[62196] in North American Network Operators' Group
RE: new openssh issue
daemon@ATHENA.MIT.EDU (Ingevaldson, Dan (ISS Atlanta))
Tue Sep 16 16:43:05 2003
Date: Tue, 16 Sep 2003 16:35:33 -0400
From: "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net>
To: <Valdis.Kletnieks@vt.edu>,
"Richard A Steenbergen" <ras@e-gerbil.net>
Cc: "William Allen Simpson" <wsimpson@greendragon.com>,
<nanog@nanog.org>
Errors-To: owner-nanog-outgoing@merit.edu
As promised, our advisory:
http://xforce.iss.net/xforce/alerts/id/144
Regards,
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
Daniel Ingevaldson
Engineering Manager, X-Force R&D
dsi@iss.net=20
404-236-3160
=20
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
-----Original Message-----
From: Ingevaldson, Dan (ISS Atlanta)=20
Sent: Tuesday, September 16, 2003 4:01 PM
To: Valdis.Kletnieks@vt.edu; Richard A Steenbergen
Cc: William Allen Simpson; nanog@nanog.org
Subject: RE: new openssh issue=20
ISS X-Force discovered this vulnerability and our advisory will be
released shortly. We were working to determine the full scope of the
vulnerability before we notified the vendor. Unfortunately, someone
else found the flaw and began to cause discuss it using specifics. That
caused us to push forward our disclosure. Typically, when we do X-Force
Advisories, we have developed an in-house, functional exploit (not proof
of concept) in order to verify the exact nature and scope of the issue.
We have not done so in this case. Right now it is undetermined if the
issue is exploitable on *any* platform. It may turn out that it may be
exploitable on every platform.
This issue is serious enough that it should be addressed on all
platforms as quickly as possible. I'll forward our Advisory to the list
when it is public.
Regards,
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
Daniel Ingevaldson
Engineering Manager, X-Force R&D
dsi@iss.net=20
404-236-3160
=20
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]=20
Sent: Tuesday, September 16, 2003 3:50 PM
To: Richard A Steenbergen
Cc: William Allen Simpson; nanog@nanog.org
Subject: Re: new openssh issue=20
On Tue, 16 Sep 2003 15:33:03 EDT, Richard A Steenbergen said:
> > patched, but does anybody know whether there's a problem with the=20
> > criscos? (as in "how do I configure my router for that?" ;-)
>=20
> Or better yet, the OpenSSH running on Junipers? Nothing on Juniper's
> site
> about a vulnerability so far.
A posting to full-disclosure quotes Theo as saying HP and Cisco are
affected, and I don't see any reason that Juniper would *NOT* be, given
the common code base of the OpenSSH implementations. I'm not going to
say the routers are vulnerable, but I *would* say that ACLs blocking
port 22 to the router might be a good idea.....
