OpenSSH flaw #23515 - what is the workaround, and is there an
exploit ?
Don Bowman
don at sandvine.com
Tue Sep 16 11:54:13 PDT 2003
From: Josh Brooks [mailto:user at mail.econolodgetulsa.com]
>
> 1. What is the workaround for this issue ? Be creative. Not
> everyone can
> update their userland in a normal fashion - and no, I won't
> sit here and
> justify that statement. Think embedded systems.
>
> 2. Is there really an exploit in the wild ? Any comments appreciated.
[from the yesterday posting to full-disclosure,
which has been fixed in cvs as
http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.
1.1.6&r2=1.1.1.7&f=h]
from the discussions on the exploit, it sounds like it needs
to hit you fairly often. You can set sshd to only start so
often [since they won't be able to authenticate presumably
they won't login].
You can use e.g. ipfw, hosts.allow to restrict access
to your subnets or whatever.
if privilege separation is used perhaps this helps, the
full disclosure list hadn't reached consensus on this yet.
Use the 'AllowUsers' to specify which users can access.
Not sure if this would help.
Try using 'VerifyReverseMapping' on the hopes that an
attacker wouldn't set this up?
More information about the freebsd-hackers
mailing list