Sun flubs another SSH patch

June 17, 2008

I haven't been involved with Solaris 9 for a while now, so I have no idea if they've fixed the Solaris 9 SSH patch problem by now (although I certainly hope they have). But I was recently heartened to discover that Sun is perfectly capable of fumbling Solaris 10 SSH patches as well.

Sun recently released patch 126134-03, 'sshd patch', for Solaris 10 x86, in order to fix CVE-2008-1483, where the fun semantics of IPv6 versus IPv4 let an attacker hijack forwarded X sessions. Unfortunately, if you install this patch on a system without IPv6 enabled, you lose the ability to forward X at all.

(Instead, sshd syslogs the message error: Failed to allocate internet-domain X11 display socket. What it really means is that it failed to allocate any IPv6 listening sockets because you don't have IPv6 enabled, and it refuses to fall back to IPv4.)
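The allocation policy at issue, as an added example rather than Sun's or OpenSSH's code: a display number is rejected when any address family reports a conflict, but a family the host lacks is skipped instead of failing the whole allocation. The `try_listen` hook, the simulated hosts, and the choice of errno values treated as "family absent" are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

enum { FAM_V6, FAM_V4, NFAM };  /* stand-ins for AF_INET6 / AF_INET */

/* Hypothetical hook: try to listen on one family for X display `d`.
 * Returns 0 on success, else an errno value. */
typedef int (*try_listen_fn)(int family, int d);

/* Assumption: these errno values mean "this host lacks the family". */
static int family_absent(int err) {
    return err == EAFNOSUPPORT || err == EADDRNOTAVAIL;
}

/* Returns the display number allocated, or -1. With tolerate_absent == 0
 * every failure rejects the display (the behaviour the post describes). */
int allocate_display(try_listen_fn try_listen, int first, int last,
                     int tolerate_absent) {
    for (int d = first; d <= last; d++) {
        int bound = 0, conflict = 0;
        for (int fam = 0; fam < NFAM && !conflict; fam++) {
            int err = try_listen(fam, d);
            if (err == 0)
                bound++;
            else if (!(tolerate_absent && family_absent(err)))
                conflict = 1;  /* e.g. EADDRINUSE: someone owns the port */
        }
        /* Keep the hijack fix: never use a partially bound display.
         * Real code would close the sockets already bound here. */
        if (!conflict && bound > 0)
            return d;
    }
    return -1;
}

/* Constructed host: no IPv6 stack, no other listeners. */
int host_v4_only(int fam, int d) { (void)d; return fam == FAM_V6 ? EAFNOSUPPORT : 0; }
/* Constructed host: dual stack, another process holds IPv4 display 10. */
int host_v4_squatted(int fam, int d) { return (fam == FAM_V4 && d == 10) ? EADDRINUSE : 0; }
/* Constructed host: no usable address family at all. */
int host_none(int fam, int d) { (void)fam; (void)d; return EAFNOSUPPORT; }

int main(void) {
    printf("v4-only, strict:    %d\n", allocate_display(host_v4_only, 10, 12, 0));
    printf("v4-only, tolerant:  %d\n", allocate_display(host_v4_only, 10, 12, 1));
    printf("squatted, tolerant: %d\n", allocate_display(host_v4_squatted, 10, 12, 1));
    return 0;
}
```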

It is difficult for me to understand how Sun managed to screw this one up. The bug is not unique to Sun's version of SSH and other operating systems managed to get the fix correct, and the problem is uncovered in literally ten seconds of testing on one of the most common customer configurations of Solaris 10 x86. Somehow Sun either let it slip through anyways or decided that it didn't matter and they would release the patch with known issues and without any sort of warning (and I am not sure which option would be worse).

Unfortunately, there's a bigger issue here than Sun continuing their history of screwing up ssh; it is that this makes it clear that you cannot trust Sun security patches. Untrustworthy security patches are only slightly better than no security patches, and arguably they're worse; at least with no security patches you know clearly where you stand.

PS: if you want workarounds, the ones here might work.


Comments on this page:

From 128.100.48.224 at 2008-06-19 10:15:15:

"The bug is not unique to Sun's version of SSH and other operating systems managed to get the fix correct"

Did you actually test other systems without IPv6? This seems to be an OpenSSH bug, not a Sun SSH bug. The Linux box I tested, fully patched, no IPv6, fails the same way.

% ssh -X user@rhel5.linux
[rhel5]% echo $DISPLAY
[rhel5]% xdpyinfo
xdpyinfo: unable to open display "".

[rhel5]# tail /var/log/secure
sshd[6138]: error: Failed to allocate internet-domain X11 display socket.

By cks at 2008-06-19 17:31:13:

X forwarding definitely works on our Ubuntu 6.06 machines, which both have a patch for CVE-2008-1483 and have IPv6 turned off explicitly (because of past problems). X forwarding works for me when I clubbed a currently patched RHEL 5 test machine into turning off IPv6 (I had to take out the ipv6.ko loadable module file itself), but note that Red Hat claims RHEL 4 and 5 are not vulnerable to this CVE due to other changes and so did not issue an update for it.

My Fedora machines all have IPv6 turned on (it's the default, even on RHEL 5) so I can't test on it, but again Red Hat claims they're not vulnerable and thus not patched.

In short: if X forwarding doesn't work on RHEL 5, I think you're seeing another issue.

Written on 17 June 2008.
Last modified: Tue Jun 17 00:13:22 2008