[ale] OpenSSH root vulnerability

Transam transam at cavu.com
Thu Mar 7 18:15:44 EST 2002


Recent versions of OpenSSH -- including the newest -- have a just-reported
vulnerability that allows local users to make themselves root.  If one uses
OpenSSH to connect into a malevolent or compromised SSH server then root
access to the client system can be gained as well.  The possibility of
a remote root vulnerability on any OpenSSH server system has not been
ruled out.

If you are not sure what version of SSH you are using and you are running
on the server side, just do

     telnet yourself.com 22

If you see

     SSH-1.99-OpenSSH_2.9p2

or anything similar that includes "OpenSSH" then you are in danger.

On the client side you can do

     ssh -V

Either of these techniques is also supported for the non-Open version.

Consider using /etc/hosts.allow or IP Chains or IP Tables to limit
access to your SSH server to trusted systems or simply turn off the
server if not needed.  Frankly, the Open version of SSH has suffered
a lot of serious security vulnerabilities in the past 18 months or so
and I must recommend against it in favor of the commercial version at
http://www.ssh.com.  Note that this latter version is free on Linux and
they were the people who created SSH.  They also have a nifty GUI-based
Windows and Mac client that I am told is rather nice and only USD 99.

This problem has been patched in OpenSSH 3.1, which has been released
today (March 7, 2002).  It appears that neither Red Hat nor Slackware
has yet integrated this patch into their trees.


* Flaw weakens Linux security software
March 1st, 2002

Programmers have found a vulnerability in Linux that could allow
protective firewall software to grant malicious computer users access to
protected networks. The flaw, which affects versions 2.4.14 through
2.4.18-pre9 of the Linux kernel, is in a component of the Netfilter
firewall software.

http://www.linuxsecurity.com/articles/firewalls_article-4527.html


A Datamation Magazine survey of IT execs & SysAdmins picks the best 
software and hardware.  This mag is not specific to any platform or 
hardware.  The best product of 2001 was RH 7.2 as a Desktop.  No
Microsoft product even made the list.  Point this out to your higher
ups and associates:

http://Security.ITtoolbox.com/browse.asp?c=SecurityNews&r=/news/dispnews.asp?i=65198


Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com                           [Please use for email to me]
http://www.cavu.com                    [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com/ [My 5* book:"Real World Linux Security"]
http://www.cavu.com/sunset.html        [Sunset Computer]

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
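
The version check described in the message above, as an added example that is not part of the original post: it reads the identification line a server sends on port 22 (or the output of ssh -V) and screens it against the 3.1 release the post names as patched. The function names, result labels and all sample strings except the post's own SSH-1.99-OpenSSH_2.9p2 are assumptions constructed for illustration.

```python
import re
import socket

FIXED = (3, 1, 0)  # "patched in OpenSSH 3.1", per the post above
_OPENSSH = re.compile(r"OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?")

def openssh_version(text):
    """(major, minor, patch) from a server banner or `ssh -V` line; None if not OpenSSH."""
    m = _OPENSSH.search(text)
    if m is None:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def assess(text):
    """Screen one identification string against the fixed release."""
    ver = openssh_version(text)
    if ver is None:
        return "not-openssh"
    # A vendor may backport a fix without changing this string, so treat
    # the result as a screening signal and confirm with the package changelog.
    return "needs-upgrade" if ver < FIXED else "fixed-release"

def read_banner(host, port=22, timeout=5.0):
    """Read the identification line that `telnet host 22` would display."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while b"\n" not in data and len(data) < 255:
            chunk = s.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.split(b"\n", 1)[0].decode("ascii", "replace").strip()

SAMPLES = [
    "SSH-1.99-OpenSSH_2.9p2",              # banner quoted in the post
    "SSH-2.0-OpenSSH_3.0.2p1",             # constructed
    "SSH-2.0-OpenSSH_3.1p1",               # constructed
    "OpenSSH_2.9p2, SSH protocols 1.5/2.0", # constructed, `ssh -V` style
    "SSH-2.0-3.1.0 SSH Secure Shell",      # constructed, non-OpenSSH server
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{assess(line):14} {line}")
```

To check your own server, pass assess(read_banner("yourself.com")) the hostname you would have given to telnet.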





