Koozali.org: home of the SME Server

new SSH exploit

James Payne

new SSH exploit
« on: September 16, 2003, 08:59:26 PM »
Any word on when a patch for the latest SSH exploit will be made available? How safe would it be to go about installing the new version, i.e., is it likely to break anything if I do?

Info here: http://unthought.net/ssh-vuln.html

Dan Brown

Re: new SSH exploit
« Reply #1 on: September 16, 2003, 09:02:54 PM »
As always, any security-related issues or questions should go to smesecurity@mitel.com.

Paul F

Re: new SSH exploit
« Reply #2 on: September 17, 2003, 01:28:10 AM »
Slightly off topic but do you know if the security guys RESPOND to e-mail? The reason I ask is that I am concerned with a vulnerability but would like to verify whether or not SME is indeed vulnerable without having to wait months to find out.

Thanks!

Dan Brown

Re: new SSH exploit
« Reply #3 on: September 17, 2003, 01:32:43 AM »
In my experience, yes, they do respond, and fairly quickly.

Johan

Re: new SSH exploit
« Reply #4 on: September 18, 2003, 02:32:16 AM »
Got any answer from Mitel?

James Payne

Re: new SSH exploit
« Reply #5 on: September 18, 2003, 02:38:42 AM »
Johan - nope, but a few other threads have popped up here discussing it - do a search for "SSH" to find them.

I'll post when I get a response...

(I still don't understand the "don't post security issues to the forum" thing. If anyone has a good explanation for it, please post).

cp

Re: new SSH exploit
« Reply #6 on: September 18, 2003, 03:29:51 AM »
I got a response that said they were aware of the problem and wouldn't give an ETA on a fix.

Jens Kruuse

Re: new SSH exploit
« Reply #7 on: September 19, 2003, 01:44:30 PM »
James,

There are several reasons why posting security issues to the forum is discouraged (off the top of my head, in no particular order):

1) Malicious individuals are informed of potentially exploitable holes. In addition, lots of us here run SME and thus a cracker could get valid and vulnerable hosts just by checking for domains in the forum. Vulnerability + host = ouch!

2) Mitel has less time to fix holes before exploits are coded. It is common courtesy to give a software vendor a bit of time (e.g. 2 or 4 weeks) to analyse the hole and create a fix. Thus they can announce the fix at the same time as the hole, giving the users a chance to patch their systems before the exploit/worm is created.

3) False security-related messages cause FUD (Fear, Uncertainty, Doubt). Some users may panic when they read about holes and question the quality and security of the product without understanding the issues. This is relevant even if the issue is actually valid! Quite possibly (even probably) the issue is relevant for all sorts of GNU/Linux distributions and not unique for e-smith. There have also been cases where an issue affected RedHat 7.3 (e-smith's "mother" distro) but not the more security-conscious fork we use.

4) Warnings about hacker attacks etc. (real or imagined) are bad PR for Mitel and e-smith. This may not be seen as a problem for users of the developer edition, but consider this: No SME Server income for Mitel => no e-smith developer edition.

Cheers,
Jens

James Payne

Re: new SSH exploit
« Reply #8 on: September 19, 2003, 01:53:01 PM »
Jens,
Okay, thanks for the detailed response.

Only problems:

1. Malicious individuals have better places to look than the e-smith forums for potential holes.

2. Like 1, details of this problem in particular were already posted to bugtraq, securityresponse, the openssh site itself, slashdot and a host of other sites. Anyone who wanted to know about such things would already do so.

3. Is fair enough, but I'd personally prefer to know about such things, than to imagine that everything is fine until an official patch is released.

4. I think you just hit the nail on the head. While I might not like the policy towards security notifications, I like having access to the e-smith developer release...

Cheers,
James.