Red Hat packages are available now via up2date.
Gene
Joe Budzyn wrote:
>I have been following these reports this afternoon. I was waiting for a good
>report to share, and they just arrived. I just sent the FreeBSD security
>advisory to the msusec mailing list. Here is the OpenBSD advisory.
>
>From: Chris Wysopal <[log in to unmask]>
>Subject: [VulnWatch] OpenSSH Security Advisory: buffer.adv
>
>
>List: openbsd-misc
>Subject: OpenSSH Security Advisory: buffer.adv
>From: Markus Friedl <markus () openbsd ! org>
>Date: 2003-09-16 12:32:15
>[Download message RAW]
>
>This is the 1st revision of the Advisory.
>
>This document can be found at: http://www.openssh.com/txt/buffer.adv
>
>1. Versions affected:
>
> All versions of OpenSSH's sshd prior to 3.7 contain a buffer
> management error. It is uncertain whether this error is
> potentially exploitable, however, we prefer to see bugs
> fixed proactively.
>
>2. Solution:
>
> Upgrade to OpenSSH 3.7 or apply the following patch.
>
>Appendix:
>
>Index: buffer.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
>retrieving revision 1.16
>retrieving revision 1.17
>diff -u -r1.16 -r1.17
>--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
>+++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17
>@@ -69,6 +69,7 @@
> void *
> buffer_append_space(Buffer *buffer, u_int len)
> {
>+ u_int newlen;
> void *p;
>
> if (len > 0x100000)
>@@ -98,11 +99,13 @@
> goto restart;
> }
> /* Increase the size of the buffer and retry. */
>- buffer->alloc += len + 32768;
>- if (buffer->alloc > 0xa00000)
>+
>+ newlen = buffer->alloc + len + 32768;
>+ if (newlen > 0xa00000)
> fatal("buffer_append_space: alloc %u not supported",
>- buffer->alloc);
>- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
>+ newlen);
>+ buffer->buf = xrealloc(buffer->buf, newlen);
>+ buffer->alloc = newlen;
> goto restart;
> /* NOTREACHED */
> }
>
>
>On Tue, Sep 16, 2003 at 01:59:38PM -0400, Uwe Rossbach wrote:
>
>
>>Does anyone have a confirmation of this slashdot story and Full
>>Disclosure posting. The only thing I noticed is that there is a new
>>openSSH version (3.7) as of 5 am today on the server in Canada. The
>>exploit looks for root access by trying a large number of accounts and
>>connection requests. Leading to denial of service if not successful. Uwe
>>Rossbach
>>
>>
>>
>>"
>>
>>
>> [Full-Disclosure] new ssh exploit?
>>
>>*christopher neitzert * [log in to unmask] <mailto:chris%40neitzert.com>
>>/Mon, 15 Sep 2003 13:48:34 -0400/
>>
>> * Previous message: [Full-Disclosure] new ssh exploit?
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html>
>> * Next message: [Full-Disclosure] new ssh exploit?
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010120.html>
>> * *Messages sorted by:* [ date ]
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/date.html#10116>
>> [ thread ]
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.html#10116>
>> [ subject ]
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/subject.html#10116>
>> [ author ]
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/author.html#10116>
>>
>>
>>------------------------------------------------------------------------
>>
>>--=-sz+BJAPCz1yL37OtGOWm
>>Content-Type: text/plain
>>Content-Transfer-Encoding: quoted-printable
>>
>>More on this;
>>
>>The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
>>running the latest versions of OpenSSH.
>>
>>The attack makes an enormous amount of ssh connections and attempts
>>various offsets until it finds one that works permitting root login.
>>
>>I have received numerous messages from folks requesting anonymity or
>>direct-off-list-reply confirming this exploit;
>>
>>The suggestions I have heard are:
>>
>>Turn off SSH and
>>
>>1. upgrade to lsh.
>>
>>or
>>
>>2. add explicit rules to your edge devices allowing ssh from only-known
>>hosts.
>>
>>or
>>
>>3. put ssh behind a VPN on RFC-1918 space.
>>
>>thanks.
>>
>>
>>
>>
>>On Mon, 2003-09-15 at 12:02, christopher neitzert wrote:
>>
>>
>>>/ Does anyone know of or have source related to a new, and unpublished ssh
>>>
>>>
>>/>/ exploit? An ISP I work with has filtered all SSH connections due to
>>/>/ several root level incidents involving ssh. Any information is
>>/>/ appreciated.
>>/>/=20
>>/>/=20
>>/--=20
>>Christopher Neitzert - GPG Key ID: 7DCC491B
>>
>>--=-sz+BJAPCz1yL37OtGOWm
>>Content-Type: application/pgp-signature; name=signature.asc
>>Content-Description: This is a digitally signed message part
>>
>>-----BEGIN PGP SIGNATURE-----
>>Version: GnuPG v1.2.2 (GNU/Linux)
>>
>>iD8DBQA/ZftxAXFK233MSRsRAuSUAJ9jv5aBH2wVpgv6r4sC4NaA3dnXrACglaxX
>>+fZt/6hiarcw2KVtQq1i0Nk=
>>=MaEF
>>-----END PGP SIGNATURE-----
>>
>>--=-sz+BJAPCz1yL37OtGOWm--
>>
>>
>>
>>------------------------------------------------------------------------
>>
>> * Previous message: [Full-Disclosure] new ssh exploit?
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010103.html>
>> * Next message: [Full-Disclosure] new ssh exploit?
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/010120.html>
>> * *Messages sorted by:* [ date ]
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/date.html#10116>
>> [ thread ]
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.html#10116>
>> [ subject ]
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/subject.html#10116>
>> [ author ]
>> <http://lists.netsys.com/pipermail/full-disclosure/2003-September/author.html#10116>
>>
>>
--
*Gene Willacker*
Systems Analyst
Michigan State University
Food Stores Building
East Lansing, MI 48824
/1-517-353-1691/
