Subject: ssh announces 'Debian' and package version in its banner.
Date: Fri, 22 Mar 2002 18:52:04 +0100 (CET)
Package: ssh
Version: 3.0.2p1-8
Severity: grave
ssh now announces 'Debian' in its banner, as well as the exact package
version number. This is a severe security problem: it lets outsiders know
exactly which distribution and packages I use, even more so since ssh has
suffered from several critical security problems recently.
Please leave the original version number untouched.
$ scanssh 172.16.6.0/24 | grep SSH
172.16.6.71 SSH-1.99-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8
172.16.6.72 SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-6
$
Cordialement,
--
Vincent RENARDIAS
Directeur Technique
StrongHoldNET / http://www.strongholdnet.com
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Fri, 22 Mar 2002 22:17:41 +0000
severity 139505 wishlist
merge 130876 139505
thanks
Vincent Renardias wrote:
>Package: ssh
>Version: 3.0.2p1-8
>Severity: grave
>
>ssh now announces 'Debian' in its banner, as well as the exact package
>version number. This is a severe security problem: it lets outsiders know
>exactly which distribution and packages I use, even more so since ssh has
>suffered from several critical security problems recently.
>
>Please leave the original version number untouched.
This has already been discussed at some length in bug #130876. See
especially
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=130876&msg=54, where
the ssh maintainer notes that he'd accept an offer to create and
maintain a patch creating a configuration option to allow this to be
changed.
Some people do find this behaviour useful as a means of letting network
administrators know that their machine is *not* vulnerable, since a
given Debian version has usually had more security patches applied to it
than the bare OpenSSH version advertised in the standard ssh banner.
--
Colin Watson [[email protected]]
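The disagreement above turns on one concrete question: given only what a remote scan sees, does the `Debian 1:3.0.2p1-8` suffix let an inventory tool tell a patched Debian package from an unpatched one that shares the same upstream string? The Python below is an added example, not part of the bug report or of Debian's ssh packaging. It parses scanssh-style `host banner` lines using the SSH identification-string layout (`SSH-<protoversion>-<softwareversion>[ <comments>]`), pulls out the Debian package version when present, and orders versions with a re-implementation of dpkg's comparison rules (epoch, then upstream and revision compared as alternating non-digit/digit runs, with `~` sorting first and letters before punctuation). The fixed-in version `1:3.0.2p1-7` is a constructed placeholder, not a real advisory boundary, and the `.73` and `.74` sample hosts are constructed as well; the first two lines are the ones quoted in the report.

```python
"""Added example: what an inventory scan can and cannot learn from the SSH
banner, with and without the "Debian <package version>" suffix.

Assumptions (not from the bug report): FIXED_IN is a constructed placeholder
for "the first Debian package revision that carries a given fix"; the .73 and
.74 scan lines are constructed too.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample input: the two scanssh lines quoted in the report plus two
# constructed hosts (an upstream-only banner and a non-OpenSSH daemon).
SAMPLE_SCAN = """\
172.16.6.71 SSH-1.99-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8
172.16.6.72 SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-6
172.16.6.73 SSH-2.0-OpenSSH_3.0.2p1
172.16.6.74 SSH-1.5-1.2.27
"""

# Constructed placeholder: assume the fix we care about first shipped in -7.
FIXED_IN = "1:3.0.2p1-7"

# SSH-<protoversion>-<softwareversion>, optionally followed by a space and comments.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# The Debian packaging appends "Debian <epoch:upstream-revision>" to the comments.
DEB_RE = re.compile(r"\bDebian (?P<ver>(?:\d+:)?[0-9A-Za-z.+~-]+)")


@dataclass
class Banner:
    host: str
    proto: str
    software: str
    debian_version: Optional[str]  # None when the banner carries no Debian suffix


def parse_scan_line(line: str) -> Banner:
    """Split one 'host banner' line from scanssh into its components."""
    host, _, banner = line.strip().partition(" ")
    m = BANNER_RE.match(banner)
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    deb = DEB_RE.search(m.group("comments") or "")
    return Banner(host, m.group("proto"), m.group("software"),
                  deb.group("ver") if deb else None)


def split_debian_version(v: str) -> Tuple[int, str, str]:
    """'1:3.0.2p1-8' -> (epoch 1, upstream '3.0.2p1', revision '8')."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def _char_order(c: str) -> int:
    # dpkg ordering for non-digit characters: '~' sorts before everything
    # (even end of string, which is 0), letters before non-letters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments with dpkg's alternating non-digit/digit rule."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i]) if i < len(na) else 0
            ob = _char_order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return oa - ob
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_debian_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg --compare-versions order)."""
    ea, ua, ra = split_debian_version(a)
    eb, ub, rb = split_debian_version(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def assess(banner: Banner, fixed_in: str = FIXED_IN) -> str:
    """Classify one host from its banner alone, as a remote scanner must."""
    if not banner.software.startswith("OpenSSH_"):
        return "other-software"
    if banner.debian_version is None:
        # Upstream-only banner: .73 cannot be told apart from .71 or .72.
        return "unknown"
    return "patched" if compare_debian_versions(banner.debian_version, fixed_in) >= 0 else "vulnerable"


def scan_report(scan_output: str = SAMPLE_SCAN, fixed_in: str = FIXED_IN) -> Dict[str, str]:
    """Map each scanned host to its assessment."""
    return {b.host: assess(b, fixed_in)
            for b in (parse_scan_line(l) for l in scan_output.splitlines() if l.strip())}


if __name__ == "__main__":
    for host, status in scan_report().items():
        print(f"{host:<14} {status}")
```

Run against the sample, `.71` comes out `patched` and `.72` `vulnerable`, while `.73`, which shows only the upstream `OpenSSH_3.0.2p1`, is `unknown`: the same information that lets an administrator clear a host is what the report's author objects to handing out. Either way, banner matching is only a first-pass inventory signal; the authoritative check remains `dpkg -l ssh` on the host itself, as the thread goes on to note.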
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 15:12:47 +0100 (CET)
severity 139505 grave
thanks
1/ A bug that lets anyone on Internet know precisely which ssh package
version I'm running can hardly be considered as 'wishlist'.
2/ How come this modification was introduced in the 1st place?! Doesn't
the Debian policy say not to make unnecessary modifications to the
upstream code? (And it seems to have been introduced recently)
3/ Network administrators who want to see if their network is vulnerable
or not should use 'dpkg -l ssh' (the "real" way to get an installed
package version).
4/ As rightfully said in bug report 130876, upstream is certainly unlikely
to accept such a dangerous (security-wise) patch. Therefore, just use the
upstream code as is.
On Fri, 22 Mar 2002, Colin Watson wrote:
> severity 139505 wishlist
> merge 130876 139505
> thanks
>
> Vincent Renardias wrote:
> >Package: ssh
> >Version: 3.0.2p1-8
> >Severity: grave
> >
> >ssh now announces 'Debian' in its banner, as well as the exact package
> >version number. This is a severe security problem: it lets outsiders know
> >exactly which distribution and packages I use, even more so since ssh has
> >suffered from several critical security problems recently.
> >
> >Please leave the original version number untouched.
>
> This has already been discussed at some length in bug #130876. See
> especially
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=130876&msg=54, where
> the ssh maintainer notes that he'd accept an offer to create and
> maintain a patch creating a configuration option to allow this to be
> changed.
>
> Some people do find this behaviour useful as a means of letting network
> administrators know that their machine is *not* vulnerable, since a
> given Debian version has usually had more security patches applied to it
> than the bare OpenSSH version advertised in the standard ssh banner.
>
> --
> Colin Watson [[email protected]]
>
--
Vincent RENARDIAS
Directeur Technique
StrongHoldNET / http://www.strongholdnet.com
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 14:24:22 +0000
On Mon, Mar 25, 2002 at 03:12:47PM +0100, Vincent Renardias wrote:
> 1/ A bug that lets anyone on Internet know precisely which ssh package
> version I'm running can hardly be considered as 'wishlist'.
The Internet can already tell precisely what upstream version of ssh
you're running. Given that successive Debian versions introduce more
security patches as a general rule, how is this a problem?
Evidently you consider the upstream version in OpenSSH's standard banner
(from upstream) to be a security problem.
> 3/ Network administrators who want to see if their network is vulnerable
> or not should use 'dpkg -l ssh' (the "real" way to get an installed
> package version).
Network administrators do not necessarily have access to the machine
itself. The case in point was Debian users repeatedly being told by the
administrators of their network that they had an insecure ssh (and so
filing bugs or pestering [email protected]) when they actually didn't.
> 4/ As rightfully said in bug report 130876, upstream is certainly unlikely
> to accept such a dangerous (security-wise) patch.
That wasn't the context of the remark in #130876.
--
Colin Watson (not the openssh maintainer) [[email protected]]
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 15:26:54 +0100
Vincent Renardias <[email protected]> writes:
> 1/ A bug that lets anyone on Internet know precisely which ssh package
> version I'm running can hardly be considered as 'wishlist'.
Why not? Do you fear that your clients will notice if you do not patch
vulnerable OpenSSH servers?
> 2/ How come this modification was introduced in the 1st place?! Doesn't
> the Debian policy say not to make unnecessary modifications to the
> upstream code? (And it seems to have been introduced recently)
The modification is a welcome improvement.
> 3/ Network administrators who want to see if their network is vulnerable
> or not should use 'dpkg -l ssh' (the "real" way to get an installed
> package version).
You know what the "network" in "network administrator" means, do you?
> 4/ As rightfully said in bug report 130876, upstream is certainly unlikely
> to accept such a dangerous (security-wise) patch. Therefore, just use the
> upstream code as is.
Why do you think this patch is dangerous?
--
Florian Weimer [email protected]
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 14:48:47 +0000
On Mon, Mar 25, 2002 at 03:12:47PM +0100, Vincent Renardias wrote:
> 1/ A bug that lets anyone on Internet know precisely which ssh package
> version I'm running can hardly be considered as 'wishlist'.
It also can't really be considered grave, unless changing the version
string has introduced an exploit in itself. One might equally well
suggest that not including the Debian revision is a serious problem
since it creates the false impression that people are running a
vulnerable version of SSH.
--
"You grabbed my hand and we fell into it, like a daydream - or a fever."
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 16:00:32 +0100 (CET)
On Mon, 25 Mar 2002, Florian Weimer wrote:
> Vincent Renardias <[email protected]> writes:
>
> > 1/ A bug that lets anyone on Internet know precisely which ssh package
> > version I'm running can hardly be considered as 'wishlist'.
>
> Why not? Do you fear that your clients will notice if you do not patch
> vulnerable OpenSSH servers?
For one thing, this patch allows anybody to know that the target is
running Debian.
On many of my servers, that's the only way to know that I'm running an up
to date Debian (all the default service headers are changed, and TCP/IP
fingerprinting is defeated by appropriate firewalling), so this
"feature" is ruining my efforts to keep the server "anonymous".
> > 2/ How come this modification was introduced in the 1st place?! Doesn't
> > the Debian policy say not to make unnecessary modifications to the
> > upstream code? (And it seems to have been introduced recently)
>
> The modification is a welcome improvement.
What's the next improvement planned? Show the account list? Add root's
password in the banner also?
> > 3/ Network administrators who want to see if their network is vulnerable
> > or not should use 'dpkg -l ssh' (the "real" way to get an installed
> > package version).
>
> You know what the "network" in "network administrator" means, do you?
The network administrators have other tools for this purpose (Applicative
Firewalls, Vulnerability scanners like Nessus, etc...)
> > 4/ As rightfully said in bug report 130876, upstream is certainly unlikely
> > to accept such a dangerous (security-wise) patch. Therefore, just use the
> > upstream code as is.
>
> Why do you think this patch is dangerous?
I don't "think" it is dangerous, it IS dangerous. Revealing the exact
package version allows anybody to know:
- the OS (Linux),
- distribution (Debian),
- path of installation of the most current tools,
- compilation options of ssh (Kerberos support?, etc.),
and that's definitely too much.
If this "feature" is SO useful, why don't packages like Exim, Apache,
Sendmail, etc. also print their Debian package number in their banner?
Still not convinced? Look at bugtraq archives (keywords: "information
disclosure"), and you'll see that even allowing to know something like the
web root directory is considered as a vulnerability.
Cordialement,
--
Vincent RENARDIAS
Directeur Technique
StrongHoldNET / http://www.strongholdnet.com
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 16:03:43 +0100 (CET)
On Mon, 25 Mar 2002, Mark Brown wrote:
> On Mon, Mar 25, 2002 at 03:12:47PM +0100, Vincent Renardias wrote:
>
> > 1/ A bug that lets anyone on Internet know precisely which ssh package
> > version I'm running can hardly be considered as 'wishlist'.
>
> It also can't really be considered grave, unless changing the version
> string has introduced an exploit in itself. One might equally well
> suggest that not including the Debian revision is a serious problem
> since it creates the false impression that people are running a
> vulnerable version of SSH.
No, it doesn't introduce a known exploit, but it may show in the future
which exploit to run against this machine.
It's enough to guarantee an inclusion in bugtraq's list of
vulnerabilities. Is this really what we want?
Cordialement,
--
Vincent RENARDIAS
Directeur Technique
StrongHoldNET / http://www.strongholdnet.com
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 15:06:51 +0000
On Mon, Mar 25, 2002 at 04:03:43PM +0100, Vincent Renardias wrote:
> On Mon, 25 Mar 2002, Mark Brown wrote:
> > On Mon, Mar 25, 2002 at 03:12:47PM +0100, Vincent Renardias wrote:
> > > 1/ A bug that lets anyone on Internet know precisely which ssh package
> > > version I'm running can hardly be considered as 'wishlist'.
> >
> > It also can't really be considered grave, unless changing the version
> > string has introduced an exploit in itself. One might equally well
> > suggest that not including the Debian revision is a serious problem
> > since it creates the false impression that people are running a
> > vulnerable version of SSH.
>
> No, it doesn't introduce a known exploit, but it may show in the future
> which exploit to run against this machine.
Please tell me how it shows this any more than the upstream version in
the standard banner.
> It's enough to guarantee an inclusion in bugtraq's list of
> vulnerabilities.
Please tell me how it guarantees this any more than the upstream version
in the standard banner.
--
Colin Watson [[email protected]]
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 17:08:24 +0000
On Mon, Mar 25, 2002 at 04:00:32PM +0100, Vincent Renardias wrote:
> On Mon, 25 Mar 2002, Florian Weimer wrote:
> > Vincent Renardias <[email protected]> writes:
> > You know what the "network" in "network administrator" means, do you?
> The network administrators have other tools for this purpose (Applicative
> Firewalls, Vulnerability scanners like Nessus, etc...)
You realise that many of the vulnerability testers actually just probe
the version number?
> Still not convinced? Look at bugtraq archives (keywords: "information
> disclosure"), and you'll see that even allowing to know something like the
> web root directory is considered as a vulnerability.
One could apply the same argument equally well to any disclosure of the
version number, including that done by default by SSH. If you're going
to get worked up about something get worked up about that.
--
"You grabbed my hand and we fell into it, like a daydream - or a fever."
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 18:12:42 +0100 (CET)
On Mon, 25 Mar 2002, Mark Brown wrote:
> On Mon, Mar 25, 2002 at 04:00:32PM +0100, Vincent Renardias wrote:
> > On Mon, 25 Mar 2002, Florian Weimer wrote:
> > > Vincent Renardias <[email protected]> writes:
>
> > > You know what the "network" in "network administrator" means, do you?
>
> > The network administrators have other tools for this purpose (Applicative
> > Firewalls, Vulnerability scanners like Nessus, etc...)
>
> You realise that many of the vulnerability testers actually just probe
> the version number?
Yes, and the default banner of SSH is enough for this purpose; no use to
add any extra information.
> > Still not convinced? Look at bugtraq archives (keywords: "information
> > disclosure"), and you'll see that even allowing to know something like the
> > web root directory is considered as a vulnerability.
>
> One could apply the same argument equally well to any disclosure of the
> version number, including that done by default by SSH. If you're going
> to get worked up about something get worked up about that.
SSH version number (default banner) is okay-ish. Deliberately adding the
distribution name & ssh package version is giving away too much
information.
Cordialement,
--
Vincent RENARDIAS
Directeur Technique
StrongHoldNET / http://www.strongholdnet.com
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Thu, 28 Mar 2002 13:00:50 +0000 (GMT)
> Vincent Renardias <[email protected]> writes:
> > On Mon, 25 Mar 2002, Mark Brown wrote:
> > On Mon, Mar 25, 2002 at 04:00:32PM +0100, Vincent Renardias wrote:
> > > On Mon, 25 Mar 2002, Florian Weimer wrote:
> > > > Vincent Renardias <[email protected]> writes:
> > > > You know what the "network" in "network administrator" means, do you?
> > > The network administrators have other tools for this purpose (Applicative
> > > Firewalls, Vulnerability scanners like Nessus, etc...)
> > You realise that many of the vulnerability testers actually just probe
> > the version number?
> yes, and the default banner of SSH is enough for this purpose; no use to
> add any extra information.
Why do you claim this, when the Debian version often has different (and
usually fewer) security problems than upstream with the same upstream
version number (thanks to the stable security update policy)?
> > > Still not convinced? Look at bugtraq archives (keywords: "information
> > > disclosure"), and you'll see that even allowing to know something like the
> > > web root directory is considered as a vulnerability.
> > One could apply the same argument equally well to any disclosure of the
> > version number, including that done by default by SSH. If you're going
> > to get worked up about something get worked up about that.
> SSH version number (default banner) is okay-ish. Deliberately adding the
> distribution name & ssh package version is giving away too much
> information.
How does adding this information actually make the system more insecure
than it already is?
--
Jonathan Amery. 'Be still, and acknowledge that I am God,
##### supreme over nations, supreme over the world.'
#######__o Yahweh Saboath is with us,
#######'/ our citadel, the God of Jacob. - Ps46:10-11 (NJB)