[Dshield] SSH Vulnerability
ben at robson.ph
Tue Sep 16 15:35:31 GMT 2003
I generate security alerts for my employer, and have done one for the
SSH vulnerability. Given nobody has, as yet, posted a summary doco, I
thought I might slap mine up.
Please excuse any formatting or content that may offend people's
sensibilities. DShield is not intended as its native target audience.
If anyone has some alternate "factual" information I would be interested.
*** SO ALERT *** OpenSSH Vulnerability
Purpose: Security Officer Alert
Subject: Possible Vulnerability in OpenSSH v3.6p1
Threat Level: High-Critical
Date: 17th September 2003
Systems Affected: All systems running OpenSSH
(except OpenBSD 3.3)
A vulnerability has been confirmed as existing within version 3.6p1
of the OpenSSH application. OpenSSH is an application critical to the
secure, remote management of the vast majority of Unix servers running
on networks throughout the world. With almost all Unix varieties now
installing and starting OpenSSH by default, and with it in the set of
tools that are usually left running by administrators, a very large
number of servers will be vulnerable to a remote attack until new
binaries are made available by vendors and applied or until
administrators download source code patch information and recompile and
Due to the pervasiveness of the OpenSSH application throughout Unix
variant based servers, desktops, and network appliances a very large
number of devices could be, and are likely vulnerable to this issue.
Whilst evidence of exploit code in the wild is yet to be
substantiated, rumours exist of individuals administering servers being
attacked and compromised via their OpenSSH implementation.
Who is affected:
The OpenSSH vulnerability appears to affect all users of the OpenSSH
daemon, version 3.6p1, excluding users of OpenBSD 3.3 or above. All
Unix variants are potential targets for this issue. It is unknown if
prior versions are vulnerable, but administrators should upgrade beyond
3.6p1 as soon as possible as vulnerabilities exist for all subsequent
versions as well.
As a mitigating action system and network administrators should either:
1. Disable the OpenSSH daemon (sshd) from running on devices,
2. Restrict access to the OpenSSH daemon (sshd) to
known/trusted hosts via a network or host based firewall.
To properly address this issue, by removing the vulnerability from
the OpenSSH application, administrators should either:
1. Apply patches to the OpenSSH source code and recompile the
2. Obtain new releases of the OpenSSH application from their
Whilst patches and new binaries are filtering in from vendors for
the OpenSSH application numerous questions are still outstanding:
1. How long has Theo Deraadt (OpenSSH principal developer) known
about the vulnerability?
2. How long has the underground hacker community known about the
3. Are the claims of a live exploit substantiated or fiction?
4. If 3. is 'substantiated', how long has Theo known this, and
why didn't he tell administrators that, at the least, a vulnerability
did exist so that they could take mitigating steps whilst they wait for
A recent trend, supported disturbingly by Microsoft, other
leading vendors, and many in the security community, has been to
withhold information on new vulnerabilities that are identified. The
intent of this is to prevent malicious users from obtaining details of
the issue and developing exploits before the software vendors have the
opportunity to release patches.
Unfortunately for this method of issue management, more often than
not the hacker community is still finding out about an issue before the
patch is released. This means that system and network administrators
are left with rumours and innuendo as to whether an issue exists, no
official guidance from those who know, and thus no ability to decide
whether a threat is real, whether they need to take action to prevent
being attacked, or the ability to determine what sort of action might
I call on the above parties to stop this foolishness, and at the
very least, when an issue is identified provide enough detail to allow
administrators of networks and systems to make decisions to protect
themselves whilst the software vendor works on fixing the problem.
Early on Monday 16th September 2004 (AEST) news came to the
Full-Disclosure mailing list of a rumoured vulnerability existing in the
OpenSSH application. Very quickly several other participants supported
this rumour, but little hard evidence was presented.
An initial posting by Christopher Neitzert reads, "Does anyone know
of or have source related to a new, and unpublished ssh
exploit? An ISP I work with has filtered all SSH connections due to
several root level incidents involving ssh. Any information is
Initial response by the security community was cautious, suggesting
mitigation strategies be put in place in case the rumours turned out to
Follow-up posts to Neitzert's query suggested that an issue existed
with the contents of buffer.c for version 3.6p1 of the OpenSSH application.
A later post provided the offending portion of the buffer.c file
which it was later disclosed contained an "off by one" vulnerability.
Carl Livitt established a dialogue with Theo Deraadt, the principal
of OpenSSH, and posted the following to the Full-Disclosure mailing list:
[ START MESSAGE ]
Straight from the horse's mouth, this is a snippet of an email
conversation I just had with Theo Deraadt:
Is there a patch available to patch the off-by-one that has been
reported in OpenSSH ? As it is being actively exploited in the wild, I
would like to patch my servers ASAP (as you can probably imagine).
Thank you for taking the time to read - and hopefully respond to - this
A flamefest ensued, but his answer was:
Bugger off, wait like the rest of the planet.
After more flaming abuse, I received this from him:
I have been spending the last 10 days making openbsd releases for
about 14-15 hours a day for people to use
We've been spending hours and hours making openssh release
We are dealing with an, as far as we know, unexploitable hole
(affects some systems, but not openbsd it is pretty clear) issue
for all of you who run other system
we've been dealing with this frantically
to make something that the internet relies on as good
as good as it possibly can be
no sleep for 30 hours
and you expect me to treat you special?
AND YOU EXPECT ME TO TREAT YOU SPECIAL?
AND YOU THINK THAT PASTING THAT TO SOME IRC CHANNEL MAKES YOU LOOK
and you think that you pasting it to some icb channel makes me feel
worth less, when every single hp and cisco switch containing this code
is likely vulnerable, and i don't like that, and want to make the
world a better place even if it kills me due to stress and lack of
sleep because i think that a better world is a better place to live
The main point is that " every single hp and cisco switch containing
this code is likely vulnerable". Oh dear, this could get nasty.. batten
down the hatches...
Poor Theo, he needs his rest.
[ END MESSAGE ]
By late evening on the 16th of September 2003 (AEST) patches began to
appear for the OpenSSH application. Reports soon followed of vendors
releasing new versions of the OpenSSH application to the community.
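The triage the alert above asks administrators to do (find which hosts still run an OpenSSH older than the fixed release, and restrict sshd to trusted hosts with a firewall until they are upgraded) as a worked example. This is added here and is not part of the original post or of OpenSSH itself. It assumes that OpenSSH 3.7 is the first release carrying the buffer.c fix (the post does not name the fixed release; override FIXED_VERSION with whatever your vendor's advisory says, since vendors back-port fixes into older package versions), and the sample banners, the chain name SSH-TRUSTED and the trusted-host addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): version triage and a
# firewall-rule generator for the OpenSSH advisory.
#
# ASSUMPTION: OpenSSH 3.7 is treated as the first fixed release. Check
# your vendor's advisory; a back-ported fix may live in an older package
# version, in which case set FIXED_VERSION accordingly.
FIXED_VERSION="${FIXED_VERSION:-3.7}"

# Extract the OpenSSH version from an SSH identification banner such as
# "SSH-1.99-OpenSSH_3.6.1p1". Prints e.g. "3.6.1p1"; returns 1 for
# banners that are not OpenSSH at all (they are "not assessed", not safe).
parse_openssh_banner() {
    case "$1" in
        *OpenSSH_*)
            printf '%s\n' "$1" |
                sed -n 's/.*OpenSSH_\([0-9][0-9.]*[p0-9]*\).*/\1/p'
            ;;
        *) return 1 ;;
    esac
}

# Return 0 (true) if version $1 sorts before version $2, comparing the
# dotted numeric part only; the "pN" portable-release suffix is ignored.
# Missing components are padded with 0 so "3.7" compares as 3.7.0.
version_lt() {
    a="$(printf '%s\n' "$1" | sed 's/p.*//').0.0"
    b="$(printf '%s\n' "$2" | sed 's/p.*//').0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Return 0 if the banner belongs to an OpenSSH older than FIXED_VERSION.
banner_is_vulnerable() {
    v=$(parse_openssh_banner "$1") || return 1
    version_lt "$v" "$FIXED_VERSION"
}

# Print (do not execute) iptables commands implementing mitigation 2 of
# the alert: tcp/22 is accepted only from the listed trusted hosts or
# CIDRs and dropped from everywhere else. Review the output, then pipe it
# to sh on the host. The chain name SSH-TRUSTED is this example's choice.
gen_ssh_firewall_rules() {
    echo "iptables -N SSH-TRUSTED"
    echo "iptables -A INPUT -p tcp --dport 22 -j SSH-TRUSTED"
    for host in "$@"; do
        echo "iptables -A SSH-TRUSTED -s $host -p tcp --dport 22 -j ACCEPT"
    done
    echo "iptables -A SSH-TRUSTED -p tcp --dport 22 -j DROP"
}

# Constructed sample banners (not real scan data) so the script runs
# stand-alone; in practice feed it the output of a banner grab per host.
SAMPLE_BANNERS="SSH-1.99-OpenSSH_3.6.1p1
SSH-2.0-OpenSSH_3.7p1
SSH-2.0-OpenSSH_3.5p1 FreeBSD-20030201
SSH-1.5-Cisco-1.25"

# Classify every banner on stdin-like input as vulnerable / patched /
# not-openssh, one line per banner.
triage_banners() {
    printf '%s\n' "$SAMPLE_BANNERS" | while IFS= read -r banner; do
        if banner_is_vulnerable "$banner"; then
            echo "VULNERABLE  $banner"
        elif parse_openssh_banner "$banner" >/dev/null; then
            echo "patched     $banner"
        else
            echo "not-openssh $banner"
        fi
    done
}

# Stand-alone run: triage the samples, then show the rules that would
# restrict sshd to two (constructed) trusted addresses.
triage_banners
gen_ssh_firewall_rules 10.0.0.5 192.168.1.0/24
```

The comparison deliberately ignores the portable "pN" suffix, because the fix is in the upstream release, not in the portable patch level. Banners that are not OpenSSH come back as "not-openssh" rather than "patched": an appliance that embeds OpenSSH behind a vendor banner (the HP and Cisco switches Theo mentions) cannot be cleared by banner grabbing and needs the vendor's own advisory.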