Summary
The remote host is missing an update to ssh
announced via advisory DSA 134-1.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20134-1
Insight
Theo de Raadt announced that the OpenBSD team is working with ISS on a remote exploit for OpenSSH (a free implementation of the Secure SHell protocol). They are refusing to provide any details on the vulnerability but instead are advising everyone to upgrade to the latest release, version 3.3.
This version was released 3 days ago and introduced a new feature to reduce the effect of exploits in the network handling code called privilege separation. Unfortunately this release has a few known problems: compression does not work on all operating systems since the code relies on specific mmap features, and the PAM support has not been completed. There may be other problems as well.
The new privilege separation support from Niels Provos changes ssh to use a separate non-privileged process to handle most of the work. This means any vulnerability in this part of OpenSSH can never lead to a root compromise but only to access to a separate account restricted to a chroot.
Theo made it very clear this new version does not fix the vulnerability, instead by using the new privilege separation code it merely reduces the risk since the attacker can only gain access to a special account restricted in a chroot.
Since details of the problem have not been released we were forced to move to the latest release of OpenSSH portable, version 3.3p1.
Due to the short time frame we have had we have not been able to update the ssh package for Debian GNU/Linux 2.2 / potato yet.
Packages for the upcoming 3.0 release (woody) are available for most architectures.
Please note that we have not had the time to do proper QA on these packages
they might contain bugs or break things unexpectedly. If you notice any such problems please file a bug-report so we can investigate.
This package introduce a new account called `sshd' that is used in the privilege separation code. If no sshd account exists the package will try to create one. If the account already exists it will be re-used. If you do not want this to happen you will have to fix this manually.
Severity
Classification
-
CVE CVE-2002-0639, CVE-2002-0640 -
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities