FreSSH bugs undiscovered for years threaten OpenSSH security

Researchers can disclose two brand-new vulnerabilities in OpenSSH now that patches have been released. Qualys discovered the bugs in January, per its disclosure timeline. These vulnerabilities allow miscreants to perform machine-in-the-middle (MitM) attacks on the OpenSSH client and pre-authentication denial-of-service (DoS) …

  1. Adam Trickett

    updates

    All my running boxes have just been updated. A few sleeping boxes yet to do.

    The treadmill continues...

    1. Guy de Loimbard Silver badge

      Re: updates

      If you work in this field, I think you should have a reasonably confident expectation that you have some job security....

      Treadmill indeed my friend!

    2. Anonymous Coward

      Re: updates

      The treadmill continues...

      That's probably overly complacent. Bugs in "treadmill" will no doubt require you to upgrade to treadmill++ at some point.

      1. sev.monster Silver badge

        Re: updates

        If you upgrade to our new Treadmill Pro Silver Subscription, you also get a free T-shirt! Only $9.99/mo! (limit one per customer)

        1. molletts

          Re: updates

          Careful examination of the copious small print reveals that the free T-shirt is, in fact, the only benefit of the Treadmill Pro Silver Subscription when compared with the basic version and that there is a minimum contract period of 5 years...

          (Oh, crap! I should have posted this anonymously! Their lawyers will be all over me - I had to sign an NDA before I could view the T&Cs of the contract!)

  2. Apocalypso - a cheery end to the world

    FreSSH ... regreSSHion

    <https://www.thefreedictionary.com/words-containing-ssh>

    According to the above there are 262 words containing SSH so only 261 more bugs allowed and then it can be declared bug free!

    1. Korev Silver badge

      Re: FreSSH ... regreSSHion

      SSH be quiet!

  3. O'Reg Inalsin

    Memory based bug or not?

    1. that one in the corner Silver badge

      > Memory based bug or not?

      The explanation referenced by TFA shows that the answer to your question is:

      NOT!

      (Well, assuming by "Memory based bug" you meant buffer overflow or the like, as is all the rage at the moment; the problem is in the logic of setting variables that are used as success/failure return values, and as those variables are, indeed, in memory (in fact, on the stack!) then you could push the definition to breaking point and say "the error occurs in setting a value in memory"!)

      1. O'Reg Inalsin

        Good read, thanks! So one of the bugs is that `verify_host_key` returns a non-zero number to indicate an error, but `verify_host_key_callback`, which calls `verify_host_key`, only checks for errors equal to -1, meaning that errors with values >0 are ignored.

        Two things I learned from the recent comments on the Reg article on Rust, Torvalds, and Hector Martin - After clash over Rust in Linux, now Asahi lead quits distro, slams Linus' kernel leadership

        - one reason for rejecting C++ in the Linux kernel was that C++ makes extensive use of exceptions to indicate errors. My POV wrt this bug: While exceptions certainly carry some risks, it is also true that exceptions would have avoided this particular bug, just because exceptions are so explicit and simple and all errors can be handled at a single point, instead of having to possibly go through several levels of return value transformations that don't offer extra value.

        - the advantage of not having to define strict internal interfaces because it allows more flexibility and speeds up development. My POV wrt this bug: Well, I probably don't need to say any more about how that failed here.

        1. Lee D Silver badge

          You know what would also have avoided this bug?

          Using a type for error returns.

          1. Snake Silver badge

            But they didn't. And nobody caught on to that for years.

            1. Alan Brown Silver badge

              And doubtless there are thousands of packages with the same coding error to be discovered.

              Once upon a time it used to be standard practice to run lint checks on code before distributing it
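An added illustration of the return-value mismatch O'Reg Inalsin describes above (a callee that signals failure with any non-zero value, a caller that only treats -1 as failure) together with Lee D's point about using a type for error returns. This is constructed example code, not OpenSSH's source: the function names, the enum, the scenario numbers and the positive error codes are all assumed for the demo, and the "fixed" caller shows the generic `!= 0` check, not the actual OpenSSH patch.

```c
/* Constructed model of the bug pattern discussed in the thread.
 * Not OpenSSH code; names and values are assumed for illustration. */
#include <stdio.h>

/* Giving the error return a type makes the contract visible at the call
 * site: 0 is success, everything else is a failure, and not every failure
 * is -1. (Hypothetical enum, not from OpenSSH.) */
enum hostkey_result {
    HOSTKEY_OK = 0,
    HOSTKEY_GENERIC_ERROR = -1,   /* the only value the buggy caller checks */
    HOSTKEY_MISMATCH = 1,         /* constructed positive error code */
    HOSTKEY_UNKNOWN = 2           /* constructed positive error code */
};

/* Stand-in for the callee: returns 0 on success, non-zero on failure.
 * The scenario argument just selects which outcome to simulate. */
static enum hostkey_result verify_host_key(int scenario)
{
    switch (scenario) {
    case 0:  return HOSTKEY_OK;
    case 1:  return HOSTKEY_GENERIC_ERROR;
    case 2:  return HOSTKEY_MISMATCH;
    default: return HOSTKEY_UNKNOWN;
    }
}

/* Buggy caller: only -1 is treated as failure, so any positive error code
 * falls through and the host key is accepted. Returns 1 if accepted. */
int callback_buggy(int scenario)
{
    int r = (int)verify_host_key(scenario);
    if (r == -1)
        return 0;   /* rejected */
    return 1;       /* accepted, including every r > 0 */
}

/* Fixed caller: any non-zero result is a failure. Returns 1 if accepted. */
int callback_fixed(int scenario)
{
    int r = (int)verify_host_key(scenario);
    if (r != 0)
        return 0;   /* rejected */
    return 1;       /* accepted only on HOSTKEY_OK */
}

int main(void)
{
    /* Walk all four constructed scenarios and show where the two callers
     * disagree: scenarios 2 and 3 are accepted by the buggy caller only. */
    for (int s = 0; s < 4; s++)
        printf("scenario %d: buggy=%s fixed=%s\n", s,
               callback_buggy(s) ? "accept" : "reject",
               callback_fixed(s) ? "accept" : "reject");
    return 0;
}
```

The point of the enum is the one Lee D makes: once the callee's return is a named type, a reviewer (or a compiler warning on a `switch` that fails to handle every enumerator) has a chance of noticing that the caller only compares against one of the failure values.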

  4. Roger Kynaston

    Hrmm

    I'll be interested to see how quickly Tim (baked apple) Cook gets moving.

    1. DS999 Silver badge

      Re: Hrmm

      They aren't that important that you need to "get moving" all that quickly. When you need to drop everything and patch is when there's a remote exploit. A client-only MITM attack (one that's quite difficult to make happen without the hacker having access to the client) and a simple DoS (which are basically impossible to really protect yourself from) don't rate very high on the "hair on fire" scale.

  5. Bebu sa Ware

    Time to start using SSH certificates?

    Signing host keys would remove the need to consult known_hosts or the user or DNS - known_hosts marginally the least dodgy of the three IMHO. :)
