[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ale] OpenSSH root vulnerability
- Subject: [ale] OpenSSH root vulnerability
- From: glasher at nycap.rr.com (Glenn C. Lasher Jr.)
- Date: Sun, 10 Mar 2002 11:24:48 -0500 (EST)
Thanks for posting this. I saw it on /. also, but I didn't think to act
on it when I saw it. I have now upgraded all of my machines to 3.1.
On Thu, 7 Mar 2002, Transam wrote:
> Recent versions of OpenSSH -- including the newest -- have a just reported
> vulnerability that allow local users to make themselves root. If one uses
> OpenSSH to connect into a malevolent or compromised SSH server then root
> access to the client system can be gained as well. The possibility of
> a remote root vulnerability on any OpenSSH server system has not been
> ruled out.
> If you are not sure what version of SSH you are using and you are running
> on the server side, just do
> telnet yourself.com 22
> If you see
> or anything similar that includes "OpenSSH" then you are in danger.
> On the client side you can do
> ssh -V
> Either of these techniques also are supported for the non-Open version too.
> Consider using /etc/hosts.allow or IP Chains or IP Tables to limit
> access to your SSH server to trusted systems or simply turn off the
> server if not needed. Frankly, the Open version of SSH has suffered
> a lot of serious security vulnerabilities in the past 18 months or so
> and I must recommend against it in favor of the commercial version at
> http://www.ssh.com. Note that this latter version is free on Linux and
> they were the people who created SSH. They also have a nifty GUI-based
> Windows and Mac client that I am told is rather nice and only USD 99.
> This problem has been patched in OpenSSH 3.1, which has been released
> today (March 7, 2002). It appears that neither Red Hat nor Slackware
> have yet integrated this patch into their trees.
> * Flaw weakens Linux security software
> March 1st, 2002
> Programmers have found a vulnerability in Linux that could allow
> protective firewall software to grant malicious computer users access to
> protected networks. The flaw, which affects versions 2.4.14 through
> 2.4.18-pre9 of the Linux kernel, is in a component of the Netfilter
> firewall software.
> A Datamation Magazine survey of IT execs & SysAdmins picks the best
> software and hardware. This mag is not specific to any platform or
> hardware. The best product of 2001 was RH 7.2 as a Desktop. No
> Microsoft product even made the list. Point this out to your higher
> ups and associates:
> Bob Toxen
> transam at cavu.com [Bob's ALE Bulk email]
> bob at cavu.com [Please use for email to me]
> http://www.cavu.com [Network&Linux/Unix security consulting]
> http://www.realworldlinuxsecurity.com/ [My 5* book:"Real World Linux Security"]
> http://www.cavu.com/sunset.html [Sunset Computer]
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
glasher at nycap.rr.com
You've been programmed by the Illuminati not to see the word "".
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.