tlug: No vulnerability known in SSH-1.2.26 (fwd)
- To: "Tokyo Linux Users' Group" <tlug@example.com>
- Subject: tlug: No vulnerability known in SSH-1.2.26 (fwd)
- From: Scott Stone <sstone@example.com>
- Date: Wed, 4 Nov 1998 11:12:58 +0900 (JST)
- Content-Type: TEXT/PLAIN; charset=US-ASCII
- Reply-To: tlug@example.com
- Sender: owner-tlug@example.com
Interesting. From ssh's author..

--------------------------------------------------
Scott M. Stone <sstone@example.com, sstone@example.com>
Head of TurboLinux Development/Systems Administrator
Pacific HiTech, Inc (USA) / Pacific HiTech, KK (Japan)

---------- Forwarded message ----------
Date: Mon, 2 Nov 1998 10:33:29 +0200
From: Tatu Ylonen <ylo@example.com>
To: BUGTRAQ@example.com
Subject: No vulnerability known in SSH-1.2.26

-----BEGIN PGP SIGNED MESSAGE-----

As the original author of SSH I want to comment on the rumored vulnerabilities.

I have personally looked into the claimed vulnerabilities, including the ones reported by IBM, and do not have any reason to assume that there would be any vulnerability in ssh-1.2.26.

NO SUCH VULNERABILITY IS KNOWN. I repeat, I KNOW OF NO VULNERABILITY IN SSH-1.2.26.

The IBM-ERS report on ssh vulnerability turned out to be a false alert. They could not reproduce it after they recompiled their ssh and linux kernel.

I have personally checked all places where ssh displays debugging messages, log messages, or otherwise uses functions like sprintf. I was unable to find any vulnerabilities.

I have talked to people at both CERT and the IBM emergency response service and none of them seems to have any knowledge of any vulnerability in SSH.

In summary, to my best knowledge, ssh-1.2.26 can be safely used. Please communicate this information to the relevant people.

Brief history of events:

- On October 28, the rootshell.com home page was defaced by hackers. After the host was brought up to date, their front page contained information that listed the services that had been active, and mentioned that entry may have been made with ssh. (Note that this does not by itself indicate anything; password or other authentication may have been obtained at the other end)

- On October 29, a message about the rootshell case is posted to bugtraq and possibly other mailing lists. Many people took this as indication of a vulnerability in ssh.

- We looked at the rootshell case, and found no cause for alarm, but decided to be watching.

- On October 30, IBM sent a draft advisory reporting a buffer overflow vulnerability that could be used to gain root access to any host running ssh from anywhere on the Internet. The draft advisory was sent to at least CERT, FIRST, ssh-bugs, and a few other places.

- On October 30, several major computer manufacturers and their offices around the world were advising their customers to follow the situation, and possibly disable ssh for now. Some CERTs around the world issued preliminary alerts to their most important sites.

- I learn of the IBM advisory on October 31 at 2 AM. By 6 AM I've talked to both CERT and IBM Emergency Response Team, checked the code claimed to be at fault (finding no problem), and no-one seems to have any concrete information, and we conclude there is no cause for immediate alarm.

- By November 1, the IBM researchers who found the vulnerability in the IBM draft advisory have been reached. One of them says he never saw an exploit, and the other first said he had an exploit and he was going to send it over shortly, and the next day he said that he could no longer reproduce the problem after recompiling ssh. He does not appear to have an exploit after all.

- I've personally gone through all places where ssh1 passes information to sprintf, log_msg, or any other functions using sprintf. I found no security problems. I found one place where an argument to a format string was missing, but it is probably not exploitable, and one place where one byte less was allocated for a string than was used (only appears on Solaris). Neither of these have security consequences or are cause for alarm.

- On November 1, the IBM announcement for which IBM has already issued a cancellation is widely distributed by rootshell through their announcement list.

- Now at Morning November 2, I'm convinced (>99% sure) that both the rootshell issue and the IBM draft advisory were false alerts. We are also trying to track down the linux compilation problem that may have caused the false alert behind the IBM advisory.

We will issue an announcement as soon as possible if a real vulnerability is found.

For more information, please keep tracking http://www.ssh.fi/sshprotocols2.

Best regards,

Tatu Ylonen <ylo@example.com>

- --
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ipsec.com/
Free Unix SSH http://www.ssh.fi/sshprotocols2/

----------------------------------------------------------------
Next Nomikai: 20 November, 19:30 Tengu TokyoEkiMae 03-3275-3691
Next Technical Meeting: 12 December, 12:30 HSBC Securities Office
----------------------------------------------------------------
more info: http://tlug.linux.or.jp Sponsors: PHT, HSBC Securities