Contributed by Dengue on from the adv.token dept.
Subject: Revised OpenSSH Security Advisory (adv.token)
Date: Fri, 26 Apr 2002 14:00:43 +0200
From: Markus Friedl
OpenBSD Journal
By Anonymous Coward () on
By Anonymous Coward () on
and if not why?
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
and anoncvs3.usa.openbsd.org in OPENBSD_3_1 is unpatched.
By ciph3r () ciph3r@securebydefault.org on mailto:ciph3r@securebydefault.org
OPENBSD_3_1 is the -release branch, and -stable is the patched branch.
By Anonymous Coward () on
OPENBSD_3_1 is 3.1-stable
OPENBSD_3_1_BASE is 3.1-release
the patch is missing
By Anonymous Coward () on
By xs () xs on xs
Which dumbass would use "mode-1" ssh anyway?
So please stop bitching around and better fix some bugs yourself.
By Ben Lindstrom () mouring@eviladmin.org on mailto:mouring@eviladmin.org
As for 'harding', if you used PrivSep (which is currently default off because it is still pretty new) then you get an added layer of protection, since all critical code is run as a separate user.
Besides, I doubt you're involved. Want to make a difference? Start auditing.
- Ben
By person () on
By Anonymous Coward () on
(www.ssh.com / www.microsoft.com or whatever)
Or maybe pay for someone to do the job. You don't get everything for free.
By Cindy_Montreal () on
One of the things I liked about OpenBSD was its user base. Yes, there are a few smegheads out there who use OpenBSD and never think how much hard work goes into it. No code is perfect, no software is perfect, unless you count the infamous "Hello, world". And I am sure that some smeghead out there could write a "hello, world" program with lots of security flaws in it.
At work I have to deal with smeggers who burn databases on CD-ROMs, delete the server copy, give access to the CD-ROM copy to other end users, then phone the Help Center, open a ticket, claiming they no longer can change the data, modify the ACL, or import new data.
I was thinking about end users most of the day. And in the end I realized the end user is the best thing computers ever invented. If it weren't for them, how many of us would be working? How many of us would be pushed to go beyond the point we are at? How many of us would even care about computers, technology and what it can or can not do? The end user is what makes computers great.
So getting back to the end user who posted the message that started this thread, I only have this to say. 'Darren, go post your messages elsewhere.' ;)
-- Cindy
By Ivan Wagner () wagner17@mandalore.com on mailto:wagner17@mandalore.com
The funny thing is end users do NOT have the same opinion about us. We are just an annoyance who place unnecessary limitations on them for arbitrary reasons and non-business reasons.
> So getting back to the end user who posted the message that started this thread, I only have this to say. 'Darren, go post your messages elsewhere.' ;)
Ouch! That's harsh.
By Chris () on http://www.dejection.org.uk/
By Anonymous Coward () on
By Lars Hansson () on
But, to elaborate, in case you haven't noticed, no one is getting paid for this and no one is forcing you to use OpenSSH if you don't like it. It's not a commercial product, you haven't paid a damn penny for it, so either stop whining and do something or just shut the hell up.
By Anonymous Coward () on
By niekze () niekze@nothingkillsfaster.com on mailto:niekze@nothingkillsfaster.com
Sure. No problem.
(to the rest of you: why do you respond with such fury and anger to a post that was *obviously* a troll? Go outside people. Get some sunshine. Breathe in some fresh air. *Relax*. Some of you tell this person that no one is forcing him/her to use OpenSSH. My cable provider sucks, but I don't have to use it. Does that mean I cannot voice concerns about it? Of course not. Likewise, even if I get something at no cost, I can still voice concerns about whatever it is that I am getting. Down in this thread, Cindy_Montreal complains that "they" are wasting our time, bandwidth etc. Yet, she agrees with the message she responded to that pretty much said: if you don't like it, you don't have to use it. Is that hypocrisy I smell? Why yes, it is! She doesn't have to read those posts. She can remove herself from such waste of time and bandwidth easily: don't use the internet. Of course, you could call me a hypocrite for bitching at the people who are bitching at the person bitching. But, like the original bitcher, you all have the right to bitch as well and I don't mean to imply otherwise. This person is just trying to upset you all. It seems this person has done *extremely* well. After the quite obvious comment that such a person does not have to use the idea/product/service that they bitch about, I find the 'martyr developers' line to usually follow. "They aren't getting paid," "their idea/product/service is free," and so on. No one is forcing the developers to do this for free. THE DEVELOPERS AREN'T NAILED TO THE CROSS EVERY TIME SOMEONE VOICES A NEGATIVE OPINION. They're (somewhat) normal people, just like the rest of us. But back to my original point, just relax. OpenSSH has flaws, as does any software project, and people will complain. The fact that it's free doesn't indemnify the developers against such criticism. Really, it is quite simple.
Ignore the trolls and if someone asks a stupid question that you've answered nicely 5,000 times, answer it nicely for the 5,001st time or just don't answer. Of course, you can make an ass out of yourself and get very upset and yell and scream and kick the dog, but what does that accomplish besides raising your blood pressure? It's just software. Though this is *incredibly* off-topic, listen to my advice and simply *relax*. You'll find that everything isn't as serious as you previously thought and the trolls will eventually get bored. Plus, it's better for your health.)
By frisco () on http://www.blackant.net/
responding to trolls lets me vent. if i didn't vent i'd end up yelling at my boss, my girlfriend, or my bartender and then i'd really be in trouble.
the way i see it, i *love* the trolls. they keep me employed, laid, and getting free beers at the bar.
-f
By Anonymous Coward () on
employed??
laid??
getting free beer?
tell me more ;*(
By mike () mike@sfobug.org on http://www.sfobug.org
Good advice.
-Mike
--
mike@sfobug.org
San Francisco OpenBSD Users Group
By Peter Hessler () spambox@theapt.org on http://www.sfobug.org
By Anonymous Coward () on
Marketing BULLSHIT!
If now, why not more info.....
By Anonymous Coward () on
(no edit of /etc files,..., not enabling more services,....)
So yes I would also say it is marketing bullshit the OpenBSD claim:
"Four years without a remote hole in the default install!"
If it is true at all, who knows
(Theo didn't comment on a question regarding this on misc@ - so maybe he will not confirm that it is indeed false)
By Anonymous Coward () on
By Anonymous Coward () on
has that been fixed in 3.0 and 3.1?????
By ThomasJ () on
# http://www.openbsd.org/errata.html#kernexec
# Vendor status:
# OpenBSD was informed on 9 June 2001
So, yes.
And BTW this is a LOCAL exploit.
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
How much clearer do we have to be? Would you like someone to explain Remote a little more thoroughly? How about ROOT? What about Compile?
At which point in the following scenario does my computer become vulnerable to a remote root exploit?
-Install OpenBSD from CD.
-configure internet connection.
-Go to openbsd.org using lynx.
-Look for security announcements.
-Download necessary patches or the one uberpatch.
-Install patches.
- restart daemon or service
Hard to understand for a novice but at NO time was I EVER vulnerable to a remote root exploit.
That is just a huge relief to me especially compared to other operating systems I have to deal with in my lab.
What kind of info do you want?
- exploit found
- notice given
- download patch from openbsd.org
- compile
- restart daemon or service
- problem solved
If you need more handholding than this, you and your company can continue paying tens of thousands of dollars for Microsoft books, certifications, applications, and operating systems. The rest of us will pay all of $40US for the privilege of using OpenBSD.
How about trolling around on /. with people your own age and maturity level? I have work to do.
By Anonymous Coward () on
By Anonymous Coward () on
>What kind of info do you want?
The "four years without a remote hole in the default install" claim needs some more explaining, like:
- Preconditions (need patching)
Is this claim only valid for boxes that get patched when a new patch is released on the errata page?
- Starting from? (date and year)
If it is true, then it should be updated to five years (afaik). But did an exploit turn up so that it is still four years and not 5?
- Only valid for the current release over time?
When 3.1 is released, do exploits found in 3.0/2.9/.... still count? Or is it only bugs found in 3.1 that count?
- Last remote hole fixed, when....
Just for documentation purposes and to show people that they take security seriously and the claim is indeed true.
Info that should be available from www.openbsd.org, in my opinion.
By Anonymous Coward () on
Four years without a remote hole in the default install.
Four years: a time frame
remote hole: a vulnerability exploited remotely
default install: an installation with no modifications
When you put it together what does it all mean?
Perhaps it has been four years since a remotely exploitable vulnerability has been found in the default installation?
If you claim this to be false, please provide evidence to the contrary. Otherwise, please slither from whence you came since you have nothing to offer anyone here.
By Anonymous Coward () on
http://www.deadly.org/commentShow.php3?sid=20020427144326&pid=321
If not, then think about it for a moment.
Maybe you will find that we actually don't know much about this claim.
If you do, please provide evidence and answers.
By Anonymous Coward () on
>- Preconditions (need patching)
>Is this claim only valid for boxes that get patched when a new patch is released on the errata page.
No. The default install would include no patches. You can also look at the patch history and note that the patches have only been issued to secure local problems or remote problems in programs that are not enabled/accessible by default. If patches were required, they would have noted it.
>- Starting from? (date and year)
>If it is true, then it should be updated to five years (afaik). But did an exploit turn up so that it is still four years and not 5?
Well, if it has really been five years, then they might just be taking their sweet time about it. I don't think that number is supposed to indicate an exact time. It's a general statement, and therefore only requires a general time frame.
And if an exploit turned up, the phrase would be missing from the front page all together. Last year (iirc) a local exploit was found (and now there have been several) and the statement about X years for a local exploit was taken down.
>- Only valid for the current release over time?
>When 3.1 is released, do exploits found in 3.0/2.9/.... still count? Or is it only bugs found in 3.1 that count?
Older releases would be included. Take any release (at any patch level) and the statement should hold true. The only time the phrase would be reset is if a patch were to come out that fixed a remotely exploitable bug in a recent version (3.0). Otherwise, look back four years and you can feel safe about the default install of OpenBSD. The fact is, it has been four years since a remotely exploitable bug has been found in the software that is enabled in the default install. I don't know how you can get it any simpler than that.
>- Last remote hole fixed, when....
>Just for documentation purposes and to show people that they take security seriously and the claim is indeed true.
If you have any question about whether the OpenBSD team is pro-actively secure, you are not reading enough documentation. If you ask just about anyone what the purpose of OpenBSD is, they will tell you (incorrectly) that it is security (and it's not... they are pro-actively secure and pride themselves on correctness). And why is that? Could it be that OpenBSD touts open encryption, use of encryption in most if not all areas where it can be used, and code correctness so that developers have a greater chance of leaving out bugs? Just read a bit on the web and it should become clear that OpenBSD does take security seriously.
And as to your doubts about whether the claim is true? Download the source and look through it yourself. Find the bugs. Try to exploit the default install from any version in the past four years and see what you come up with. Look at the patch history and see what has been fixed (and when). Use that as a way to discredit the remark. The information you seek is right in front of your face.
>Info that should be available from www.openbsd.org, in my opinion.
The information is already there. You just don't know what you are looking at. First, understand what the phrase means, then check your history. It seems like you are taking something simple and trying to take it to a much higher level than it needs.
By Anonymous Coward () on
www.guninsky.com/openbsdrace.html
We all have the greatest respect for your talents but...
You pointed out a LOCAL root exploit. A LOCAL root exploit is infinitely easier
to take advantage of than a remote root exploit. Once a very experienced
computer professional like yourself has LOCAL access to a network, maintaining
security becomes a very difficult task indeed.
Since you seem to have a vested interest in the subject, here's the challenge.
Buy, beg, or steal every cd put out by the openbsd team over the last several years.
Buy, beg, or steal enough hardware to install every version of openbsd on every platform.
Network settings are taken care of during install.
Leave the install as is. 'default install'
Now remember the line.
"Four years without a remote hole in the default install"
Hire a team of people to start looking for REMOTE root exploits. Compare your findings to
the list of bugs on the openbsd.org web site.
Report your findings back to us. Report your findings on the web.
Report your findings to CNN.
Call Bill Gates and give him the wonderful news.
If you find a remote root exploit in any of these installs
you will receive a huge thank you from the openbsd community.
We want to know as badly as you do when there is a problem.
If you are upset that the default install does not have
a bunch of 3rd party apps running,
well then you are missing the point.
For me, the default install of OpenBSD is a foundation
on top of which I build my network. A foundation that I can trust.
Anything I do after the default install is MY problem.
It becomes MY responsibility to maintain the level of security that
I feel comfortable with.
At what point does an install of OpenBSD become vulnerable to a remote root exploit?
Enable httpd ?
Set up and run Postgres ?
Enable and configure pf ?
You tell us.
Report your findings and we will all be grateful. Really.
Funny thing is, even if you find a few remote root exploits I will be more than happy sticking by an OS that can claim,
'Three remote holes in the default install in the last 5 years'
By Anonymous Coward () on
By Anonymous Coward () on
This may say something about it:
17 different OS's since 04/2000
18510 time(s) a "Windows" Host has been defaced, which is 58.329% of all archived defacements
22 time(s) a "OpenBSD" Host has been defaced, which is 0.069% of all archived defacements
864 time(s) a "FreeBSD" Host has been defaced, which is 2.723% of all archived defacements
Note: Stupid administrators can make even the most secure OS insecure.
By Unknown Bovine Keeper () on
Even if these 22 were root compromises, I'll still take OpenBSD and its approach to security and fixing problems over any other OS. Nothing's perfect but OpenBSD gets much closer than most in my book.
By Anonymous Coward () on
I would trust a decent FreeBSD/Windows admin to lock down a box rather than a wet-behind-the-ears admin flapping his OpenBSD CDs about.
By Cow in a Sled () on
I look at it this way, the best-locked-down Windows box has a better chance of getting hacked, over the default OpenBSD, because of Theo and crew paying attention to the stuff.
By Anonymous Coward () on
By Anonymous Coward () on
Me, I'd love to see stats on the *fraction* of servers compromised by OS alongside the actual number of servers compromised. Might give a better idea of relative risk.
By Yet another AC () on
By Chris () on
I'd just like to ask a SIMPLE question here. I note a lot of people are having a go at OpenBSD for a lot of things, but I ask why?
Has anyone here been remotely or locally compromised? If so, HOW? Was it your fault for not doing something correctly, or was it an obscure buffer overflow in ssh or something like that...? Be honest.
Personally: sit down, think things over logically and work out the issues, how it affects you, and see if anyone else has the problem BEFORE bitching. Then work to RESOLVE the problem and share the good. Complaining doesn't help, whereas constructive comments and bug reports do :-)
I say the OpenBSD team are doing a damn good job. Full stop.