People using OpenSSH CLIENT read here
-
SSH keys are an alternative to passwords: you generate a public and private key pair, give the remote server your public key, and keep the private key on your own computer. Then when you next login, the SSH server and client use the keys to identify and authorize you. If someone swipes your private key, they can log in as you – it's as if they stole your password.
"When there's a serious security bug in the remote access tool used by 70-plus per cent of the servers in the world, people sit up and take notice," said Kenn White, co-director of the Open Crypto Audit Project.
The bug lies in versions 5.4 to 7.1 of the OpenSSH client, specifically in a little-known default-enabled feature called roaming that allows you to restart an SSH session after the connection has been interrupted. The roaming code contains an information sharing flaw (CVE-2016-0777) and a mildly harmless buffer overflow (CVE-2016-0778) blunder.
Fixed quote because it was belgium impossible to read as a code block. - abarker
-
That'll teach ya.
-
Haven't people been told to disable the roaming feature in the past?
Not that I use an OpenSSH client. Server maybe, but not client.
-
This bug, while important, is being blown so far out of proportion I think it's leaving our universe.
-
is being blown so far out of proportion I think it's leaving our universe.
FINALLY! our experiments on superluminal tranmision of information has bourne fruit!
now we just have to figure out how to modulate the outrage to encode actual usable data.
-
I use putty. Do I have to care about this?
-
Shouldn't think so.
I use OpenSSH but AFAIK only ever to connect to servers I control, so I think I'm OK as well.
-
No...PuTTY is not OpenSSH (or OpenSSH-based).
-
-
This is pretty much my stance (though I use putty, I also only connect to servers I have absolute control over)
But theoretically it could be an issue for shared hosting godaddy accounts, since they allow shell with gov. id?
I'm sure it affects someone.
I guess an argument can be made that if your server gets compromised and elevated to remote code execution, they could create something to gather your legitimate SSH keys.
-
bourne fruit
I haven't seen that one. When did that come out, and should I assume it's a non-canonical side story about Jason's love affair with Ward during the Treadstone training?
-
.....
nonsequitur is non sequitur?
-
It's spell-sequitur. You of all people should be familiar with it by now.
-
The word you're looking for is "born". "Bourne" is the name of a movie
trilogyquadrilogyhey-we-found-some-more-IP-to-milk-ogy mostly starring Matt Damon.
-
What were the Bourne Shell spinoffs about again?
Filed under: Bourne Again Shell is a silly name for a sequel
-
The word you're looking for is "born".
-blink- it is?
Matt Damon.
-drool-he has a sexy butt....
could do with more assets in the brain area though.....
-
-
-
http://www.undeadly.org/cgi?action=article&sid=20160114142733
From what I've read so far:
- If your key is password-protected, attackers can only read (parts of) your encrypted key.
- If you only connect to known servers (and have host key checking enabled), you don't have to worry.
- If you start an interactive SSH session, you will be warned before the buggy feature is enabled.
- I haven't seen any proof that the memory region that can be read is likely to contain the key.
So: It's bad, but not as bad as it initially sounds.
-
No, that's a BabyBjörn.
-
The word you're looking for is "born".
Actually, in that usage, the correct (and no doubt otherwise archaic) spelling is "borne fruit".
-
The word you're looking for is "born".
That makes about as much sense as "Bourne fruit". Congratulations, you win at corrections.
-
-
Who would connect to random ssh servers? and why? (serious question)
-
Who would connect to random ssh servers? and why? (serious question)
People* who disable host key checking and therefore don't notice a MITM attack? Other than that: No idea.
*Idiots
-
That'll teach ya.
To fix security bugs? Yes. Yes it will.
I agree with Blakeyrat, we should all hail open source software.
-
Random servers, probably only people with malicious intent, or maybe security researchers/gov ghosts?
Known servers that got compromised, probably a much higher percentage.
-
*Idiots
... And every support engineer remotely fixing a problem for a client.Haven't done that kinda work in a while, and I don't think I've ever used client keys for authentication. But damn! How many more OpenSSH bugs are there going to be.
-
That's true, but those seem like a gray area on ownership / trust server, because that scenario is basically someone compromising a legitimate server. (Taken with salt)
(Thinking of services like Avaya dialer)
-
(Thinking of services like Avaya dialer)
I don't know what that is, or how it works. But if it's anything like the Avaya phone I have on my desk at work, even if I use it for 4 years, genuinely attempting to understand how it works, It'll still end up hanging up on every second person I try to transfer to someone else. And if someone pwns my desk phone, I don't care. I just hope it's a DOS attack.
-
That pretty much sums it up.
It's a modified Linux kernel with an Oracle database that has a bunch of t1 lines hooked into the server to allow for large scale phone dialing, typically used in collection companies.
Software ultimately passes the call to an agents desk phone (agents typically have Windows machines, so the software connects remotely to the server that manages inbound/outbound call availability, usually provided by a third party, though avaya has their own solutions too)
-
And if automated outbound call-centers were to somehow stop working this would be bad for society how?
I'm sure our sales / loans people have a that exact system. But i certainly feel there is a special place in hell for the engineer who first thought up the "predictive dialer". Not only does it make the recipient wait until there's someone free to take their call. The poor CSR is doesn't even get to catch his breath while dialing the next number, before having another irate
calleranswerer to deal with.
-
The poor CSR is doesn't even get to catch his breath while dialing the next number, before having another irate caller answerer to deal with.
Won't have to wait for me... As soon as I get dead air while being switched - click. You have 1 "Hello?" (maaaaybeeee 2) before I hang up. And with caller id, that's more likely to be "lift phone, replace" (home land line)
-
But damn! How many more OpenSSH bugs are there going to be.
There have actually been remarkably few OpenSSH security fails. Perhaps you're confusing it with OpenSSL, a different product developed by a different team, which has been a bit of a fail minefield.
-
Perhaps you're confusing it with OpenSSL, a different product developed by a different team, which has been a bit of a fail minefield.
strncpy(d, s, strlen(s))
is a special kind of stupid. even when it’s right, it looks wrong. replace with auditable code and eliminate many strlen calls to improve efficiency. (wait, did somebody say FASTER?) ok beck
-
Not sure if it's the firewall where I work, but I can't open that page.
-
Not sure if it's the firewall where I work, but I can't open that page.
Not a lot more on the page to be honest, copy at https://archive.is/s4cvT
The link to the diff on it the page itself is broken though (What's a
301
redirect?) - it should point to (currently) http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/d1_srvr.c.diff?r1=1.11&r2=1.12&f=h
-
Did they... just hoist the length to a global variable and continue calling strlen to populate it anyway?
-
to a global variable
Function-local. So strlen() only gets called at most once instead of up to 3 times.
-
strncpy(d, s, strlen(s))
"How do I shut up all those 'strcpy is unsafe' warnings without actually fixing my shit"?
-
@PJH said:
strncpy(d, s, strlen(s))
"How do I shut up all those 'strcpy is unsafe' warnings without actually fixing my shit"?
make 2>&1 | grep -v strcpy
-
"How do I shut up all those 'strcpy is unsafe' warnings without actually fixing my shit"?
Modify the source?
-
At least they didn't
#define strcpy(dst,src) strncpy(dst,src,strlen(src)+1)
.
-
The bad ideas thread is