Over the past 24 hours we've had a number of readers tell us that there is an OpenSSH exploit in active use. We cannot confirm its existence, other than a DOS exploit for OpenSSH that recently showed up on Milw0rm. If you have any concrete evidence of this (not rumors or URLs to blogs where people are discussing that there might be a problem) please let us know via our contact form. Again, no rumors and no links to discussions of rumors please. We need reports of active exploitation or other evidence that this is a real issue.
Marcus H. Sachs
Marcus 301 Posts ISC Handler Jul 7th 2009 |
Jul 7th 2009 1 decade ago |
Hi all,
I have received, since Sunday morning, at least 35 alerts coming from one of my Debian servers hosting Debian 5.0, related to ssh access attempts... It would be nice to give more updates on such attacks... How could we try to capture the worm/exploit? Best regards, Jean
Jean 5 Posts |
Jul 7th 2009 1 decade ago |
Actually, 4.3 *is* the latest RHEL/CentOS SSH version. openssh-server-4.3p2-29.el5 has been backported by RH engineers to supposedly patch all of the bugs that have since been disclosed up until the latest OpenSSH versions released by the OpenBSD project people. For enterprise stability purposes (which is why Gov and large businesses buy Red Hat) the versions and features are kept approximately the same as the original RHEL distribution release, but bugs are cleaned up. So if this vulnerability is valid, then possibilities include:
1. All OpenSSH versions are vulnerable
2. Unknown vulnerability was unwittingly patched as part of a version feature upgrade with newer-than-4.3 OpenSSH versions
3. Red Hat engineers failed to properly fix bugs with their backporting efforts.
- n3kt0n
Anonymous |
Jul 7th 2009 1 decade ago |
Is this rumor worth shutting down SSH access to customers? At what point can anyone able to create semi-plausible log snippets create a DOS?
>:( |
wade 3 Posts |
Jul 8th 2009 1 decade ago |
Presuming there is a threat to openssh-server-4.3p2-29.el5, does anyone know which dependencies would need to be met to update to 5.2p1?
Steven 3 Posts |
Jul 8th 2009 1 decade ago |
Perhaps this exploit is only valid for poorly configured sshd configurations. Hardening ssh and using something like fail2ban would certainly be advisable.
Steven 5 Posts |
Jul 8th 2009 1 decade ago |
Such stories, when spread, make people/admins panic even if there isn't any proof of such an issue.
To calm down, I encourage people/admins to use a port-knocking system, especially on their SSH service, at least for the meantime.
Anonymous |
Jul 8th 2009 1 decade ago |