[Ti] more 10.2.8 and car analogies

Jesse Brown jesse.brown at mac.com
Thu Oct 2 07:36:56 PDT 2003


On 10/2/03 9:21, "Chris Olson" <chris at astcomm.net> wrote:

> Oh, really?  YOU'RE the one that's uninformed.  I don't give a rat's
> arse whether or not you enable "remote login".  The vulnerability
> involves a buffer mismanagement problem whereby an attacker can gain
> root access to the machine via the sshd user process.

The Buffer Management bug you refer to has not been proven to be exploitable
but a patch was released anyway to ensure any discovered holes are plugged.
In any case, gaining root access is not the issue with the buffer management
bug.

<http://www.openssh.com/txt/buffer.adv>

More information was available in the CERT Advisory:

<http://www.cert.org/advisories/CA-2003-24.html>

> Mac OS X 10.2.8 contains the patches to address CVE CAN-2003-0693,
> CAN-2003-0695, and CAN-2003-0682. On Mac OS X versions prior to 10.2.8, the
> vulnerability is limited to a denial of service from the possibility of
> causing sshd to crash. Each login session has its own sshd, so established
> connections are preserved up to the point where system resources are
> exhausted by an attack.
> 
> To deliver the update in a rapid and reliable manner, only the patches for
> CVE IDs listed above were applied, and not the entire set of patches for
> OpenSSH 3.7.1. Thus, the OpenSSH version in Mac OS X 10.2.8, as obtained via
> the "ssh -V" command, is:
> OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f

Combine this with Port 22 off by default and you do not have a major
security issue.

Also, I took the time to read up a little on this type of exploit and it's
not clear to me (or the folks who wrote and maintain OpenSSH) how someone
could actually accomplish an attack of this sort.

If you have a need for real-time security on this issue then you could
always download the entire OpenSSH 3.7.1 package and install it now, thereby
eliminating the problem. Otherwise, I don't think the average home/small
office user is going to have a problem.

-- 
Jesse

"Life is hard. It's even harder if you're stupid." -- John Wayne
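
The following is an added example, not part of the original post or of any vendor tooling: because the 10.2.8 build keeps the 3.4p1 version number and only appends the CVE id, a check that compares version numbers alone would flag a patched machine. The function names, verdict labels and the second and third sample banners are assumptions made for illustration.

```python
import re

# Per the post, installing OpenSSH 3.7.1 eliminates the problem.
FIXED_RELEASE = (3, 7, 1)
# CVE id that the quoted vendor note says is appended to the 10.2.8 banner.
BACKPORT_TAG = "CAN-2003-0693"

# OpenSSH_<version>[p<portable level>][+TAG[+TAG...]]
BANNER_RE = re.compile(
    r"OpenSSH_(?P<ver>\d+(?:\.\d+)+)(?:p\d+)?(?P<tags>(?:\+[A-Za-z0-9-]+)*)"
)


def classify_banner(banner):
    """Classify `ssh -V` output as 'fixed-release', 'backported',
    'no-marker' or 'unknown' (not an OpenSSH banner)."""
    m = BANNER_RE.search(banner)
    if m is None:
        return "unknown"
    ver = tuple(int(part) for part in m.group("ver").split("."))
    ver += (0,) * (3 - len(ver))  # so 3.7 compares as 3.7.0
    tags = [t for t in m.group("tags").split("+") if t]
    if ver >= FIXED_RELEASE:
        return "fixed-release"
    if BACKPORT_TAG in tags:
        return "backported"
    # Older than the fixed release and no backport tag in the banner.
    return "no-marker"


# First banner is the one quoted in the post; the rest are constructed samples.
SAMPLE_BANNERS = [
    "OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f",
    "OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f",
    "OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090609f",
]


def audit(banners):
    """Return (banner, verdict) pairs for a list of banner strings."""
    return [(b, classify_banner(b)) for b in banners]


if __name__ == "__main__":
    for banner, verdict in audit(SAMPLE_BANNERS):
        print(f"{verdict:14} {banner}")
```

A "no-marker" verdict only means the banner shows neither the fixed release nor the backport tag; it does not prove the build is unpatched.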


