[ILUG] openssh vulnerability

Anders Holm anders.holm at elivefree.net
Tue Jun 25 06:59:27 IST 2002 

Ok, lets see...

What I can get out of this is that Theo and Co. actually has _tried_
resolving this _with_ vendors, but that they are not responding properly to
this vulnerability and apparently does not seem to care to help out.

When a new vulnerability is discovered, one _should_ first talk to the
vendors, as you yourself point out, before going public with an announcement
like this. But apparently he has done so, without any good results.... So,
where does he "dictate security policy"?? I for one happen to like the idea
of getting warned about security holes... Don't you?

Theo also states that PrivSep IS NOT A FIX but at least a workaround UNTIL a
patch can be distributed. So, he is giving people a way of closing a flaw
until it can be fixed. Since when is that bad? Sure, not ideal, but is it
_so_ horrible?

I'd suggest to calm down and let the hormones cool down, and try to realise
what is actually being achieved before going on like this. Especially
flaming someone who not even has been copied on your flames, and probably
knows nothing of it. Would you like to be treated the same way?

Oh, Standard disclaimer applies, anything said in this e-mail is my view and
not the company I work for etc. blah, blah blah.......

Best Regards
Anders Holm


-----Original Message-----
From: ilug-admin at linux.ie [mailto:ilug-admin at linux.ie]On Behalf Of Paul
Jakma
Sent: 25 June 2002 02:56
To: kevin lyda
Cc: Paul Kelly; ilug at linux.ie
Subject: Re: [ILUG] openssh vulnerability


On Tue, 25 Jun 2002, kevin lyda wrote:

> another interpretation is this:
>
> if the openssh team releases a patch today, the crackers will know the
> vulnerability immediately.  if the openssh team releases privsep across
> the ports (which appears to also stop the attack), then the crackers
> are no wiser.
>
> the "vulnerability clock" starts ticking the moment a patch comes out
> that directly addresses the problem.  privsep will protect systems,
> but not directly give away the vulnerability.

the vulnerability clock started ticking as soon as the problem was
introduced in public code!

The problem may have been there for months or longer, some black hats
may have known of it way before ISS / Theo.

it /seems/ theo has chosen to dictate security policy to vendors
rather than work with vendors to have an actual fix ready for the
publish date. Which means that the only way to have a fix installed
on or before Theo's publish date is to install privsep (which has
only been proven on OpenBSD and doesnt yet work nicely with pam,
etc.. apparently).

So it seems there's guaranteed to be a window of opportunity for a
remote ssh exploit on all non-OpenBSD systems.

ah well...

> kevin

regards,
--
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
If you can count your money, you don't have a billion dollars.
		-- J. Paul Getty


--
Irish Linux Users' Group: ilug at linux.ie
http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
List maintainer: listmaster at linux.ie

More information about the ILUG mailing list