[2580] in Release_7.7_team
Re: Emergency Athena 8.4.20 patch release right now
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Feb 9 12:24:04 2001
Message-Id: <200102091723.MAA06609@egyptian-gods.MIT.EDU>
To: Christine Moulen <orbitee@MIT.EDU>
Cc: release-team@MIT.EDU
In-Reply-To: Your message of "Fri, 09 Feb 2001 09:25:06 EST."
<4.2.2.20010209092023.02f3b5c0@po11.mit.edu>
Date: Fri, 09 Feb 2001 12:23:56 -0500
From: Greg Hudson <ghudson@MIT.EDU>

> Would you know where I can get non-Athena-specific information on
> this security hole? We have a couple of non-Athena Solaris servers
> running sshd, and I run sshd on a Linux machine at home. I don't
> know whether they'd be affected.

They probably are. See one of the following URLs for more information:

http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98167297313258&w=2

The essential patch looks like this:

*** third/ssh/deattack.c.old Tue Mar 9 00:13:13 1999
--- third/ssh/deattack.c Thu Feb 8 17:48:29 2001
***************
*** 82,84 ****
static word16 *h = (word16 *) NULL;
! static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
register word32 i, j;
--- 82,84 ----
static word16 *h = (word16 *) NULL;
! static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
register word32 i, j;
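
Review bot: the widened declaration `static word32 n` has no comment saying why its width matters, while `h` on the line above is still `word16 *`, so a later reader could narrow `n` back to word16 to match it. Suggest a one-line comment on the declaration stating that `n` must hold the largest hash size without truncation, plus a check of any other 16-bit variable in this function that `n` is assigned to or compared with; `i` and `j` on the next line are already word32.
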
There is also a more theoretical sshd attack (in that it would require
about a million connections to your sshd to carry out) addressed in
8.4.20. See the following URL for more information:

http://www.mit.edu:8008/menelaus.mit.edu/bt/19064

The patch we applied for that attack was:

--- /mit/source-8.4/third/ssh/rsaglue.c Mon Mar 8 12:43:18 1999
+++ rsaglue.c Wed Feb 7 17:57:02 2001
@@ -249,7 +249,15 @@
mpz_clear(&aux);
if (value[0] != 0 || value[1] != 2)
- fatal("Bad result from rsa_private_decrypt");
+ {
+ static time_t last_kill_time = 0;
+ if (time(NULL) - last_kill_time > 60 && getppid() != 1)
+ {
+ last_kill_time = time(NULL);
+ kill(SIGALRM, getppid());
+ }
+ fatal("Bad result from rsa_private_decrypt");
+ }
for (i = 2; i < len && value[i]; i++)
;
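
Review bot: the arguments on the added line `kill(SIGALRM, getppid());` are reversed. The signature is kill(pid, sig), so as written this sends signal number getppid() to the process whose pid equals SIGALRM (typically 14) instead of sending SIGALRM to the parent; it should read `kill(getppid(), SIGALRM);`. Separately, if fatal() does not return, `last_kill_time` is set and then lost with the process, so the 60-second throttle in the `if` never takes effect in this process and would need to be enforced in the parent. A short comment saying what the parent is expected to do on SIGALRM would also help.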