Bug 510118 (openssh-rumor, openssh-rumour)

Summary: OpenSSH 0day rumor
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: atodorov, dgoodwin, djuran, dkovalsk, fche, flint42, iaslanidis, jchadima, jlieskov, mjc, nstrug, pamadio, pvn, ralph, rdassen, security-response-team, sgrubb, Stuart.Kirk, tmraz, vdanen, woodard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-22 01:02:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2009-07-07 18:42:18 UTC 
There are currently rumors of an OpenSSH 4.3 0day flaw being exploited in the wild.

http://www.webhostingtalk.com/showthread.php?t=873301
http://secer.org/hacktools/0day-openssh-remote-exploit.html
http://twitter.com/#search?q=openssh
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0028.html
http://isc.sans.org/diary.html?storyid=6742
http://lwn.net/Articles/340360/
Comment 6 Josh Bressers 2009-07-08 13:08:58 UTC 
The Red Hat Security Response team is aware of the unconfirmed rumour regarding a OpenSSH vulnerability.  We are continuing to monitor the situation for more information and to establish any real facts surrounding this issue.  Should it be found that there is an unfixed critical vulnerability of this type we will of course act immediately to address it.
Comment 7 Josh Bressers 2009-07-08 13:11:17 UTC 
OpenSSH upstream author Damien Miller has a good commentary regarding this issue:
http://marc.info/?l=openssh-unix-dev&m=124705272824524&w=2
Comment 8 Josh Bressers 2009-07-08 13:19:55 UTC 
*** Bug 510199 has been marked as a duplicate of this bug. ***
Comment 13 Mark J. Cox 2009-07-09 14:15:45 UTC 
Some more links:

SANS have classified this issue as a hoax:
http://isc.sans.org/diary.html?storyid=6760

Commentary from OpenSSH developer Damien Miller
http://www.itwire.com/content/view/26175/1090/
Comment 14 J.H.M. Dassen (Ray) 2009-07-13 09:10:22 UTC 
And more followup coverage:

"OpenSSH zero day exploit rumours not confirmed",
	http://www.heise.de/english/newsticker/news/141817

"OpenSSH update" (repost of Damien Miller's comments),
	http://lwn.net/Articles/340483/
Comment 15 Eugene Teo (Security Response) 2009-07-15 07:11:16 UTC 
WARNING: Besides the rumour, there is a fake 0pen0wn.c exploit being circulated around. Do not run it!

Thierry wrote an interesting blog post about it at:
http://blog.zoller.lu/2009/07/0pen0wnc-shellcode-dissasembled.html

It is a good practice not to run any exploit until you understand what the shellcode/payload does :)