Koozali.org: home of the SME Server

SME and vulnerabilities

David Gernez

SME and vulnerabilities
« on: June 26, 2002, 07:26:34 PM »
Hi everyone,

I was wondering if a new patch was on the way, because a lot of vulnerabilities have been discovered recently in apache/ssh/etc., and they seem to be high-risk vulnerabilities.

http://www.debian.org/security/2002/dsa-134
http://www.debian.org/security/2002/dsa-133
http://www.debian.org/security/2002/dsa-132
http://www.debian.org/security/2002/dsa-131

Thanks.

David.

robert

Re: SME and vulnerabilities
« Reply #1 on: June 26, 2002, 08:46:31 PM »
The OpenSSH team finally divulged the vulnerability in openssh 2.9.9 thru 3.3.1 today and it is not exploitable in SME as long as you leave the default setting of "ChallengeResponseAuthentication" set to "no" in sshd_config.
I hope we'll see apache updates soon.

Graham Harris

Re: SME and vulnerabilities
« Reply #2 on: June 27, 2002, 08:24:39 AM »
Robert,

Are you sure about this?  I need a bit of comfort.  :)

I woke up this morning to a server that would not accept the root password.  For the record, I do know my password; it was the same as admin, and I could log in as admin but not root.  The only conclusion I could come to is that my box had been exploited by the SSH vulnerability and that the exploiter had reset the root password but not admin.

I've changed hard disks and installed SME5.5b9 this morning and I'm looking forward to having the time to fiddle with the old system and investigate further.

There is a remote possibility I was a victim of a "man in the middle" attack because yesterday I did ssh into my box from a new remote site.  Pretty unlikely, but possible.

Graham
robert wrote:
>
> The OpenSSH team finally divulged the vulnerability in
> openssh 2.9.9 thru 3.3.1 today and it is not exploitable in
> SME as long as you leave the default setting of
> "ChallengeResponseAuthentication" set to "no" in sshd_config.
> I hope we'll see apache updates soon.

robert

Re: SME and vulnerabilities
« Reply #3 on: June 27, 2002, 01:00:54 PM »
Well, this is what it says in the OpenSSH security advisory (http://lwn.net/Articles/3531/):

1. Versions affected:

        All versions of OpenSSH's sshd between 2.9.9 and 3.3
        contain an input validation error that can result in
        an integer overflow and privilege escalation.

        OpenSSH 3.4 and later are not affected.

        OpenSSH 3.2 and later prevent privilege escalation
        if UsePrivilegeSeparation is enabled in sshd_config.
        OpenSSH 3.3 enables UsePrivilegeSeparation by
        default.

        Although OpenSSH 2.9 and earlier are not affected
        upgrading to OpenSSH 3.4 is recommended, because
        OpenSSH 3.4 adds checks for a class of potential bugs.

2. Impact:

        This bug can be exploited remotely if
        ChallengeResponseAuthentication is enabled in sshd_config.

        Affected are at least systems supporting
        s/key over SSH protocol version 2 (OpenBSD, FreeBSD
        and NetBSD as well as other systems supporting
        s/key with SSH).  Exploitability of systems
        using PAM in combination has not been verified.

3. Short-Term Solution:
   
        Disable ChallengeResponseAuthentication in sshd_config.

   or

        Enable UsePrivilegeSeparation in sshd_config.


Since ChallengeResponseAuthentication is disabled by default in SME, it would seem that SME is not susceptible to this particular vulnerability at least. Also, I'm not sure how to read "between 2.9.9 and 3.3", if that includes 2.9.9 or not. In other words, 2.9.9 may not be susceptible to this vulnerability even with ChallengeResponseAuthentication enabled. However, 2.9.9 _is_ vulnerable to other known exploits, although I am told they are not trivial to exploit.
If you believe your system has been compromised, you might want to take this up with security@e-smith.com.
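As an added example (not from this thread or from SME Server), here is a small Python checker that applies the advisory's rules quoted above to an sshd_config: it reads the effective ChallengeResponseAuthentication and UsePrivilegeSeparation values the way sshd does (first occurrence of a keyword wins, comments stripped) and reports whether the quoted mitigations are in place for a given OpenSSH version. It assumes the sample config shown is constructed, that the "between 2.9.9 and 3.3" range includes 2.9.9 (the conservative reading of the ambiguity Robert raises), and that SME's shipped default for ChallengeResponseAuthentication is "no" as stated in the thread.

```python
import re

# Constructed sample sshd_config; not copied from any real SME Server install.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2,1
# SME default: keep this at 'no'
ChallengeResponseAuthentication no
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes   # sshd ignores this later duplicate
"""


def parse_sshd_config(text):
    """Return {keyword: value} with keywords and values lowercased.
    sshd honours the FIRST occurrence of a keyword, so later duplicates are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings


def version_tuple(version):
    return tuple(int(p) for p in version.split("."))


def assess(version, config_text, sme_defaults=True):
    """Apply the advisory's rules. Returns (status, reason).
    Affected range: 2.9.9..3.3 inclusive (assumption: 2.9.9 counted as affected).
    Remote exploitation needs ChallengeResponseAuthentication enabled; from 3.2,
    UsePrivilegeSeparation prevents the privilege escalation; 3.4+ is not affected."""
    ver = version_tuple(version)
    if ver < (2, 9, 9) or ver >= (3, 4):
        return "not affected", "version outside 2.9.9-3.3"
    cfg = parse_sshd_config(config_text)
    # Upstream default is 'yes'; the thread states SME ships with it set to 'no'.
    cra = cfg.get("challengeresponseauthentication", "no" if sme_defaults else "yes")
    # Advisory: UsePrivilegeSeparation is enabled by default from 3.3.
    privsep = cfg.get("useprivilegeseparation", "yes" if ver >= (3, 3) else "no")
    if cra == "no":
        return "mitigated", "ChallengeResponseAuthentication is disabled"
    if ver >= (3, 2) and privsep == "yes":
        return "mitigated", "UsePrivilegeSeparation prevents privilege escalation"
    return "vulnerable", "ChallengeResponseAuthentication enabled without privilege separation"


if __name__ == "__main__":
    print(assess("3.1", SAMPLE_SSHD_CONFIG))
```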