anyone have a confirmation of this slashdot story and Full >>Disclosure posting. The only thing I noticed is that there is a new >>openSSH version (3.7) as of 5 am today on the server in Canada. The >>exploit looks for root access by trying a large number of accounts and >>connection requests. Leading to denial of service if not successful. Uwe >>Rossbach >> >> >> >>" >> >> >> [Full-Disclosure] new ssh exploit? >> >>*christopher neitzert * [log in to unmask] <mailto:chris%40neitzert.com> >>/Mon, 15 Sep 2003 13:48:34 -0400/ >> >> * Previous message: [Full-Disclosure] new ssh exploit? >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html> >> * Next message: [Full-Disclosure] new ssh exploit? >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010120.html> >> * *Messages sorted by:* [ date ] >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/date.html#10116> >> [ thread ] >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.html#10116> >> [ subject ] >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/subject.html#10116> >> [ author ] >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/author.html#10116> >> >> >>------------------------------------------------------------------------ >> >>--=-sz+BJAPCz1yL37OtGOWm >>Content-Type: text/plain >>Content-Transfer-Encoding: quoted-printable >> >>More on this; >> >>The systems in question are FreeBSD, RedHat, Gentoo, and Debian all >>running the latest versions of OpenSSH. >> >>The attack makes an enormous amount of ssh connections and attempts >>various offsets until it finds one that works permitting root login. >> >>I have received numerous messages from folks requesting anonymity or >>direct-off-list-reply confirming this exploit; >> >>The suggestions I have heard are: >> >>Turn off SSH and >> >>1. upgrade to lsh. >> >>or >> >>2. add explicit rules to your edge devices allowing ssh from only-known >>hosts. >> >>or >> >>3. put ssh behind a VPN on RFC-1918 space. >> >>thanks. >> >> >> >> >>On Mon, 2003-09-15 at 12:02, christopher neitzert wrote: >> >> >>>/ Does anyone know of or have source related to a new, and unpublished ssh >>> >>> >>/>/ exploit? An ISP I work with has filtered all SSH connections due to >>/>/ several root level incidents involving ssh. Any information is >>/>/ appreciated. >>/>/=20 >>/>/=20 >>/--=20 >>Christopher Neitzert - GPG Key ID: 7DCC491B >> >>--=-sz+BJAPCz1yL37OtGOWm >>Content-Type: application/pgp-signature; name=signature.asc >>Content-Description: This is a digitally signed message part >> >>-----BEGIN PGP SIGNATURE----- >>Version: GnuPG v1.2.2 (GNU/Linux) >> >>iD8DBQA/ZftxAXFK233MSRsRAuSUAJ9jv5aBH2wVpgv6r4sC4NaA3dnXrACglaxX >>+fZt/6hiarcw2KVtQq1i0Nk= >>=MaEF >>-----END PGP SIGNATURE----- >> >>--=-sz+BJAPCz1yL37OtGOWm-- >> >> >> >>------------------------------------------------------------------------ >> >> * Previous message: [Full-Disclosure] new ssh exploit? >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html> >> * Next message: [Full-Disclosure] new ssh exploit? >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010120.html> >> * *Messages sorted by:* [ date ] >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/date.html#10116> >> [ thread ] >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.html#10116> >> [ subject ] >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/subject.html#10116> >> [ author ] >> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/author.html#10116> >> >> -- *Gene Willacker* Systems Analyst Michigan State University Food Stores Building East Lansing, MI 48824 /1-517-353-1691/