×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Security Hole in SSH1 with RSAREF

jamie posted more than 14 years ago | from the don't-panic dept.

News 160

Read the CERT Advisory carefully, because it's a bit complex. A buffer overrun in the RSAREF2 library, a common implementation of a common crypto algorithm, combines with a buffer overrun in version 1 of sshd to allow unauthorized execution of arbitrary code. PGP is not affected. SSH2 is not affected. All versions of the free SSH1 are affected, but only "when --with-rsaref is explicitly supplied on the command line." (On my system, "ssh&nbsp-V" tells me whether I compiled in RSAREF, presumably the same for both client and server.)

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

160 comments

Re:How is this obnoxious comment informative? (1)

ghoti (60903) | more than 14 years ago | (#1465830)

The question I replied to would not have arisen if the original poster had read the advisory before posting. So I don't understand what's wrong with telling him to do just that.

A healthy dose of conspiracy for the day (2)

Zigg (64962) | more than 14 years ago | (#1465831)

Someone on BUGTRAQ floated that the RSAREF buffer overflow might be used in an AIM-style ``detection'' fashion. (Remember the AIM buffer overflow that was used to see if the client on the other end was a ``genuine'' AIM client or not?)

As most know, if you're in the US, RSAREF is the be-all and end-all of what you can use -- and only then, noncommercially. If you want to use RSA without RSAREF, you have to buy software from someone who pays RSA licensing fees. (On a side note, it's probably worthless to see if you can get a personal license from RSA to use OpenSSL or some other toolkit, even if you have money. I floated this question on the OpenBSD list, since OpenBSD includes OpenSSL, and it seems it's been tried -- and RSA ignored the request.)

In any event, RSA could theoretically use the RSAREF vulnerability to scan US hosts for compliance with the RSAREF mandate. If the buffer overflow was there, and they were a commercial entity, the red alert klaxon would sound and the lawyers would be summoned. Not a pretty picture.

The way to combat a potential scenario like this would be to get the news out as fast as possible that you can patch RSAREF (RSA graciously allowed us in the CERT advisory to patch it, gee how nice of them) and should ASAP.

Re:just compile without RSAREF (2)

Zigg (64962) | more than 14 years ago | (#1465832)

If you get hacked because of this bug, please write a nice "thank you" letter to the U.S. Patent Office.

And to RSA as well. It's amazing to me that in the CERT advisory, they grant permission to have this fix be made, but don't grant permission for any further fixes to be made, should they become necessary. I can see if, in their original onerous license, they might not have added that clause just because they weren't thinking about it. But come on, RSA! Wake up!

I think RSA believes their patent enforced monopoly entitles them to write sloppy, slow, poor quality code.

My personal feeling is that they put out the code ``for the benefit of academia'', to train a horde of students to bow down at the RSA throne -- and then when those students get out in the Real World(TM), they love RSA the algorithm, but need to shell out big bucks to use a better RSA implementation because -REF just plain sucks. It would not surprise me if this were intentional.

RSA gives consent to patch (We shouldn't need it) (1)

rise (101383) | more than 14 years ago | (#1465843)

"Under the terms of the RSAREF license, changes to the RSAREF code other than porting or performance improvement require written consent. RSA Security hereby gives its consent to implement a patch to RSAREF to address this advisory."

Given that they're an IP-happy organization with a long history of iffy code I'm glad to see that they're doing the obvious thing and giving others permission to fix the problem. Of course if they weren't requiring use of their code for "their" algorithms this wouldn't be an issue.

Re:Not ssh, RSAREF (1)

chrisv (12054) | more than 14 years ago | (#1465844)

Actually, if I'm not mistaken, RSAREF is open source, in the case that the RSAREF license allows you to patch the library to make it run faster. If it's closed-source, you wouldn't be able to do so, and there would be no point in having such a clause in the license for it.

Slightly Old News? (1)

Cardinal (311) | more than 14 years ago | (#1465845)

It's interesting that the CERT advisory was dated yesterday.. I saw a notice a couple weeks ago here [securityfocus.com] , unless this is another RSAREF2 issue. If it is the same, I'm curious what the delay was for, does CERT do its own research/checking on matters before releasing advisories, or did it simply take awhile for word to spread?

Re:How is this obnoxious comment informative? (1)

mochaone (59034) | more than 14 years ago | (#1465846)

What are you, some kind of empath? You can tell from where you sit that the guy was snapping at the other poster? When I look at it I see that guy is trying to be helpful by pointing him to the link that has the answer to the guy's question.

It's uptight people like you who make me sick. Someone should moderate you down.

I fully understand that I will be moderated down too.


Is this fixed already? (4)

rangek (16645) | more than 14 years ago | (#1465847)

Okay, I have heard about this RSA/ssh buffer overrun thing for a few weeks now. So I do

[rangek@pinot-noir rangek]$ ssh -V
SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
Compiled with RSAREF.

But then I do

[rangek@pinot-noir rangek]$ rpm -q --queryformat '%{CHANGELOGTEXT}"\n"' ssh
- RSAref buffer overrun patch (rsa.c) as described in Core SDI advisory
from December 1, 1999. Thanks to Oystein Viggen for sending me this patch."

So is this the fix for the advisory in the story or is this another new problem that this package is vulnerable to?

Re:Interesting point. (1)

SuperguyA1 (90398) | more than 14 years ago | (#1465849)

Happily undiscovered by whom? If the wrong person happened to stumble across the bug and didn't say anything they could cause all sorts of havoc.

www.zedz.net RPMS already updated (3)

bholzm1 (26184) | more than 14 years ago | (#1465850)

For you lazy bastards who install ssh RPMS, ssh-1.2.27-7us on www.zedz.net already has been fixed.

From the ChangeLog:

* Mon Dec 06 1999 Jan "Yenya" Kasprzak

- RSAref buffer overrun patch (rsa.c) as described in Core SDI advisory from December 1, 1999. Thanks to Oystein Viggen for sending me this patch.

Default US SRPMS install uses RSAREF (2)

Wee (17189) | more than 14 years ago | (#1465851)

I just installed SSH1 v1.2.27 last night on a new machine. I got lazy and installed via a SRPM, and didn't do anything more than 'rpm --rebuild ./ssh-1_2_27-5us_src.rpm'. It's uses RSAREF. Bummer.

-B

The Key Point is... (2)

Tower (37395) | more than 14 years ago | (#1465855)

SSH 2 is not affected... though it certainly had its share of problems earlier, but it *seems* as if most of those have beentaken care of.

Not to mention that you have to specifically enable this particualar library - which I doubt most people would have, given the other choices of ciphers (correct me if I'm wrong, but *I* saw no reason to)... then again, IANACG (Crypto Guru)

Interesting point. (1)

SuperguyA1 (90398) | more than 14 years ago | (#1465859)

Anyone who ever asks you why open source software has an advantage point them to this story. I'm willing to bet if only the binaries for the ssh protocol were sent this still would not be a known problem. Thanks to whomever took the time to find this security hole!

score 5 unbelievable (0)

Anonymous Coward | more than 14 years ago | (#1465861)

Beat the scripts and script kiddies

Affected Items (3)

Tower (37395) | more than 14 years ago | (#1465863)

These are the possibly affected items in the BSD family:
p5-Penguin, p5-Penguin-Easy, jp-pgp, ja-w3m-ssl, ko-pgp, pgpsendmail, pine4-ssl, premail, ParMetis, SSLtelnet, mpich, pipsecd, tund, nntpcache, p5-Gateway, p5-News-Article, ru-pgp, bjorb, keynote, OpenSSH, openssl, p5-PGP, p5-PGP-Sign, pgp, slush, ssh, sslproxy, stunnel, apache+mod_ssl, apache+ssl, lynx-ssl, w3m-ssl, zope

Re:OpenSSH? (1)

storem (117912) | more than 14 years ago | (#1465865)

Every implementation which is based upon RSAREF1. It's a problem in the source (free available btw)

Re:The Key Point is... (1)

KrAphtd1nN3r (33859) | more than 14 years ago | (#1465869)

It's kinda hard to audit code that's not released...(i.e. RSAREF)



"If you're going to make claims back them up or get out of my fucking face."




I suggest you do the same. You don't have very convincing arguments about OpenBSD source auditing being an "urban legend". And it is still considered the most secure OS around.

Re:Interesting point. (2)

Zigg (64962) | more than 14 years ago | (#1465870)

This is a classic example of ``security by obscurity'', and it's what Microsoft relies on. I would say that the problem would have been found eventually. If you follow BUGTRAQ at all you'll notice that there are people finding buffer overflows in code they don't have the source to simply by throwing shellcode into fields that look like they have a fixed length. If it makes it crash, they've found a potential exploit. (Note to security gurus: yes, I know this is terribly simplistic; but it makes my point.)

And Microsoft is not affected. (0)

Anonymous Coward | more than 14 years ago | (#1465871)

Microsoft The Microsoft Security Response Team has investigated this issue, and no Microsoft products are affected by the vulnerability

This doesn't only affect ssh (1)

btellier (126120) | more than 14 years ago | (#1465873)

ssh isn't the only application that uses RSAREF. This is NOT a problem with the sshd source, it is a problem with the RSAREF source! From the OpenSSH advisory: - openssh: Even though the OpenSSH code checks all input parameters carefully, internal RSAREF functions can still overflow. Users within the USA should update their shared ssl library. - isakmpd: When used with x509 certificates and rsa signature mode, the signature functions in RSAREF might overflow. - httpd: When SSL support is enabled in /etc/rc.conf using -DSSL, and when using RSA keys, the signature functions in RSAREF might overflow. -Brock Tellier

Re:just compile without RSAREF (1)

chrisv (12054) | more than 14 years ago | (#1465874)

Ehh, some of us in the US don't touch RSAREF with a 10 foot long pole.. or even a 100 foot long pole for that matter.

Debian Version of SSH (1)

srhea (22301) | more than 14 years ago | (#1465875)

For what it's worth, I'm using the Debian version of ssh, installed from ssh 1.2.26-1.2 out of stable, and ssh -V reports:

SSH Version 1.2.26 [i586-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.

So all of you with a stock Debian slink install should be okay. Does anyone know about the ssh version in potato (unstable)?

Sean

Re:OpenSSH? (1)

Col. Panic (90528) | more than 14 years ago | (#1465876)

Here:

FUNCTIONALITY ADDITION: Nov 11, 1999 Various OpenSSH improvements have been made since the 2.6 release shipped. To resolve the various (non-security related) features which users may want, we are making a jumbo patch available. This is now at VERSION THREE. Revision 3 of this jumbo source code patch exists. NOTE: /etc/sshd_config and /etc/ssh_config may need changes.

Re:The Key Point is... (0)

Anonymous Coward | more than 14 years ago | (#1465877)

"Check the facts, you stupid moron."

If only I could respond to posts as eloquently as you.
Let me be the first to congratulate you on improving the quality of Slashdot posts.

Re:Affected Items (1)

QuMa (19440) | more than 14 years ago | (#1465888)

Ehm I think certainly the vanilla pgp is safe, and probably all the other pgps to... See the statement that is linked in the story.

How does one test the server (0)

Anonymous Coward | more than 14 years ago | (#1465889)

I installed ssh from RPM files. ssh -V tells me the client does not use RSAREF. The advisory does not say how to test the server.

These lines are in my /etc/ssh/sshd_config file:
RhostsRSAAuthentication yes
RSAAuthentication yes

Is RSAREF the same as RSAAuthentication?

Re:The Key Point is... (1)

JAPH Doggy (96000) | more than 14 years ago | (#1465890)

> It's kinda hard to audit code that's not released...(i.e. RSAREF)

Hmmm... that's funny. I have the source to RSAREF right here in front of me. I'm sure millions of other people do too.

--

This is a fundamental issue with RSA in the USA (2)

jabbo (860) | more than 14 years ago | (#1465892)

Fundamentally, it's a "demo version" of BSAFE, which is RSA Data Security Inc.'s real product, the one they sell you for money, put actual effort into, optimize, etc. Since RSADSI (the company) owns the relevant patents on RSA (the cipher) in the USA until September 20, 2000, it's up to them to dictate terms and tell you what you can and can't do with their patents. It turns out they're not too bad at heart, as evidenced by a correspondence I had with their Chief Scientist, Burt Kaliski. (Dr. Kaliski has published many useful papers on cryptography, and is well known in the field) -- The intent of the RSAREF license is to support research and other non-commercial development activities. For commercial development, RSA Data Security's preference is to license its commercial toolkits such as BSAFE (or the recently announced BSAFE SSL toolkit, which is available worldwide). --

RSAREF is provided as a service to people who want to do R&D and have more brains than money, as it were. Datafellows Ltd. and the other windoze SSH vendors had to license BSAFE or negotiate their own license for implementing and selling RSA-capable software in the USA for money, as is the intent of RSADSI (it is their livelihood).

Nonetheless, for non-commercial usage, there are more than a few people who might suggest that it is worthwhile to sidestep this issue by simultaneously not depriving RSADSI of income, and also not leaning on them to support RSAREF, which sucks and is a total waste of time/money for them. I'm not saying that you should do an end run around the patent if you live in the USA. What I am suggesting is that

  • RSA is a company of reasonable human beings who want you to pay them for making money off of their patented technologies
  • Only users in the USA are affected by the RSAREF situation, which suits both parties poorly, as users get crappy support and RSA wastes uncompensated effort any time they have to fix it
  • OpenSSH, for example, is freely available, supported (after a fashion), and does not incur monetary losses to RSA when deployed for R&D purposes, eg. researching secure network protocols

So, make up your own mind about what's morally, legally, and ethically the right thing to do. Our patent system sucks, the "Smart card" RSA patent may not really apply, yada yada, but more importantly, what is the Right Thing to do here?

I can't make that decision for you. All I can do is present the facts and some relevant discussion.

If you want more explicit advice, you can ask RSADSI, but they are famous for being vague about these issues, and aren't making any money by supporting stupid questions about free libraries.

Re:Slightly Old News? (0)

Anonymous Coward | more than 14 years ago | (#1465894)

For whatever reason, CERT is always behind.

Re:Default US SRPMS install uses RSAREF (1)

rangek (16645) | more than 14 years ago | (#1465895)

just installed SSH1 v1.2.27 last night on a new machine. I got lazy and installed via a SRPM, and didn't do anything more than 'rpm --rebuild ./ssh-1_2_27-5us_src.rpm'. It's uses RSAREF. Bummer.

See my other post. [slashdot.org]

I think 1.2.27-7us fixed this bug.

Re:OpenSSH? (2)

Kaa (21510) | more than 14 years ago | (#1465900)

Since the replies up to the time I started writing this were needlessly rude and unpleasent, I thought I'd answer you.

Thank you for unexpected civility (and on Slashdot, of all places! What the world is coming to?...). The assholes were rude and wrong.

A quote from the OpenBSD web page:

NOTE: OpenSSH does not have the ssh 1.2.27 rsa bug.

but also

SECURITY FIX: The USA version of the ssl library package, called sslUSA26, contained buffer overflows. A binary patch is available for people who installed before December 3.

and

The third ssh jumbo patch is now available. Numerous (non-security) additions/changes have been made to OpenSSH since the OpenBSD 2.6 release.


Kaa

Re:Not very bad (2)

rangek (16645) | more than 14 years ago | (#1465901)

guarentee that 90% of the people reading this are safe.

I think you are wrong. A lot of people install ssh from the ssh rpms available on rpmfind [w3.org] . The us versions here are compiled with RSAREF. But I think the latest version fixes this. See my other post [slashdot.org] .

Re:The Key Point is... (0)

Anonymous Coward | more than 14 years ago | (#1465902)

they shouldn't use code that is released to the public. If they didn't, maybe they'd have a chance of building a solid reputation.
You are a fool and a troll. I hope you get moderated as "idiot", but there doesn't seem to be that choice. Advocating "security through obscurity" should be a punishable offence.

You already have a natural, moral, and legal right (0)

Anonymous Coward | more than 14 years ago | (#1465903)

You already have a right to patch. Check out 17 USC 117 [cornell.edu] .
Anomalous Cowherd

Re:International users... (1)

Scott Wunsch (417) | more than 14 years ago | (#1465904)

If your car were an old beat-up rusted-out Pinto that didn't start, chances are pretty good that nobody would steal it. That's the case here. The RSAREF library is generally considered far inferior to the international libraries, and nobody in their right mind outside the US would consider using it, all legal issues aside.

What is RSAREF? (1)

_Lint_ (30522) | more than 14 years ago | (#1465905)

Could some kind soul please explain...
1) What is RSAREF?
1a) Is RSAREF only required if you use the RSA encription algorithm?
1b) Can one use ssh (or OpenSSH) without RSA? Is this preferable?
2) Is it legal to use ssh without REFRSA in the US?

Thanks

Re:Feds: PGP approved 4 export! Now: RSAREF has bu (0)

Anonymous Coward | more than 14 years ago | (#1465906)

Too bad you can't use Blowfish with SSH... Without RSA, how will exchange keys?

Your problem is you are using packages (1)

Dredd13 (14750) | more than 14 years ago | (#1465907)

Very simple. If you don't compile the source or patch the code yourself, you have no way of knowing what, if anything, your RPM/etc. is patched for, which specific CERT advisories, etc.

Not to sound elitist, but if you're not compiling from source, then you should contact your software vendor for information as to what the hell they've done. It is especially annoying if it is not documented (in something other than the source code) what they've patched, if they haven't changed the version number at all.

Re:The Key Point is... (1)

KrAphtd1nN3r (33859) | more than 14 years ago | (#1465908)

Woooops, mistake from my part here...sorry for that, I'm reading the RSAREF license right now to punish myself...

Re:Slightly Old News? (1)

netpuppy (77874) | more than 14 years ago | (#1465909)

I think they were waiting to get a patch written, and to give all the vendors time to do their research.

Core SDI developed the exploit. CERT is just notoriously slow ... which is a shame, because most vendor patches don't come out until after the CERT vulnerability.

Re:How does one test the server (1)

Scott Wunsch (417) | more than 14 years ago | (#1465911)

RSAREF is the library that American users are obliged to link with because of silly patent stuff. Those of us outside the US can use better international libraries, which do not suffer from this bug. Since ssh -V tells you that you're not using RSAREF, you should be fine.

Re:[Free|Open] BSD ha[d|s] the bug too (0)

Anonymous Coward | more than 14 years ago | (#1465912)

But [Open BSD] IS a better system than Linux.
"Better" is so overloaded. There are some BSD distributions (aka "BSDs" or "BSD-based operating systems")) that do some things better than some Linux distributions (aka "Linuces" or "Linux-based operating systems"). So what? There are some Solarises (wait, isn't the plural of iris just irides and clitoris just clitorides, so therefore shouldn't it be Solorides? :-) than do some things better than some Irices. And vice versa. It depends what you want.

Certainly the Open distribution of BSD comes with a more secure-by-default installation configuration than does the Redhat distribution of Linux. But other concerns are often preëminent. For example, perhaps you want a pre-installed version of KDE and StarOffice so that your secretary can use it.

Re:Not very bad (2)

Delta-9 (19355) | more than 14 years ago | (#1465913)

Doh.


clf:~> ssh1 -V
SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.


is more useful.

sorry.

Re:The Key Point is... (1)

trog (6564) | more than 14 years ago | (#1465914)

That is correct. Also, to dispell the urban "legend", the ssh volunerability was posted to bugtraq by...guess who? Theo De Raat, the lead programmer for OpenBSD.

Their code auditing is what discovered this in the first place.

The problem is C (1)

Animats (122034) | more than 14 years ago | (#1465917)

The real problem is the C programming language, and its casual attitude toward subscript checking. Trusted software shouldn't be written in C. The number of security holes generated by this issue alone is in the hundreds. Sendmail is notorious for this.

To exploit them, read The Tao of Buffer Overflow [cultdeadcow.com] , a well-written tutorial on how to crack a system that has a buffer overflow.

It's a real problem. All the safer languages that were fast (Modula, Pascal, Ada) have died off. C++ was on the right track until the Standard Template Library came out with its unsafe iterators; now there are whole new classes of holes.

Sorry for the rant. I used to work on secure operating systems, and things aren't getting better; they're getting worse. What passes for "secure systems" today is pathetic.

Re:OpenSSH? (0)

Anonymous Coward | more than 14 years ago | (#1465918)

Why did this link to the advisory get marked 'Informative' and the identical link three messages up (when reading in Nested mode) get marked 'Flamebait'?

Moderators are idiots.

-- neil, posting anonymously because expressing unpopular ideas is discouraged

Re:Interesting point. (1)

DGolden (17848) | more than 14 years ago | (#1465919)

Most likely, it would have been found by /someone/ who was semi-randomly pounding on a test binary, just like the way a lot of other exploits are found in binary-only products. They wouldn't necessarily tell anyone, in fact, they might well keep it secret until they'd used it to transfer as much wealth or information as they wanted to their own hands. Or they might tell all their friends on some irc channel. Open Source programs are not immune to this, obviously. However, the access to source code means that concerned users can audit it themselves, rather than the holes being found by people who want to use them for their own, possibly criminal, ends. It also encourages the developer to write better code in the first place, since there'll be other people looking at it.

Re:The Key Point is... (0)

Anonymous Coward | more than 14 years ago | (#1465920)

I apologize. I meant they shouldn't have used code that isn't released to the public. My bad.

You can apologize now for hurting my feelings, you meanie.

Re:This is a fundamental issue with RSA in the USA (2)

Inoshiro (71693) | more than 14 years ago | (#1465921)

Only users in the USA are affected by the RSAREF situation, which suits both parties poorly, as users get crappy support and RSA wastes uncompensated effort any time they have to fix it

Our good friend, Theo de Radt, said as much. OpenSSH checks the args to the RSAREF package strictly, and so is not vulnerable. SSH1 w/ RSAREF is vulnerable (and there is aparently a working exploit). Any packages that use RSAREF might also have holes (OpenSSL, etc).

Here [openbsd.org] is a good graphic describing the encryption situation :-) RSAREF, export restrictions, etc, all contribute to it.
---

1.2.27-7us is fixed (2)

Wee (17189) | more than 14 years ago | (#1465922)

I saw your post and went and got a copy. Yeah, it fixed the hole. But I'm just going to go ahead and install 1.2.27-7us via sources instead of SRPM anyway.

I shoulda been installing SSH via sources anyway.

-B

Re:How does one test the server (0)

Anonymous Coward | more than 14 years ago | (#1465923)

AFAIK RSAREF is just the library from RSA which the RSAAuthentication etc. use. So if your client says it doesn't use RSAREF then the package probably wasn't compiled to use it so you're probably safe. I say probably because I'm not 100% sure, so you might want to remain in yellow alert.

naughty bits (0)

Anonymous Coward | more than 14 years ago | (#1465924)

So if you can get your hands on more than one "clitoris", you now have several "clitorides"? I always thought the plural of "clitoris" was "clitorama". :-)

So what's the plural of "penis"? "Penides"? Or "dicksen"? :-)

Re:The Key Point is... (0)

Anonymous Coward | more than 14 years ago | (#1465925)

Don't worry about it. You're obviously a very stupid person.

Re:Not very bad (1)

randombit (87792) | more than 14 years ago | (#1465926)

I think you are wrong. A lot of people install ssh from the ssh rpms available on rpmfind. The us versions here are compiled with RSAREF.

Right, but anyone on Bugtraq has known about this for a long time, and has had plenty of time to upgrade to OpenSSH or SSH2. And if you're actually running Linux and not reading Bugtraq, IMO you're pretty much asking to get rooted.

And anyway, SSH is the kind of thing you _should_ build from source, no matter how nice RPMs are. I mean, hell, I love rpm, but do you know who built those RPMs on rpmfind? I could easily build a trojaned SSH (for instance, make it so the RNG subsystem always returns 0, so your keys are easy to guess) and submit it to rpmfind (faking the hostname, etc so it looks like it came from redhat or SSH). If it came from RedHat's ftp site (and the GPG signature validated), I would probably consider it, but getting SSH from someone you don't know is not particularly smart. Just get the source from the official site (somewhere in finland, check www.ssh.fi for links) and build it yourself.

For instance, I get PGP/GPG RPMS from ftp.gnupg.org and ftp.pgpi.org because they are trusted sources, so I'm ok with that. I also trust the SSH ftp site: if they had RPMs there I would get them, but they don't, so I build from source. But I won't trust some random person who submits to rpmfind.

Re:OpenSSH? (2)

Anonymous Coward | more than 14 years ago | (#1465927)

OpenSSH [openssh.com] is not vulnerable to this exploit. Mail from Bugtraq:

Subject: Re: Security Advisory: Buffer overflow in RSAREF2
From: Niels Provos
Date: 1999-12-04 22:45:20

In message , Gerardo Richarte writes:

To make this clear: in combination with the buffer overflow in rsaglue.c this makes possible to get a remote shell on a machine running sshd AND it also makes possible to use a reverse exploit to gain access on clients' machines, using malicious sshd.

I fear that this posting should have been even clearer. To sum the problem up more clearly:

ssh-1.2.27 (if compiled with RSAREF2) is vulnerable. Attackers can obtain a shell on the machine running sshd. The exploit uses buffer overflows in the RSAREF2 implementation AND in the rsaglue.c file in ssh-1.2.27. I am surprised that there wasnt a bigger outrage on the mailing list about this, it is quite serious!!!

On the other hand, OpenSSH is not vulnerable to this remote exploit. Since rsaglue.c was rewritten, OpenSSH does stricter parameter checking than ssh-1.2.27 and these recent problems in ssh-1.2.27 did NOT affect OpenSSH.

Nonetheless, OpenSSH users in the USA that use OpenSSL compiled with RSAREF2 should update their ssl library (since isakmpd or httpd may be affected), see previous postings on Bugtraq, and http://www.openbsd.org/errata.html#sslUSA [openbsd.org]

Another thing is worth mentioning, RSA could use the buffer overflow in RSAREF2 to scan machines in the USA for RSA license violation. For example, sshds that do not use RSAREF2 do will behave differently than those that do.

Information on OpenSSH can be found at http://www.openssh.com/ [openssh.com]
Information on OpenSSL can be found at http://www.openssl.org/ [openssl.org]

Re:Debian Version of SSH (1)

fluch (126140) | more than 14 years ago | (#1465928)

Potato uses OpenSSH as the default SSH client, ssh -V reports: SSH Version OpenSSH-1.2, protocol version 1.5. Compiled with SSL. Martin

what about openssh1.2 with ssl? (1)

Dandre (90053) | more than 14 years ago | (#1465930)

If when I type 'ssh -V' I get:

SSH Version OpenSSH-1.2, protocol version 1.5. Compiled with SSL.

Is that all right? It doesn't mention RSAREF, so I wasn't sure. I suspect it's fine, given that it doesn't directly mention RSAREF, but I thought I'd check.

Thanks,

David Andre

Re:The Key Point is... (2)

Matthew Weigel (888) | more than 14 years ago | (#1465931)

Actually, as I recall the discussion on the OpenBSD mailing list when this came up a week or two ago, this bug compromises the security of an OpenBSD system in the US only (due to our wonderful patent laws). Further, the latest version of OpenBSD (2.6) is not I repeat not affected by this, since it uses OpenSSH -- an implementation of SSH that has undergone their scrutiny.

As for that "urban legend," you're smoking crack. OpenBSD is very up-front that everything in the base installation has undergone extensive testing; ssh, because it is not free software, is not in the base install. Idiot.

Re:Interesting point. (1)

Gummbah (72706) | more than 14 years ago | (#1465938)

I think this might be debatable. If only the binaries were released, would the problem have been found in the first place? It might have lived happily and undiscovered for months. Not to say anything bad on open source programs. Far from it.

Not ssh, RSAREF (1)

molo (94384) | more than 14 years ago | (#1465939)

ssh is open source. RSAREF is the closed source (patented) library that is at issue. The vulnerability exists in RSAREF and affects all these other products.

Personally, I'm glad Debian distributes its ssh without RSAREF.

Would the vulnerability exist if RSAREF was open sourced? I doubt it. There are plenty of other RSA implementations that don't have this problem.

,,, (1)

Signail11 (123143) | more than 14 years ago | (#1465940)

To quote for the advisory:
OpenSSL
OpenSSL with RSAREF is not vulnerable.
OpenBSD / OpenSSH
and following the subsequent link to the OpenBSD page:
"A buffer overflow in the RSAREF code included in the USA version of the libssl package (called sslUSA, is possibly exploitable in httpd, ssh, or isakmpd, if SSL/RSA features are enabled or used. NOTE: International users using the ssl26 package are not affected."


--
Flames? Think I'm a karma whore?

Re:OpenSSH? (2)

jd (1658) | more than 14 years ago | (#1465941)

Since the replies up to the time I started writing this were needlessly rude and unpleasent, I thought I'd answer you.

OpenSSH -is- affected, at least for older versions for the US. International versions are not affected, and I believe the latest OpenSSH for the US is also not affected.

SSH 2 availability (1)

Anonymous Coward | more than 14 years ago | (#1465942)

When I first looked at SSH 2, it did not appear like its license was free - in fact it looked far from it. Is there a *free* version available now? I've been using version 1 because the license appears more friendly.

At least for now, ssh -V yields:
SSH Version 1.2.27 [i686-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.

I guess I'm OK, although I'd like to be out from under these silly Patent restrictions. :(

just compile without RSAREF (2)

trance9 (10504) | more than 14 years ago | (#1465943)


If you get hacked because of this bug, please write a nice "thank you" letter to the U.S. Patent Office.

RSAREF is also slow. I think RSA believes their patent enforced monopoly entitles them to write sloppy, slow, poor quality code. The international RSA libraries are much better all around. Not that I would encourage those of you in the US to violate the law by avoiding RSAREF...

But I would like to point out that the RSA patent is about to expire, and those of us in Canada and Europe don't touch RSAREF with a 10 foot pole.

How is this obnoxious comment informative? (1)

Frac (27516) | more than 14 years ago | (#1465944)

somebody please mod that guy back down... this only encourages people that snap at each other to be modded up.

Security Software (1)

generic (14144) | more than 14 years ago | (#1465945)

This is why auditing your code has become so important. At least with Open source we can patch it ourselves with out waiting for a vendor. I like to come up with a "user supplied input tree" and look for trouble spots.

Not very bad (3)

fremen (33537) | more than 14 years ago | (#1465946)

This is not as bad as you might think. This hole relies on ssh being built with the proprietary third party RSAREF library. If you haven't built ssh that way, then you're safe. I guarentee that 90% of the people reading this are safe. To make sure, type the following:

ssh -V

This should return the following:

Standard version. Does not use RSAREF.

Also, let's not forget that the Bugtraq people have known about this for months. If you don't read Bugtraq, you should.

Re:Your problem is you are using packages (1)

Col. Panic (90528) | more than 14 years ago | (#1465947)

Yeppers. It's just that gnorpm is sooo sweet I can't resist using it. ;)

Re:What is RSAREF? (0)

Anonymous Coward | more than 14 years ago | (#1465948)

Could some kind soul please explain...
1) What is RSAREF?

RSA REFerence library. A (c) library that
performs RSA encryption/decryption. RSA
allows its use for non-commercial purposes.

International patent law (generally) does not
recognize mathematical patents, such as the
one that covers the RSA algorithm (in the US).
Thus, one can (generally) use the RSA algorithms
unencumbered by the US patent internationally.

Since the US recognizes the RSA patent, the
only legal options to US users are:
1. use the RSAREF library, and only use
the product (ssh, etc.) for non-commercial
purposes.
-or-
2. buy a licensed implementation of RSA
(e.g., datafellows ssh2)

Re:Your problem is you are using packages (1)

rangek (16645) | more than 14 years ago | (#1465949)

Very simple. If you don't compile the source or patch the code yourself, you have no way of knowing what, if anything, your RPM/etc. is patched for, which specific CERT advisories, etc.

Sure you do. You check the changelog. If you don't trust the packager, get the source package and look it over. If you really don't trust the packager, get the tar.gz sources.

All I was asking was whether the message in the changelog I saw was about this bug or another, new one. I was confused because I got the fix weeks ago, and heard about it several other places weeks ago. Now all of a sudden it pops up on Slashdot.

So the problem isn't packages, it is the variable pace of news on the net. I.e., it apparently takes CERT quite a while (~2 weeks) to publish a notice, by which time the fix is already in place on quite a few systems.

And I don't think there is anything elite about installing raw source all the time. You try to manage a few dozen workstations and servers running quite a few packages not found in the standard distribution (RedHat in this case) without package management. Hardly possible, I assure you.

Package management is something I am thankful for everyday. Hell, I even make packages for software that is only released internally because it is just so much easier to install that way.

I don't use RSAREF (1)

Black Art (3335) | more than 14 years ago | (#1465950)

Having read the code for RSAREF1 and RSAREF2, refuse to use either. RSAREF2 seems to just be a minor patch release for RSAREF1 (do the diffs and see for yourself.). The code is pretty ugly, it is not 64bit clean code, and is a pain to compile.

With much better RSA libraries out there, why use it, other than the legal threats from RSA.

Re:naughty bits (1)

Tom Christiansen (54829) | more than 14 years ago | (#1465952)

The classical rules would say to use the following for "singular, plural":
  • clitoris, clitorides (Greek)
  • penis, penes (Latin)
  • vagina, vaginae (Latin)
  • testis, testes (Latin)
  • scrotum, scrota (Latin)
  • larynx, larynges (Greek)
  • pharyx, pharynges (Greek)
(Yes, the last two could theoretically occur in sexual contexts. But Sphinx/Sphinges probably wouldn't. :-)

In practice, only medical texts tend to do so. (Now you know why physicians take Greek and Latin.) The rest of us just add the normal English endings. It's not like these comes up very often in pillow talk.

You can see the -ides inflection in compounds:

% look clitori
Clitoria
clitoridauxe
clitoridean
clitoridectomy
clitoriditis
clitoridotomy
clitoris
clitorism
clitoritis
As for irides (literally, rainbows), hm... I suppose some of these naughty bits might on occasion be iridescent.

I'm glad slashdot has never done a feature article on how to talk dirty in Latin [obscure.org] . Otherwise we'd doubtless be innundated with requests for Natalia the Irrumatrix. :-)

And no, "Irrumatrix" isn't the bootleg, uncut, XXX-rated version of that silly Matrix movie with Keanu caught doing the naughty. Then again, with recent advances in digital technology, one never knows what they might come up with. :-)**2

Re:The Key Point is... (2)

Matthew Weigel (888) | more than 14 years ago | (#1465954)

this bug compromises the security of an OpenBSD system in the US only
Excuse me, I didn't quite get this one right: please insert "if installed before the patched RSAREF was available and not updated since" before "only".

Re:The Key Point is... (0)

Anonymous Coward | more than 14 years ago | (#1465956)

You flaming idiot - RSAREF source *is* available on the web.

Re:And Microsoft is not affected. (0)

Anonymous Coward | more than 14 years ago | (#1465957)

yep. they already have backdoors built in by default. NSAKEY anyone ?

Re:What is RSAREF? (1)

frost22 (115958) | more than 14 years ago | (#1465960)

Here we go:

RSAREF is a library implementing the RSA algorithm

since the RSA algorithm is patented by RSADSI in the US, you may not use RSA without either a special license or linking to RSAREF, which contains some general license.

since this stupid patent is only valid in USA, the above paragraph only applies in USA

people outside the US usually use other - better - RSA implementations

as a side note, the buffer overflow problem is not in RSAREF but in the glue code used by ssh to link to it

ssh can be compiled without rsaref. AFAIK it even does so out of the box.

the legality of using ssh without rsaref in the USA is shady. In most cases you are infringing on RSADSI's patents. If this alone is illegal (punishable) is unknown to me; certainly it's ground for them to sue you. YMMV

READ THE FOLLOWUP!! There IS an exploit! (2)

Nicolas MONNET (4727) | more than 14 years ago | (#1465967)

I thought it was safe reading the message you posted, however someone followed up with this:

---------------------------
Date: Mon, 13 Dec 1999 22:03:15 -0300
From: Iván Arce
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: ssh-1.2.27 exploit

snip

We have a working exploit against Linux and OpenBSD, we are waiting for CERT to publish their advisory. As soon as that happens, or before if its taking too long, we'll publish the exploit. Since the problem is not being actively exploited (as far as we know), there didnt seem to be a reason to post the exploit code with our advisory.

-ivan
---------------------------

Re:,,, (0)

Anonymous Coward | more than 14 years ago | (#1465968)

fuck you, you stupid little fraud. You have to earn our enmity here. You can't ride the coattails of that prick Cignal 11. Until you act like a prick, we have no choice but to love you.

International users... (1)

Anonymous Coward | more than 14 years ago | (#1465969)

Are supposedly not affected, because RSAREF shouldn't have been exported from the United States.

Is it just me, or is this almost laughable?

Can anybody tell me with a straight face that nobody has illegally exported? Statements like that make me curious-- how comfortable is it, really, to have your head buried in the sand?

Anyway, I wasn't writing this to be a troll. It just struck me as funny that CERT would try to act like international users aren't affected because of export laws. Nobody is going to steal my car, because there are laws against it, right?

OpenSSH is *NOT* Affected (0)

Anonymous Coward | more than 14 years ago | (#1465971)

from www.openssh.org/security.html OpenSSH was never vulnerable to the recent (November, 1999) security issue in Datafellows SSH. This has been on bugtraq and vuln-dev for a while now.

Actually... (1)

Tower (37395) | more than 14 years ago | (#1465972)

FYI:The OpenBSD list is a little different, if you check the link. This is primarily for FreeBSD, but I posted it as the BSD family, since many people run FBSD apps and packages on other flavors...

Re:The Key Point is... (1)

KrAphtd1nN3r (33859) | more than 14 years ago | (#1465973)

Check the facts, you stupid moron. SSH1 has absolutely nothing to do with OpenBSD. The OpenBSD team wrote OpenSSH, which is an alternative to the commercial version of SSH. They are not responsible for this problem. It would also be interesting to note that they fixed a couple of other problems in SSH by rewriting it.

Re:International users... (1)

arcade (16638) | more than 14 years ago | (#1465985)

Are supposedly not affected, because RSAREF shouldn't have been exported from the United States.

Yup. And If I've understood everything correctly, you would be pretty stupid if you compiled it WITH rsaref. :) If i remember correctly, it makes things less secure.

I could of course be wrong.

Most SSH2 installations in USA *are* affected (1)

rcgraves (10702) | more than 14 years ago | (#1465986)

ssh2 does not implement the ssh1 protocols, so
ssh2 simply execs ssh1 when a v1.5 client
connects. Everyone installs ssh2 in ssh1
compatibility mode because the free Mac/Win ssh
clients, like NiftyTelnet and ttssh, only do ssh1.

The ssh1 RPMs currently on ftp.hacktic.nl and
mirrors (replay.com is no more) have been patched
to avoid this problem. I assume debian is OK too.

All the BSD's use OpenSSH now, so they're fine as
long as you're up to date.

Unamericans should be OK because they don't link
with RSAREF.

Americans who haven't linked with RSAREF are
violating RSA's patent.

Re:SSH 2 availability (2)

Tower (37395) | more than 14 years ago | (#1465987)

According to ssh.org:

You can get the SSH2 from various anonymous ftp sites around the globe for purposes of NON-COMMERCIAL USE and EDUCATIONAL USE as defined by the Licence Agreement.

http://www.ssh.org/licensing/ssh2_non-commercial _licensing.html

So it all depends on what position you are in. Works great for me(tm)

Re:The Key Point is... (0)

Anonymous Coward | more than 14 years ago | (#1465988)

They are responsible for compromising the security of machines that run their distribution. OpenBSD has established a niche based off the urban legend that all code released under their distribtution has undergone extensive auditing and all that other security bullshit. This proves that they're liars.

If you're going to make claims back them up or get out of my fucking face.

Feds: PGP approved 4 export! Now: RSAREF has bug! (0)

Anonymous Coward | more than 14 years ago | (#1465989)

Interesting timing on these two events. Maybe the NSA [hi echelon!] was hoping no one would notice.

Well, I abide by a simple rule. If feds approve it, I don't use it.

I'll stick with Blowfish, thank you. It's not exportable... and therefore better than what is.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...