[SECURITY] [DSA-134-2] Unknown OpenSSH remote vulnerability

2002-06-25T00:00:00
ID DEBIAN:DSA-134-2:C0DD6
Type debian
Reporter Debian
Modified 2002-06-25T00:00:00

Description


Debian Security Advisory DSA-134-2 security@debian.org http://www.debian.org/security/ Wichert Akkerman June 25, 2002


Package : ssh Problem type : remote exploit Debian-specific: no

This advisory is an update to DSA-134-1: some extra information is provided on broken or changed functionality in this new release and packages for Debian GNU/Linux 2.2/potato are now available.

Theo de Raadt announced that the OpenBSD team is working with ISS on a remote exploit for OpenSSH (a free implementation of the Secure SHell protocol). They are refusing to provide any details on the vulnerability but instead are advising everyone to upgrade to the latest release, version 3.3.

This version was released 4 days ago and introduced a new feature to reduce the effect of exploits in the network handling code called privilege separation. Unfortunately this release has a few known problems:

  • compression does not work on all operating systems since the code relies on specific mmap features

  • the PAM support has not been completed and may break a few PAM modules

  • keyboard interactive authentication does not work with privilege seperation. Most noticable for Debian users this breaks PAM modules which need a PAM conversation function (like the OPIE module).

The new privilege separation support from Niels Provos changes ssh to use a separate non-privileged process to handle most of the work. This means any vulnerability in this part of OpenSSH can never lead to a root compromise but only to access to a separate account restricted to a chroot.

Theo made it very clear this new version does not fix the vulnerability. Instead by using the new privilege separation code it merely reduces the risk since the attacker can only gain access to a special account restricted in a chroot.

Since details of the problem have not been released we were forced to move to the latest release of OpenSSH portable, version 3.3p1.

Please note that we have not had the time to do proper QA on these packages; they might contain bugs or break things unexpectedly. If you notice any such problems (besides the ones mentioned in this advisory) please file a bug-report so we can investigate.

Some notes on possible issues associated with this upgrade:

  • This package introduce a new account called `sshd' that is used in the privilege separation code. If no sshd account exists the package will try to create one. If the account already exists it will be re-used. If you do not want this to happen you will have to fix this manually.

  • (relevant for potato only) This update adds a backport of version 0.9.6 of the SSL library. This means you will have to upgrade tne ssl package as well.

  • (relevant for potato only) This update defaults to using version 2 of the SSH protocol. This can break existing setups where RSA authentication is used. You will either have to add -1 to the ssh invocation to keep using SSH protocol 1 and your existing keys, or create new keys for SSH protocol 2.

  • sshd defaults to enabling privilege seperation, even if you do not explicitly enable it in /etc/ssh/sshd_config .

  • If ssh does not work for you you can try to disable compression. We already included a patch from Solar Designer which fixes the problem with Linux 2.2 kernels, but there might be a few cases where this is not sufficient.

wget url will fetch the file for you dpkg -i file.deb will install the referenced file.

Debian GNU/Linux 2.2 alias potato


Potato was released for alpha, arm, i386, m68k, powerpc and sparc Packages for m68k are not available at this moment.

Source archives:

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
  Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.diff.gz
  Size/MD5 checksum:    37925 718ffc86669ae06b22d77c659400f4e8
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1.dsc
  Size/MD5 checksum:      784 b197de235e0d10f7bb66b4751808a033
http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1.orig.tar.gz
  Size/MD5 checksum:   831189 226fdde5498c56288e777c7a697996e0
http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0potato2.dsc
  Size/MD5 checksum:      871 cdfed0811edea5d6724794dbb40708db
http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0potato2.diff.gz
  Size/MD5 checksum:    33848 37e25d0536a2e9e5c4885d2f42190aa4

Architecture independent packages:

http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.1_all.deb
  Size/MD5 checksum:      976 6b39f5a320b1c8bdbba05e2c8b041b70

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_alpha.deb
  Size/MD5 checksum:   589696 f0263fe6848b8bd09ad07a370ed6310a
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_alpha.deb
  Size/MD5 checksum:   746344 5a06b3db8f6eabf063c3099cb539ffe9
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_alpha.deb
  Size/MD5 checksum:  1548926 377068d478722db72c2fe52f3c23312b
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato2_alpha.deb
  Size/MD5 checksum:   863184 35fd7e643b2b9260ddc6f9fe3ae91c43
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato2_alpha.deb
  Size/MD5 checksum:    32936 3d27fe67e3291e4a70f57dd9df35a84d

arm architecture (ARM)

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_arm.deb
  Size/MD5 checksum:   468106 c1dc499d7a06db8e831906f942d1192e
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_arm.deb
  Size/MD5 checksum:  1348440 7fb0b6f32b6eb2dfc78391a302bd0e02
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_arm.deb
  Size/MD5 checksum:   728932 0a9872153979c364d41208082c80772d
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato2_arm.deb
  Size/MD5 checksum:   661860 ebbde85010cee05edc9f69becb94311a
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato2_arm.deb
  Size/MD5 checksum:    32164 4843d937dfff5c957ad86e954755a704

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_i386.deb
  Size/MD5 checksum:  1290006 362451bafdf4fe2104e54a0336893519
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_i386.deb
  Size/MD5 checksum:   461994 a1c785ce6982b9031410362f124d873a
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_i386.deb
  Size/MD5 checksum:   730338 747306c7e4ef0b767cb2985b74047b05
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato2_i386.deb
  Size/MD5 checksum:    32456 8f55767bd74ea25aae9205e7f8a794d0
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato2_i386.deb
  Size/MD5 checksum:   640020 3647f6184629594f3790a34c39baab24

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_powerpc.deb
  Size/MD5 checksum:   726602 93f47a77404ad9164565aac7ff901e43
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_powerpc.deb
  Size/MD5 checksum:  1384596 ff8ce54bc5fa3e0913ad1f359c36161b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_powerpc.deb
  Size/MD5 checksum:   502776 a09451aa914242e199eb8e5de529ec26
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato2_powerpc.deb
  Size/MD5 checksum:    32156 d8b9f4b31137e7fb05f0f9ec785a3dfc
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato2_powerpc.deb
  Size/MD5 checksum:   680374 270566725880521ad92ed966be21c42e

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.1_sparc.deb
  Size/MD5 checksum:  1338558 812adef25bd5abab26c47451dde84ba8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.1_sparc.deb
  Size/MD5 checksum:   482712 d821248f15cc4e1fa6574e4cdfdf02e0
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.1_sparc.deb
  Size/MD5 checksum:   738056 d27a607775a80eb4aba24d29b35fe6ff
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0potato2_sparc.deb
  Size/MD5 checksum:    35010 da321e8fdf8f9bde1c1ffa859a54c32a
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0potato2_sparc.deb
  Size/MD5 checksum:   687352 a06d6f8008c0c7b641219dbceab230f6

Debian GNU/Linux 3.0 alias woody


Woody will be released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc. Packages for m68k are not available at this moment.

Source archives:

http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0woody1.dsc
  Size/MD5 checksum:      751 2409524dc15e3de36ebfaa702c0311ea
http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1.orig.tar.gz
  Size/MD5 checksum:   831189 226fdde5498c56288e777c7a697996e0
http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0woody1.diff.gz
  Size/MD5 checksum:    33009 4850f4a167cb515cc20301288e751e27

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_alpha.deb
  Size/MD5 checksum:   844556 7ef1518babcb185b5ef61fde2bd881c5
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_alpha.deb
  Size/MD5 checksum:    33422 ba9145a70719500ba56940e79e2cba02

arm architecture (Arm)

http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_arm.deb
  Size/MD5 checksum:   653454 4b6553ed08622525c6f22e7dc488f7c6
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_arm.deb
  Size/MD5 checksum:    32636 902f862c07059cdccb2ece3147f66282

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_hppa.deb
  Size/MD5 checksum:    33008 cdc5abf35a41df56be4780e251d203e8
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_hppa.deb
  Size/MD5 checksum:   750862 d66d8707a30787b9995f9716fdd97811

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_i386.deb
  Size/MD5 checksum:   637940 c3743ca590e7efd74cb97d5be98456be
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_i386.deb
  Size/MD5 checksum:    32928 d8a53753324406f2d9a386451e02e40d

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_ia64.deb
  Size/MD5 checksum:    34374 a7f36c83b84a5d4ade7a8ee992ca92da
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_ia64.deb
  Size/MD5 checksum:   998018 ff8346cfbcba7e156f825de86c440455

mips architecture (SGI MIPS)

http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_mips.deb
  Size/MD5 checksum:    32926 afc0d38e2c49eb7ef8de86a935509af3
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_mips.deb
  Size/MD5 checksum:   725414 22b6bc8d5fcfa09ba9391ed98ccf0851

mipsel architecture (SGI MIPS (Little Endian))

http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_mipsel.deb
  Size/MD5 checksum:    32894 71bc788f883eb7caf3262fe8b685dfd3
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_mipsel.deb
  Size/MD5 checksum:   722364 2ee3bfe9bdaa28b41dd6aaa6407e2fc6

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_powerpc.deb
  Size/MD5 checksum:    32658 7f7fa405891087d0da0c54e0fd516d02
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_powerpc.deb
  Size/MD5 checksum:   676954 4471019ed9c792bbaf6422394d7bb77c

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_s390.deb
  Size/MD5 checksum:    33274 81ff83437d47fba8c62351e249e70a2d
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_s390.deb
  Size/MD5 checksum:   666304 05666b9eb24bfb76bcd3c194912da912

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_sparc.deb
  Size/MD5 checksum:    32720 8f03b2b054e9fcf47ad826802e1a0192
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_sparc.deb
  Size/MD5 checksum:   681598 2d1413a153f3e51fafaaee9a8ad4682b


apt-get: deb http://security.debian.org/ stable/updates main dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org