North American Network Operators Group
RE: new openssh issue
As promised, our advisory:

http://xforce.iss.net/xforce/alerts/id/144

Regards,

===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
firstname.lastname@example.org
404-236-3160

Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================

-----Original Message-----
From: Ingevaldson, Dan (ISS Atlanta)
Sent: Tuesday, September 16, 2003 4:01 PM
To: Valdis.Kletnieks@vt.edu; Richard A Steenbergen
Cc: William Allen Simpson; email@example.com
Subject: RE: new openssh issue

ISS X-Force discovered this vulnerability and our advisory will be released shortly. We were working to determine the full scope of the vulnerability before we notified the vendor. Unfortunately, someone else found the flaw and began to discuss it using specifics. That caused us to push forward our disclosure.

Typically, when we do X-Force Advisories, we have developed an in-house, functional exploit (not proof of concept) in order to verify the exact nature and scope of the issue. We have not done so in this case. Right now it is undetermined if the issue is exploitable on *any* platform. It may turn out that it may be exploitable on every platform.

This issue is serious enough that it should be addressed on all platforms as quickly as possible. I'll forward our Advisory to the list when it is public.

Regards,

===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
firstname.lastname@example.org
404-236-3160

Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================

-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Tuesday, September 16, 2003 3:50 PM
To: Richard A Steenbergen
Cc: William Allen Simpson; email@example.com
Subject: Re: new openssh issue

On Tue, 16 Sep 2003 15:33:03 EDT, Richard A Steenbergen said:

> > patched, but does anybody know whether there's a problem with the
> > criscos? (as in "how do I configure my router for that?" ;-)
>
> Or better yet, the OpenSSH running on Junipers? Nothing on Juniper's site
> about a vulnerability so far.

A posting to full-disclosure quotes Theo as saying HP and Cisco are affected, and I don't see any reason that Juniper would *NOT* be, given the common code base of the OpenSSH implementations.

I'm not going to say the routers are vulnerable, but I *would* say that ACLs blocking port 22 to the router might be a good idea.....