openssh < v3.7 vulnerability

Blaqb0x

Hi,

Has anyone released an OpenSSH patch for OSX? Not sure how easy it is to update OpenSSH on OSX from source.

#> ./configure
#> make && make install

Would that work?

thanx,
 
You have three options:

1) Patch existing source code:
If you have source installed for OpenSSH, you can apply this patch and recompile.

This is an unlikely situation on Mac OS X.

2) Download, compile, and reinstall.
This is the simplest. Download OpenSSH 3.7p1. Decompress, and make as usual (as you suggested).

3) Wait for Apple to issue an update.
If you're going to take this route, at least do the following:

If you're connected directly to the internet with your OS X box (no router or firewall), edit the file /etc/sshd_config and change the default port (so people who scan networks for ssh to exploit won't likely find you).

My file contains:
Code:
#Port 22
Port 9022

Which will make sshd only answer on port 9022.

So, shell to the host like this:
$ ssh -p9022 hostname

If you're behind a firewall, and have a bit of a network, just add a port like this:
Code:
Port 22
Port 9022

And only route port 9022 externally. This way, you don't have to specify a port number when you're just ssh'ing around in your private network.

Of course, you'll have to restart sshd once you make a change to the config file. You can just toggle it off and on in the System Preferences if you like.
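
A check for the two sshd_config variants in the post above, as an added example that is not part of the original thread. The function names `sshd_ports` and `listens_on_22` are hypothetical, and the script assumes ports are set only through whitespace-separated `Port` lines (no `ListenAddress host:port`).

```shell
#!/bin/sh
# Added example: report which ports an sshd_config makes sshd listen on,
# so an edit like the ones above can be verified before restarting sshd.

sshd_ports() {
    # $1: path to an sshd_config file. Prints the ports, sorted, on one line.
    awk '
        /^[ \t]*#/ { next }                  # comment lines such as "#Port 22"
        tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; found = 1 }
        END { if (!found) print 22 }         # sshd default when no Port is set
    ' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

listens_on_22() {
    # Succeeds if the config still has sshd answering on the well-known port.
    for p in $(sshd_ports "$1"); do
        [ "$p" = "22" ] && return 0
    done
    return 1
}

# Constructed sample input: the two config variants shown in the post.
demo=$(mktemp -d)
printf '#Port 22\nPort 9022\n' > "$demo/direct"      # box directly on the internet
printf 'Port 22\nPort 9022\n'  > "$demo/firewalled"  # box behind a firewall

for f in direct firewalled; do
    if listens_on_22 "$demo/$f"; then
        note="still answers on 22"
    else
        note="22 closed"
    fi
    echo "$f: $(sshd_ports "$demo/$f") ($note)"
done
```

For the firewalled variant the script reports that port 22 is still open, which is the case where the router must forward only 9022.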
 
BTW, OpenSSH has a second-generation patch - it's the aforementioned patch, and some new stuff.

I'll be patching my systems with the patch from openbsd.org.

I'm very surprised Apple still has not released an update.
 
kilowatt - unfortunately your suggestion of obfuscating the service by changing the port doesn't work all that well anymore - the latest release of nmap (released by coincidence the same day as the openssh vulnerability became known) now actually connects to each open port & determines what is running on it, rather than just going by well known ports.
 
The latest version of nmap doesn't typically scan EVERY port. Especially ports over 2000. nmap scans only 'known' ports. Unless you tell it otherwise, in which case it takes forever to scan one ip address. Anyone with malicious intent is more likely, imo, to run something like this:

nmap -F -p22 -P0 10.1-254.1-254.1-254

Unless someone really is out to hate your server (eg, they've been waiting for their chance). Then, you're probably screwed anyway.

That's interesting about nmap attempting to identify the service running - pretty intelligent, imo.

On my OpenBSD server however, when you scan it with nmap, it shows only one open port (sendmail). Everything else is so non-standard that it avoids most scans.
 
I need some help. Does it seem to anyone else that the new 10.2.8 update doesn't update sshd? When I turn on remote login my process viewer says /usr/sbin/sshd. When I check the version (/usr/sbin/sshd -v) it says 3.4.

So I thought I'd be cool and download the source from openssh.org which compiled flawlessly. Now I'm not sure how to get OSX to open this version located in /usr/local/sbin/sshd.

Does anyone know what I need to do to run this 3.7 version?
 
Sounds like you have already built and installed a new sshd. What I would do in this situation is back up Apple's provided sshd, and symlink your version over top of where Apple's is.

for example:
Code:
# mv /usr/sbin/sshd /usr/sbin/sshd.apple.old
# ln -s /usr/local/sbin/sshd /usr/sbin/sshd

That pretty much covers all the bases. Now just kill and restart sshd, or just reboot.

On OpenBSD, my patch didn't change the sshd version at all. What it did is go through the source code, and change the part that was exploitable. So, while you don't have whatever features are in sshd version 3.7.1 or whatever, you are still patched.
 
I'm glad it's fixed, even though the version number is still 3.4. I might try the symbolic link thing too... I tried copying the new one into the directory Apple uses and it couldn't find libraries and stuff but I guess a symbolic link should help that.
 