In a posting to bugtraq, Theo de Raadt says that using privilege separation, this new vulnerability cannot be exploited.
The SuSE security team is working on creating OpenSSH updates with privilege separation enabled, and testing this functionality. We will release updated RPMs on FTP as they become available.
In the meanwhile, we suggest that
- if you do not need external access to your SSH daemons, turn off the SSH service on these machine completely, or block external access at the firewall.
- if you do need extern access to your SSH daemons, make sure you restrict the hosts that it will talk to by setting appropriate firewall rules.
If, for some reason, you cannot configure your firewall to block external SSH access, you can also restrict access through /etc/hosts.allow; the following will allow connections from hosts with IP addresses 22.214.171.124 and 126.96.36.199 while disallowing any other connections.
sshd : 188.8.131.52 : allow
sshd : 184.108.40.206 : allow
sshd : ALL : deny
It is not clear however whether this is really effective because we do not know anything about the vulnerability at all.
Olaf Kirch from SuSE Security team noted the following on suse-security-announce mailing list:
ISS and the OpenSSH team just released advisories concerning the OpenSSH vulnerability. These advisories state that the vulnerability exists only if the package has been compiled with support for S/Key or BSDAUTH authentication. Inspecting the patches included in the OpenSSH advisory however show that there is a second vulnerability that can be exploited when interactive keyboard mode is enabled (via the PAMAuthenticationViaKbdInt option in sshd_config).
Neither S/Key or BSDAUTH were enabled in previous RPMs released by SuSE (i.e. the OpenSSH 2.9.9p2 RPMs previously released on March 6, and the OpenSSH 3.0.2p1 RPMs released with SuSE Linux 8.0). Support for interactive keyboard mode is compiled in, and is off by default in recent RPMs. However, it can be enabled by the administrator.
Which means that, in the default configuration, SuSE Linux users are not affected by this vulnerability.
We will release another set of RPMs that fix this vulnerability soon.
03.07.2002 - OpenSSH kbd-interactive Buffer Overflow
by Global InterSec Research
It is the current belief of many that exploiting the recently disclosed vulnerabilities in OpenSSH's challenge-response routines is reliant upon a system's use of BSD's authentication mechanisms and therefore restricts the platforms on which this vulnerability may be exploited.
This is almost certainly due to various advisories posted to various fora by unnamed security companies.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.