Test ID: | 1.3.6.1.4.1.25623.1.0.51521 |
Category: | Conectiva Local Security Checks |
Title: | Conectiva Security Advisory CLA-2002:500 |
Summary: | NOSUMMARY |
Description: | The remote host is missing updates announced in advisory CLA-2002:500.

OpenSSH[1] is a very popular and versatile tool that uses encrypted connections between hosts and is commonly used for remote administration.

The OpenSSH development team announced[2] that there is a serious remote vulnerability in this service and that there is no fix for this problem at this time. No further details have been released about the vulnerability.

OpenSSH 3.3, however, implements by default a new feature called PrivilegeSeparation that, according to the authors, prevents this and future vulnerabilities, or at least mitigates their impact severely. The OpenSSH team is strongly recommending that, even though this version does not fix the issue, all users upgrade as soon as possible due to this new security feature.

The PrivilegeSeparation[6] feature creates a new sshd process that handles the network traffic and interacts with the remote user. This process is unprivileged, running under an sshd userid and chrooted in an empty directory called /var/empty.

This is a new feature of OpenSSH and there are some pending issues (especially regarding PAM) that are being addressed:

- Authentication via KeyboardInteractive does not work with PrivilegeSeparation yet. This affects, for example, Kerberos5 logins with the SSH1 protocol.
- By default, data compression (UseCompression yes in sshd_config) cannot be used with PrivilegeSeparation in 2.2 kernels. The packages provided with this update, though, have a patch done by Solar Designer (developer from the Openwall[4] project) to address this and allow compression and PrivilegeSeparation in 2.2 kernels. But this issue is still being addressed by the OpenSSH developers.
- Expired passwords do not work with PrivilegeSeparation yet. Previously the user got the chance to change his/her expired password after logging in. With PrivilegeSeparation, the user is instantly denied access if his/her password has expired.

Again, it is important to note that the 3.3p1 version still has a vulnerability, but that the use of PrivilegeSeparation greatly mitigates its impact and is therefore a recommended upgrade.

The OpenSSH team is working hard to address these remaining issues with PrivilegeSeparation on several platforms, including GNU/Linux, and also in fixing the vulnerability. There will be other releases in the following days. In the meantime, the use of PrivilegeSeparation in this new OpenSSH release is strongly recommended.

Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade'.

http://www.openssh.com
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094&w=2
http://lwn.net/Vulnerabilities/3290/
http://www.openwall.com/Owl/
http://distro.conectiva.com.br/pipermail/seguranca/2002-June/002864.html
http://www.citi.umich.edu/u/provos/ssh/privsep.html
http://www.securityspace.com/smysecure/catid.html?in=CLA-2002:500
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002002

Risk factor : High |
Copyright | Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com |