UNCONFIRMED: SSH 4.3 0day
»baoz.net/0day-openssh-remote-exploit/
»lists.emergingthreats.net/piperm···872.html
quote: Just to be on the safe side this may not be legit, but then again it may be.
In the links below, OpenSSH 4.3 appears to be being exploited. Previously there were some vulnerabilities in this version in the past but they seemed to be crc d0s's.
Links talking about ssh 0day: »secer.org/hacktools/0day-openssh···oit.html »baoz.net/0day-openssh-remote-exploit/
Right now I would still classify this as a rumor until more information on this comes out or the capabilities of the authors of these sites have been mapped out. I have received one report this morning about ssh vulnerabilities (and 0day) and have had an old old 0day rumor from GCon (2004ish) that was rumored at the con, but never surfaced. (but was boasted about by some very skilled individuals).
If you have ssh open remotely, please monitor your external systems.

I wanted to add I've seen anti-sec before:
»Owned Linux Boxes

SUMware (reply to SirMeowmix_III):
Rumours About OpenSSH in Red Hat Enterprise Linux
From The H, 7 July 2009
quote: A posting on the Web Hosting Talk forum is feeding speculation about a critical security vulnerability in the OpenSSH server in CentOS/Red Hat Enterprise Linux (RHEL). According to the posting, the vulnerability is present in the OpenSSL version 4.3 used in this distribution. Although the version number is already several years old, the Red Hat development team tend to backport patches for older versions, with the result that the software may well still be up-to-date.
It is rumoured, however, that the development team have introduced an error during this backporting process which may now be able to be exploited to gain access to servers. Scattered online reports of successful attacks, such as the recent attacks on ssanz.net and, some weeks ago, on astalavista.com, may also point to the existence of a zero-day exploit for an unknown vulnerability in specific versions of SSH.
In response to an enquiry from heise Security (The H's associate in Germany), Red Hat's Security Response Team declined to confirm the existence of the vulnerability. They did state that they are aware of the rumours and are watching the situation with the aim of collecting more information. Should it prove to be the case that there is an unpatched vulnerability, they will react as quickly as possible.
The H Security and heise Security would be grateful for any further information on this problem from readers.
An error in the translation process led to this story referring to OpenSSL. The H apologises for the error.

Bink (reply to SirMeowmix_III):
Re: UNCONFIRMED: SSH 4.3 0day
If you're running a version of OpenSSH that's that old on the public Internet, you probably deserve to be hacked.

shearer:
You could not be more right.
said by openssh wikipedia:
OpenSSH first appeared in OpenBSD 2.6 and the first portable release was made in October 1999.[3]
Release History:
OpenSSH 5.2: February 23, 2009
OpenSSH 5.1: July 21, 2008
OpenSSH 5.0: April 3, 2008
OpenSSH 4.9: March 30, 2008 (Added chroot support for sshd)
OpenSSH 4.7: September 4, 2007
OpenSSH 4.6: March 9, 2007
OpenSSH 4.5: November 7, 2006
OpenSSH 4.4: September 27, 2006
OpenSSH 4.3: February 1, 2006

Steve (reply to SirMeowmix_III):
I'm going to hold my breath until tomorrow, at which point it won't be a zero-day any longer

reply to Bink
said by Bink: If you're running a version of OpenSSH that's that old on the public Internet, you probably deserve to be hacked.
Or you're running a currently supported version of RHEL/CentOS with back-ported patches...
As you can clearly see, RHEL5/CentOS 5 is still running 4.3: »rhn.redhat.com/errata/RHBA-2009-0209.html
I speculate that based on the timeline of this "0day", previous usage by anti-sec, as well as the article from SUMware that perhaps »rhn.redhat.com/errata/RHBA-2009-0209.html introduced the issue.
Bink, I agree with you to an extent but you have to trust your distribution to address the security issues, else run Gentoo and live on the cutting edge (and bleed accordingly).

Cabal (reply to Bink):
said by Bink: If you're running a version of OpenSSH that's that old on the public Internet, you probably deserve to be hacked.
Way to read the post above you. RHEL's OpenSSH includes backported security and bugfixes.
-- Interested in open source engine management for your Subaru?

Bink:
Clearly it doesn't contain all the fixes if the current version is not vulnerable. At this point you are putting your complete faith in the vendor, and it's probably questionable whether this 3+ year old fork of OpenSSH should still be called OpenSSH.

reply to SirMeowmix_III
Makes sense, I should probably be shaking my fist at Ubuntu 8.04 LTS too, not just RHEL, right?
SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
Trust the distribution maintainers or compile from source.
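
The banner question running through this thread, as an added example that no participant posted: it splits an SSH identification string per RFC 4253 section 4.2 and dates the upstream version against the release history quoted earlier, showing that the banner alone does not establish backported patch level. The bare `SSH-2.0-OpenSSH_4.3` sample, the `assess_banner` helper and the 7 July 2009 reference date are assumptions made for the illustration.

```python
import re
from datetime import date

# Upstream release dates, copied from the release history quoted in the thread.
UPSTREAM_RELEASES = {
    "5.2": date(2009, 2, 23), "5.1": date(2008, 7, 21), "5.0": date(2008, 4, 3),
    "4.9": date(2008, 3, 30), "4.7": date(2007, 9, 4), "4.6": date(2007, 3, 9),
    "4.5": date(2006, 11, 7), "4.4": date(2006, 9, 27), "4.3": date(2006, 2, 1),
}
REFERENCE_DATE = date(2009, 7, 7)  # assumption: date of the quoted news item

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<ver>\d+\.\d+)(?P<portable>p\d+)?")


def assess_banner(banner, today=REFERENCE_DATE):
    """Report what an inventory scan can and cannot learn from one banner."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        raise ValueError("not an SSH identification string: %r" % banner)
    result = {"proto": m.group("proto"), "software": m.group("software"),
              "upstream": None, "upstream_age_days": None,
              "distro_revision": m.group("comments")}
    sw = OPENSSH_RE.match(m.group("software"))
    if sw:
        result["upstream"] = sw.group("ver")
        released = UPSTREAM_RELEASES.get(sw.group("ver"))
        if released is not None:
            result["upstream_age_days"] = (today - released).days
    # The upstream number only says which release the vendor forked from.
    # Backported fixes show up, if at all, in the distro revision comment;
    # without one, only the host's package database can answer.
    result["patch_level_source"] = (
        "banner-comment" if result["distro_revision"] else "host-package-db")
    return result


if __name__ == "__main__":
    samples = [
        "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2",  # banner posted in the thread
        "SSH-2.0-OpenSSH_4.3",                      # constructed: no distro comment
    ]
    for line in samples:
        print(assess_banner(line))
```

Both samples come back with an upstream age of more than a year, yet neither result says anything about which fixes the vendor has applied; that has to be checked against the distribution's errata for the installed package.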

nwrickert:
said by SirMeowmix_III: Trust the distribution maintainers or compile from source.
Yes, that's exactly right.
-- AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.11

pandora (reply to Bink):
said by Bink: If you're running a version of OpenSSH that's that old on the public Internet, you probably deserve to be hacked.
Some of us don't live to micromanage every component all the time. Posts like the one quoted are flip about Linux security problems, seem to not take them seriously and IMO help tarnish the Linux image.
-- "People demand freedom of speech as a compensation for the freedom of thought which they seldom use."

yock:
said by pandora: said by Bink: If you're running a version of OpenSSH that's that old on the public Internet, you probably deserve to be hacked. Some of us don't live to micromanage every component all the time. Posts like the one quoted are flip about Linux security problems, seem to not take them seriously and IMO help tarnish the Linux image.
I don't think you understand. The difference here is that Linux operating systems allow you to micromanage if you must. If you're simply going to trust the packager, then you're no worse off than waiting for Microsoft or Apple to patch vulnerabilities.
Linux gets a bad rap because people don't stop to consider this.
-- Have more fun with your GPS. Geocaching.com

pandora:
said by yock: I don't think you understand.
I don't think YOU understand. This is an example of the weakness of the Linux model. Somewhere someone didn't check out the ramifications of an update, that update has created an unexpected security vulnerability. Instead of admitting that, I see people blaming users.
In the Windows world, we are taught it is dangerous to download content from an untrusted site, as it could contain harmful software. By converse here in the Linux world, we are taught we are to trust downloading dangerous content from trusted sites. Somehow we are told this is an improvement over the Windows model.
The Linux model seems to revolve around downloading any junk from any site and assuming it is all good, because if any of it was bad, someone, somewhere, should have read the source, because you see that is the beauty of open source. If you download something that doesn't work, it's your fault for not reading the source and correcting it. This is the wonderful Linux security model.
At least with the Windows model, we know dangerous software can be downloaded and cause grief. As a result there is a vibrant security community. With Linux, when dangerous updates and upgrades create security vulnerabilities, instead of a means of repair, it seems the status quo is to bad mouth users while at the same time claiming superiority.
I just don't get it. There seem to be many circular stupidities going on with Linux. I'm thinking of writing about my Linux install experience in a post. The problem will be limiting the number of Linux stupidities I write about or else I'll be creating a book.

yock:
Ugh. Okay, here you go.
Windows/OSX: Wait for bug fix
Linux/BSD: Wait for bug fix or patch it yourself
It's really that simple, and it's why many people choose Linux and BSD. People encourage others to patch their own software because Linux and BSD afford you that opportunity.
As for the Windows security community, it's primarily a collection of proprietary software vendors whose products suffer the same problems as Windows. Find a vulnerability and you're at the mercy of the developer. That isn't to say that the community doesn't help, but the community is quite a bit different than the community surrounding Linux and BSD.
As for that Linux and BSD community, it is that community that finds and fixes many of the vulnerabilities you hear about. Rather than monetizing bug fixes with complicated defense software, developers fix the security problem at the source. Sure, this means that the fix typically gets published in generic form before your OS distributor has had a chance to fully test and integrate it within their systems, but it doesn't change the fact that you *do* have access to it.

pandora:
Linux - Download from Tom, Dick or Harry and assume all is well.
Windows - Download from Microsoft and assume all is well.
Gee, which model makes more sense ... let me think.
You have inspired me to start my Linux install thread, who knows it may be entertaining.

reply to pandora
Regressions and bugs are common with the GNU/Linux community, some that are introduced cause security concerns, others do not. This is something intrinsic with software development. Your comparison to the Win32 environment having a vibrant security community is laughable at best, especially from what I have seen first hand, as an IDS/Security guy.
No one is downloading dangerous content from trusted sites, the distribution maintainers need to be implicitly trusted to distribute good code just as Microsoft is implicitly trusted to not release defective-by-design or insecure-by-design software; funny to see them being ravaged by the recent IE ActiveX 0day.
I see no end-lusers being bad mouthed here, what I do see is a simple choice; trust the distribution maintainers to address security errata and have sufficient regression testing or compile from source.
While your book may be a best seller, and I wish you luck with that, I'm curious when the last time you built IIS, Internet Explorer, Media Player, or the other plethora of shovelware from source?
All the issues you've discussed are intrinsic with software development, luckily us GNU/Linux/UNIX users have an ace up our sleeves; compile from source.

reply to pandora
said by pandora: Linux - Download from Tom, Dick or Harry and assume all is well. Windows - Download from Microsoft and assume all is well. Gee, which model makes more sense ... let me think. You have inspired me to start my Linux install thread, who knows it may be entertaining.
If Windows is your panacea why are you here, unless your intent is to create discourse and strife? This thread was a security related issue, not a dais for Windows users to hurl pseudo-truths in an attempt to sway us into emptying our wallets towards Redmond, WA.

Bink (reply to pandora):
I take security quite seriously, and this is why I said what I did. The Internet is a hostile place and threats are constantly evolving. If your vendor chooses to maintain their own branch/a legacy version of the most popular encrypted shell access tool there is, instead of incorporating the current stable version, well, then they reap what they sow, and they are the ones tarnishing the image of Linux, not I.

SUMware (reply to SirMeowmix_III):
Re: pandora
Re: pandora's remarks -
I'm creating a new acronym for such posts/posters - JAMS: Just Another Microsoft Shill, who rarely if ever visits this forum, whose purpose when doing so is to disrupt a valuable thread by attempting to promote MS while attempting to denigrate Linux while simultaneously demonstrating their own personal ignorance for all to see.