On 3/1/06, Rodrigo Graeff <[EMAIL PROTECTED]> wrote:
> Estou tentando me informar melhor sobre os advisories envolvendo nfs e
> openssh porem elas nao existem no ftp geral do freebsd, alguem esta
> mais informado que eu e com tempo / saco de comentar sobre ?

Falae delphus,

Então, o do openssh afeta apenas o 5.3 e o 5.4, se você não tiver mais
5.x por aí pode ficar despreocupado.

II.  Problem Description

Because OpenSSH and OpenPAM have conflicting designs (one is event-
driven while the other is callback-driven), it is necessary for
OpenSSH to fork a child process to handle calls to the PAM framework.
However, if the unprivileged child terminates while PAM authentication
is under way, the parent process incorrectly believes that the PAM
child also terminated.  The parent process then terminates, and the
PAM child is left behind.

Due to the way OpenSSH performs internal accounting, these orphaned
PAM children are counted as pending connections by the master OpenSSH
server process.  Once a certain number of orphans has accumulated, the
master decides that it is overloaded and stops accepting client

III. Impact

By repeatedly connecting to a vulnerable server, waiting for a
password prompt, and closing the connection, an attacker can cause
OpenSSH to stop accepting client connections until the system restarts
or an administrator manually kills the orphaned PAM processes.

IV.  Workaround

The following command will show a list of orphaned PAM processes:

# pgrep -lf 'sshd.*\[pam\]'

The following command will kill orphaned PAM processes:

# pkill -f 'sshd.*\[pam\]'

To prevent OpenSSH from leaving orphaned PAM processes behind, perform
one of the following:

1) Disable PAM authentication in OpenSSH.  Users will still be able to
   log in using their Unix password, OPIE or SSH keys.

   To do this, execute the following commands as root:

# echo 'UsePAM no' >>/etc/ssh/sshd_config
# /etc/rc.d/sshd restart

2) If disabling PAM is not an option - if, for instance, you use
   RADIUS authentication, or store user passwords in an SQL database -
   you may instead disable privilege separation.  However, this may
   leave OpenSSH vulnerable to hitherto unknown bugs, and should be
   considered a last resort.

   To do this, execute the following commands as root:

# echo 'UsePrivilegeSeparation no' >>/etc/ssh/sshd_config
# /etc/rc.d/sshd restart

Quando ao do NFS, esse afeta 4.x, 5.x e 6.x:

II.  Problem Description

A part of the NFS server code charged with handling incoming RPC
messages via TCP had an error which, when the server received a
message with a zero-length payload, would cause a NULL pointer
dereference which results in a kernel panic.  The kernel will only
process the RPC messages if a userland nfsd daemon is running.

III. Impact

The NULL pointer deference allows a remote attacker capable of sending
RPC messages to an affected FreeBSD system to crash the FreeBSD system.

IV.  Workaround

1) Disable the NFS server: set the nfs_server_enable variable to "NO"
   in /etc/rc.conf, and reboot.

   Alternatively, if there are no active NFS clients (as listed by the
   showmount(8) utility), simply killing the mountd and nfsd processes
   should suffice.

2) Add firewall rules to block RPC traffic to the NFS server from
   untrusted hosts.

Renato Botelho
freebsd mailing list

Responder a