North American Network Operators Group

Re: [rootshell] Security Bulletin #25
I just got this. MHSC is also on the SSH mailer-list. It looks as if ALL accusations of SSH being exploitable are thinly founded at best.

>Date: Mon, 2 Nov 1998 11:45:53 +0200 (EET)
>From: Tatu Ylonen <[email protected]>
>To: [email protected], [email protected]
>Subject: Important information about IBM-ERS's "ssh" advisory (fwd)
>Message-ID: <[email protected]>
>MIME-Version: 1.0
>Content-Type: TEXT/PLAIN; charset=US-ASCII
>Sender: [email protected]
>Precedence: bulk
>X-UIDL: a3533f8bef2d09b2dd5c56b653ba57e1
>
>Please find enclosed a copy of a message from the IBM Emergency response
>team.
>
>    Tatu
>
>SSH Communications Security      http://www.ssh.fi/
>SSH IPSEC Toolkit                http://www.ipsec.com/
>Free Unix SSH                    http://www.ssh.fi/sshprotocols2/
>
>---------- Forwarded message ----------
>Date: Mon, 02 Nov 1998 04:15:28 EST
>From: David A. Curry <[email protected]>
>To: [email protected], [email protected], [email protected],
>    [email protected]
>Subject: Important information about IBM-ERS's "ssh" advisory
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>On Friday, Oct. 30th, IBM-ERS sent out a draft advisory to be released on
>Monday, Nov. 2nd that described a buffer overflow condition in Version
>1.2.x "sshd." This draft was sent to the Forum of Incident Response and
>Security Teams, and also to the "ssh-bugs" list for their comment/review.
>The draft was identified as ERS-SVA-E01-1998:005.1.
>
>Rootshell has unfortunately chosen to include a copy of this draft advisory
>in their recent newsletter, apparently for the purposes of defending itself
>against charges that it was unfairly disparaging "sshd." Use of IBM-ERS's
>draft advisory in this manner was not approved or authorized by IBM-ERS,
>and does a disservice to all.
>
>Here are the facts about this advisory:
>
>1. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was never issued publicly by
>   IBM.
>
>2. In response to a telephone query from Kit Knox of Rootshell, IBM-ERS
>   attempted to contact Kit on Friday evening, and was unable to reach
>   him. Specific contact information for IBM-ERS, as well as a brief
>   status update, were left on Mr. Knox's voice mail. Mr. Knox never
>   contacted IBM-ERS after that time.
>
>3. IBM has been working closely with Tatu Ylonen, author of "ssh," to make
>   sure that the potential vulnerability described in the advisory is not
>   exploitable. Upon further investigation, the problem originally
>   described appears to have been influenced by outside factors and does
>   not appear to be an exploitable problem in "sshd."
>
>4. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was CANCELLED on the morning
>   of Sunday, Nov. 1st, *before* Mr. Knox issued his newsletter.
>
>5. At this time, IBM-ERS has NO KNOWLEDGE of any security vulnerabilities,
>   exploitable or otherwise, in the "sshd" program.
>
>We hope that this clarifies IBM's involvement in this situation.
>
>- ---------------------------------------------------------------------------
>
>The information in this document is provided as a service to customers of
>the IBM Emergency Response Service. Neither International Business Machines
>Corporation, nor any of its employees, makes any warranty, express or implied,
>or assumes any legal liability or responsibility for the accuracy,
>completeness, or usefulness of any information, apparatus, product, or process
>contained herein, or represents that its use would not infringe any privately
>owned rights. Reference herein to any specific commercial products, process,
>or service by trade name, trademark, manufacturer, or otherwise, does not
>necessarily constitute or imply its endorsement, recommendation or favoring
>by IBM or its subsidiaries. The views and opinions of authors expressed
>herein do not necessarily state or reflect those of IBM or its subsidiaries,
>and may not be used for advertising or product endorsement purposes.
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.7.1
>-----END PGP SIGNATURE-----

and then found this.

>To: [email protected]
>CC: [email protected]
>Subject: Re: ssh 1.2.26 and root compromise
>References: <[email protected]>, <[email protected]> <4n7%[email protected]>
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>Sender: [email protected]
>Precedence: bulk
>X-UIDL: 82af265d49d9ab5f1da6706787093894
>
>Karl J. Runge wrote:
>
>> Maybe. I see about 125 calls to log_msg() in the ssh 1.2.x source code.
>> Does anyone see one (or more?) calls that might be passing unprotected
>> strings? I assume the unlimited %s are the place to start...
>> [info: IBM's announcement points us to log_msg() as the source
>> of the buffer overrun, but does not say which one. See rootshell
>> statement which has the IBM announcement]
>>
>> I doubt the logging of "log_msg" has to do with the use of the word
>> "log", but the IBM announcement is dated 10/30 ... (I just saw it today
>> for the first time).
>
>The IBM advisory was cancelled within 24 hours. The apparent buffer
>overflow IBM found was not reproducible on any other systems, and
>apparently was due to some local problem with the Linux installation on
>one particular machine. See
>
>http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:005.1.txt,
>
>http://www.ssh/fi/sshprotocols2/rootshell.html and
>
>http://www.rootshell.com/
>
>Personally, I am very disappointed with rootshell's unprofessional
>handling of that incident. Their continuing stubborn insistence - in
>spite of all contrary evidence - that something other than their
>security policy must be at fault fatally resembles the worst examples
>I've ever seen in corporate IT security.
>
>Sevo
>
>
>--
>Sevo Stille
>[email protected]

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: [email protected]
Internet phone: hawk.mhsc.com
Personal web pages: www.mhsc.com/~rmeyer
Company web-site: www.mhsc.com/
___________________________________________
I bet the human brain is a kludge. -- Marvin Minsky