North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: new openssh issue

  • From: Ingevaldson, Dan (ISS Atlanta)
  • Date: Tue Sep 16 16:45:30 2003

As promised, our advisory:

http://xforce.iss.net/xforce/alerts/id/144

Regards,
===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
[email protected] 
404-236-3160
 
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net 
===============================


-----Original Message-----
From: Ingevaldson, Dan (ISS Atlanta) 
Sent: Tuesday, September 16, 2003 4:01 PM
To: [email protected]; Richard A Steenbergen
Cc: William Allen Simpson; [email protected]
Subject: RE: new openssh issue 



ISS X-Force discovered this vulnerability and our advisory will be
released shortly.  We were working to determine the full scope of the
vulnerability before we notified the vendor.  Unfortunately, someone
else found the flaw and began to cause discuss it using specifics.  That
caused us to push forward our disclosure.  Typically, when we do X-Force
Advisories, we have developed an in-house, functional exploit (not proof
of concept) in order to verify the exact nature and scope of the issue.
We have not done so in this case.  Right now it is undetermined if the
issue is exploitable on *any* platform.  It may turn out that it may be
exploitable on every platform.

This issue is serious enough that it should be addressed on all
platforms as quickly as possible.  I'll forward our Advisory to the list
when it is public.

Regards,
===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
[email protected] 
404-236-3160
 
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net 
===============================


-----Original Message-----
From: [email protected] [mailto:[email protected]] 
Sent: Tuesday, September 16, 2003 3:50 PM
To: Richard A Steenbergen
Cc: William Allen Simpson; [email protected]
Subject: Re: new openssh issue 


On Tue, 16 Sep 2003 15:33:03 EDT, Richard A Steenbergen said:

> > patched, but does anybody know whether there's a problem with the 
> > criscos?  (as in "how do I configure my router for that?" ;-)
> 
> Or better yet, the OpenSSH running on Junipers? Nothing on Juniper's
> site
> about a vulnerability so far.

A posting to full-disclosure quotes Theo as saying HP and Cisco are
affected, and I don't see any reason that Juniper would *NOT* be, given
the common code base of the OpenSSH implementations.  I'm not going to
say the routers are vulnerable, but I *would* say that ACLs blocking
port 22 to the router might be a good idea.....