[FUG-BR] Security Advisories
Renato Botelho
garga em FreeBSD.org
Qua Mar 1 13:46:55 BRT 2006
On 3/1/06, Rodrigo Graeff <delphus em gmail.com> wrote:
> Estou tentando me informar melhor sobre os advisories envolvendo nfs e
> openssh porem elas nao existem no ftp geral do freebsd, alguem esta
> mais informado que eu e com tempo / saco de comentar sobre ?
Falae delphus,
Então, o do openssh afeta apenas o 5.3 e o 5.4, se você não tiver mais
5.x por aí pode ficar despreocupado.
II. Problem Description
Because OpenSSH and OpenPAM have conflicting designs (one is event-
driven while the other is callback-driven), it is necessary for
OpenSSH to fork a child process to handle calls to the PAM framework.
However, if the unprivileged child terminates while PAM authentication
is under way, the parent process incorrectly believes that the PAM
child also terminated. The parent process then terminates, and the
PAM child is left behind.
Due to the way OpenSSH performs internal accounting, these orphaned
PAM children are counted as pending connections by the master OpenSSH
server process. Once a certain number of orphans has accumulated, the
master decides that it is overloaded and stops accepting client
connections.
III. Impact
By repeatedly connecting to a vulnerable server, waiting for a
password prompt, and closing the connection, an attacker can cause
OpenSSH to stop accepting client connections until the system restarts
or an administrator manually kills the orphaned PAM processes.
IV. Workaround
The following command will show a list of orphaned PAM processes:
# pgrep -lf 'sshd.*\[pam\]'
The following command will kill orphaned PAM processes:
# pkill -f 'sshd.*\[pam\]'
To prevent OpenSSH from leaving orphaned PAM processes behind, perform
one of the following:
1) Disable PAM authentication in OpenSSH. Users will still be able to
log in using their Unix password, OPIE or SSH keys.
To do this, execute the following commands as root:
# echo 'UsePAM no' >>/etc/ssh/sshd_config
# /etc/rc.d/sshd restart
2) If disabling PAM is not an option - if, for instance, you use
RADIUS authentication, or store user passwords in an SQL database -
you may instead disable privilege separation. However, this may
leave OpenSSH vulnerable to hitherto unknown bugs, and should be
considered a last resort.
To do this, execute the following commands as root:
# echo 'UsePrivilegeSeparation no' >>/etc/ssh/sshd_config
# /etc/rc.d/sshd restart
Quando ao do NFS, esse afeta 4.x, 5.x e 6.x:
II. Problem Description
A part of the NFS server code charged with handling incoming RPC
messages via TCP had an error which, when the server received a
message with a zero-length payload, would cause a NULL pointer
dereference which results in a kernel panic. The kernel will only
process the RPC messages if a userland nfsd daemon is running.
III. Impact
The NULL pointer deference allows a remote attacker capable of sending
RPC messages to an affected FreeBSD system to crash the FreeBSD system.
IV. Workaround
1) Disable the NFS server: set the nfs_server_enable variable to "NO"
in /etc/rc.conf, and reboot.
Alternatively, if there are no active NFS clients (as listed by the
showmount(8) utility), simply killing the mountd and nfsd processes
should suffice.
2) Add firewall rules to block RPC traffic to the NFS server from
untrusted hosts.
[]s
--
Renato Botelho
_______________________________________________
freebsd mailing list
freebsd em fug.com.br
http://lists.fug.com.br/listinfo.cgi/freebsd-fug.com.br
Mais detalhes sobre a lista de discussão freebsd