Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
BSD Operating Systems

OpenBSD: 4 Years Exploit Free 51

Teknoenie writes: "Upon a recent visit to the OpenBSD website http://www.openbsd.org i noticed a nifty change. 4 years without a remote exploit in default install. I have to dish out a big congrats to the OpenBSD team. Great job guys." It seems good to mention as well that now's a good time to order OpenBSD 2.9 if you're so inclined, since it's scheduled to ship in three weeks.
This discussion has been archived. No new comments can be posted.

OpenBSD: 4 Years Exploit Free

Comments Filter:
  • by Anonymous Coward
    chris88 wrote:
    > I know of at least one remote SSH vulnerability that led to a root
    > exploit in any OpenBSD version before 2.8.

    teknoenie wrote:
    > is this something that can be proven to the openbsd team.

    Yes.

    OpenBSD 2.7 was vulnerabile about remote root exploit with the default install. Please look at this advisory [bindview.com] and compare it with the fix by openbsd [freebsd.org].

    cperciva wrote:
    > I'm not sure about this, but I think what they mean is that there
    > have been no vulnerabilities discovered before they were fixed

    Actually above exploit is fixed by NetBSD people before OpenBSD. You can confirm this by the cvs log [freebsd.org].

    bolverk wrote:
    > Well, we can force ssh _clients_ to do X11 forwarding... not a root
    > flaw, and not remote... so on to the next.

    The above problem is a remote root flaw. Due to the reason I don't know, this flaw is not listed in OpenBSD's security page. Perhaps OpenBSD people don't have an ability to know their security information unlike they claimed?

    Anyway, the "4 Years Exploit Free" message is just wrong.

  • by Anonymous Coward
    > The point is that this was fixed in OpenBSD before the advisory was released.

    If that is the point that "4 years exploit free" means, then FreeBSD and NetBSD should be better than OpenBSD, because they are 8 years exploit free (i.e. security holes are fixed in FreeBSD-current and NetBSD-current before advisories are released).

  • Just because we havent heard of any exploits for OpenBSD, doesnt mean they dont exist.

    I am just weary of the fact that there may be script kiddies out there with exploits for things that noone has found yet. This brings up the possibility of all OpenBSD releases being affected, purely because we dont know whats being exploited, and unless there are some extremely savvy systems administrators out there triple-checking their filesystems, and 24-hour surveilance ( overtime + ( time + 1/2 )! ), i doubt we'd know how.

    Just food for thought, for the masses..
  • Score: -1 (Flamebait)

    I really doubt that OpenBSD by default turns on any services that are useful...this is like saying MS-DOS is 15 years without a remote root exploit.

    What I'd find interesting with OpenBSD: are there any remote non-root exploits, that can be escalated to root by a seperate exploit after normal user access is granted, in the last 4 years?
  • No, you get a decent workable machine with no extraneous crud in it.

    That's the key, You pick what's right for you, rather than the RedHat "Kitchen Sink" approach.

    It can run the vast majority of Linux, FreeBSD, NetBSD, and SVR4 binaries. OpenBSD just rocks.

    grubby
  • Oh for chrissakes, as someone who's had his ass kicked under suspicion of being homosexual (done once to a friend of mine who looked very similar to me as well), I never thought while reading that post that he meant "that homosexual fish".

    -lx
  • So the claim only holds true if you're running the most current and patched version? In that case, there hasn't been a remote root hole in FreeBSD for years either, because they patch things after the vulnerability is reported. If you're running a current version, you're not vulnerable. I think it's pretty clear that the 4 year claim isn't true, as much as I like OpenBSD. Install 2.7, there's a remote root hole. That happened in the last 4 years.

    -lx
  • First of all, really few need to have a disc
    that is bootable on a sparc, that contains a
    mac68k-kernel and have precompiled stuff for
    pmax'es. Most people need the x86 files, and
    those files are *easily* ftp:d from the main
    ftp server, put on any cd9660 and then used from
    the floppy install. There is no *real* need to
    have the original ISO's if you want to grab
    obsd-for-your-pc for free. Secondly, as many
    will point out, it would be nice if you helped
    the project out with few few bucks that a real
    cd will cost you. Still, if you want to leech
    openbsd for your single platform, you'd be silly
    to download all other platforms. Noone ever
    downloads debian for m68k on their pc's just
    to have "the latest", do they? =)
  • i mean, if you're a script kiddie using scanning software to track down your target, surely you're going to target an OS that you're likely to hit pretty often? (ie probably redhat or windows)



    There are lettle or no exploits not only because OpenBSD is less used than Linux or Solaris but mostly because the are not holes to exploit. Read their claim: "Four years without a hole in the default install"

  • Huh?

    OpenBSD 2.7 was the first to have OpenSSH (or _any_ SSH in the default install, and you said "prior to 2.8" so let's have a look at the errata [openbsd.org] page to see just how full of s--t you are.

    Well, we can force ssh _clients_ to do X11 forwarding... not a root flaw, and not remote... so on to the next.

    The non-default UseLogin feature can cause an exploit on other operating systems. Nope... no problem there.

    And... the installer fails to set things up so ssh works at all on the m68k installer. So please, do tell... what the hell are you blabbering about?

  • I hear that. But consider, do you brag to people at parties that you drive happily along the highway in your volvo exactly on the speed limit when everyone else is speeding? Or do you just shut the hell up and heave spite on your reckless friends with your silence? Btw, I have OpenBSD on my laptop. It owns for way more reasons than just the security.

  • That's the whole harddrive.
  • wow.. you must be a private detective.
  • It's like walking around in the street with a sign on your back saying "I havn't stolen anything in 4 years" or "I havn't shot a dog in 4 years".. so what? You're not supposed to. If you did (that's you Microsoft/Sun/Redhat/etc) you should feel guilty about it and never do it again, but I hardly see why someone who does the right thing should feel like they are something special.
  • The youngest OpenBSD hacker is a girl. Check that link [claranet.fr] .
  • linuxhelp.net has them. If you like it order one and support the effort, I do.
  • I love OpenBSD more than most people, (Shown Here [upnix.com] and Here [uptimes.net]) but I know of at least one remote SSH vulnerability that led to a root exploit in any OpenBSD version before 2.8. It bothers me greatly that they'd put something I see as quite untrue on their front page.
  • by joq ( 63625 ) on Tuesday May 08, 2001 @12:49AM (#239619) Homepage Journal

    IMO OpenBSD defines what security should be in all operating systems. Its OS is highly scrutinized prior to any version being released, and the team reacts quickly at the slightest whiff about a security issue.

    After hanging out in #openbsd (/nick rwxr--r-- && sil) on the efnet for the past year or so, I've determined that most of the "hardcore" developers are extremely dedicated to making Open as secure as possible for the love of security strictly. I've met no troll developers looking to brag about getting OpenBSD to the level it is now.

    Sadly however, many people tend to think that OpenBSD is a one man show (Theo) and turn their distaste for one person into an OpenBSD bashing session. Its ironic many will try to bash the OS for that "one" person, and fill a forum or email thread with useless words never once focusing on the fact that OpenBSD is unrootable on a default installation something which no other OS can claim.

    greets to all the guys who work on the OS at their leisure their work is appreciated.

    rwxr--r--
  • I'm not sure about this, but I think what they mean is that there have been no vulnerabilities discovered before they were fixed -- that is to say, I think that root exploit you are talking about was fixed during routine code auditing before anyone realized that it could be exploited.

    But I don't keep up to date on OpenBSD stuff so I may be totally wrong here.
  • by DeepDarkSky ( 111382 ) on Wednesday May 09, 2001 @09:08AM (#239621)
    It would obviously not be as controversial, but I think that's a female fish...
  • You aren't the only person who has to struggle. I have suffered from abuse from pretty much my first day at school. You should perhaps try being Welsh in England, and see how far that gets. OK, as an adult you only get comments, but I spent years suffering things like being tied to a radiator (whilst turned on) and then beaten. Or smacked in the face by people who I thought were friends, just because other kids would laugh at the crying sheep shagger I still find the jokes made about welsh people funny, if they are funny.

    Look, I've obviously touched a raw nerve here, but I really do think you are over-reacting. The comment was about the fish, using a word which has been hijacked from it's (also hijacked) current meaning. It was not about gays.

    I also think that gays should also be game as the butt of jokes in the same way that straights are to gay comedians.

    As to one of your earlier comments, I think you will find that there was quite a high percentage of gays amongst the Nazi party. I know that the SA was more gay than straight.

  • You really have some problems that need to be sorted out. For one, you need to get some perspective on things. You also need to be a bit less two-faced (I mean condemning violence against gays, and then daring me to have a go if I think I'm up to it).



  • I wasn't whinging. I was just pointing out to you that even though you think you are the most put upon person in the world, and a member of the most persecuted group in the world, the reality is that you aren't, and you most certainly aren't alone.

    Also, calling a fish gay is not bigotry. At least no more than welshing on a bet is, and I've never complained about people using that phrase.

  • Nice to see that you're decent enough to apologise ;-)

  • More than two decades without a remote exploit in default install.

    :)

    Similarly for MS-DOS ;).

    Link.
  • So, I needed to build a firewall. I did a netinstall of openbsd, enabled forwarding between interfaces. Enabled ipf, and poof I was done. That bare bones install was pretty damn nice.

    Anyway, a good portion of things auto installed in OSes tend to be out of date. I would rather install the most current version, then mess with the old version, or the weird custom version (apache on mandrake).

    I like bare bones installs.

    Oh, and the last Sendmail root exploit was linux only.
  • I forgot how picky I need to be with my words on slashdot. The last public sendmail exploit that I know of was linux only. I am not a zealot for any OS. I mostly work with Solaris, and Free, with some Open, but I never said they were the best for any job. I was responding to the whole barebones default install for Open, and how I thought that was a good thing. That is all I am saying. I am not saying that all linux sucks, and is bloated. I will say that some linux distributions install way to much by default, but that is a diffrent matter. And yes, I am a professional. So to sum up, default of OpenBSD is good, if you want more stuff, thats what the ports tree is for.
  • Maybe it wouldn't be politically correct, but would it be legal to re-distribute OpenBSD ISO's? For free? (I.e. one buys the disc and rips it and puts it on ftp)

    If so, why isn't anyone doing? (Political thing?)
  • do you think it would irritate you if whenever an american bigot wanted to describe something as really pathetic, they'd use the term garethwi (or whatever your name is) to describe it?

    i don't mind jokes. i do mind having my sexuality used as a general descriptor for everything that's seen as lame and pathetic in this world. there is a difference between humour and offensive bigotry

    or perhaps you think that it's ok that people like me should feel hurt and humiliated by someone's comments just so long as people like you find the joke funny?

    and i have a fucking life (now at least, i had to pretty much fight for it having grown up at a time when guys fucking guys was seen as pretty unthinkable).

    =me= unclench? haha! (they don't call me slack alice for nothing mate)

    =me= fuck off? brave words from a little boy on the other end of a network connection? i suggest you come here and make me fuck off if you really think you're up to it mate?

  • by saintlupus ( 227599 ) on Tuesday May 08, 2001 @05:53AM (#239631)

    red hat linux - now three and a half days without an exploit!

    --saint
    ----
  • It actually is practical to make a bootdisk and install via ftp (unlike some other OS's that give you the option). Took about 20 minutes on DSL. So why waste your time grabbing an iso? (Yes, the source tree takes a little longer. That's where a CD comes in handy.)

    Trolls throughout history:

  • Actually, the first release to have OpenSSH or "_any_ SSH" was OpenBSD 2.6.

    This errata [openbsd.org] will show that SSH was in there for this release.
  • by account_deleted ( 4530225 ) on Tuesday May 08, 2001 @02:27PM (#239634)
    Comment removed based on user account deletion
  • They sell the CD for $30 with helps them pay for some necessary costs. (They also throw in some stickers or something.) It's much easier to install by FTP than it is to use a CD anyway, wich they recomend if you don't want to purchase their CD.
  • I like that fish better than the Linux penguin. My wife likes the fish a lot also.
  • Wouldn't it be more like a sign saying "I haven't had anything stolen from me in 4 years" or "I haven't been shot in 4 years" ? Leaving exploitable holes in one's code is exactly akin to your two analogies (it's not intentional), but more like doing something careless and having it happen to you.

    ...I am the Raxis.

  • If OpenBSD hasn't had a remote hole in four years then how the hell did somebody break in and deface the site with that gay-looking fish?

  • I always liked the old one (the one loaded down with weapons)... :)
  • And it takes a lot of work to make OpenBSD useful
    Yeah, you know... cd'ing to the ports section of the application you want and typing 'make install clean'. Phew. Hard work.

    which in turn makes it more vulnerable
    Uhm, third-party apps don't make OpenBSD itself more vulnerable. Its not like if you install wuftpd on an OpenBSD box, the internal crypto subsystem would stop working, or it would suddenly drop your kern.securelevel to -1. Its the job of the admin to check out any services they are running for known exploits, perhaps grep the code for insecure functions, and do some active penetration tests (standard overflows, format strings, etc).

    And don't tell me I don't know what I am talking about
    You don't know what you are talking about. :)

    I am a consultant who has installed OpenBSD on over 40 machines in 14 clients of the years
    Great, I have installed OpenBSD on over 200 boxen and converted more than 25 people who used to use other BSD's and other Unicies (Solaris, UnixWare).

    I don't see it doing more than the most basic Internet-facing stuff
    Ho ho ho... I don't know where to begin with this comment. For one, I don't understand how you see this stuff as basic. Have you ever looked at the core code in OpenBSD? I bet you've never written IPSEC code, or a mail server. Whatever you're doing, it's obviously wrong, because you can do anything on an OpenBSD box that you can do with a Linux box, with the exception of stuff like video games, but don't blame that on OpenBSD... blame that on video card companies and gaming companies for not porting their software to BSD.

    because the attitude of many of the chief OpenBSD developers turns off others who might work on the project
    I've talked with Theo on many occasions, whether it be a question about OpenBSD, or about drivers or donations, and he has been more than helpful, and has even included smiley faces in his email. Maybe youre the one coming off as an asshole?

    ---------------
  • What they mean is it has been four years since a remote root exploit was discovered in the default install of the currently released version. If you run extra services or an old version, that doesn't necessarily hold.

    As for their honesty, take the local root exploit in the default install recently discovered as an example. The problem was a format string error, and it had been noted and fixed in CVS before the exploit was discovered, however it was not considered a security problem, so no patch was issued. Upon discovery of the problem a patch was immediately issued. Anyone who updated immediately wasn't vulnerable. However, because a hole was discovered in the current release, they considered it a local root exploit and updated the claim accordingly.

    If they had issued a patch before any vulnerability was discovered, they would not have considered it a blemish on the record. The claim is valid, and the iterpretation is sensible, although perhaps it is not the best possible interpretation.

  • yeah, but the exploit affects openssh 2.2. openbsd 2.8 shipped with 2.3. and openbsd 2.8 came out quite a while before that advisory. so if you running a reasonably current version, you would have been safe.
  • the cd image is copyright theo. you can make your own iso with your own packages and distribute that for free, but the disk layout used by the official cd is copyrighted.

  • ... There are only no exploits in the default install. There have been a number of OpenBSD exploits.

  • The point is that this was fixed in OpenBSD before the advisory was released.
  • The problem is they say "default install". If you use the "default install" with OpenBSD, you have a big fat useless server with no services running. There have been multible exploits in services that are installed, but not started, by default.

    Lets keep it in mind that Theo et al are also a little slow to come forward with exploits. Most of the time they don't even make the openbsd.org page.


    -EvilMonkeyNinja
    a.k.a. Joseph Nicholas Yarbrough
    Security Grunt by Day
    Programmer by Night
  • ok. here goes.

    @#$@

    1)OpenSSH shiped with OpenBSD 2.7 is vulnerable to a remote root exploit.
    2)Sendmail is vulnerable to several exploits.
    3)To call me ignorant only shows your low knowledge. Perhaps you should learn a little more about Redhat. Kitchen sink is a quite good approach. I don't think you understand anything. Any real network admin has distro disks for servers. So what if it takes you 20 minutes to make he auto install disk... it's totally worth it when you have a *REAL* job and *REAL* deadlines. (Not some 3l33t college kid who takes 12 hours to build his machine.
    4)You are resorted to re-peating ignorate falcities at this point. Read up bitch so you don't embarass yourself. You so called "Network OS" is a wonderfull OS. I use it and love it. It is not worthy of any more flames than linux is. (windows perhaps) (definaly hurd)

    So this is a big fuck you just for you. Some blue balled teen... with nuttin to do.

    Maybe we can learn to get along a bit and stop being such an ignorant zealot. It's bullshit. All OSes have strengths and weaknesses. (Like most Linux distros auto install) I'm sick of arguing what is better. Get a job... and get a life.

    out.
    -EvilMonkeyNinja
    a.k.a. Joseph Nicholas Yarbrough
    Security Grunt by Day
    Programmer by Night
  • so? whats the difference between a slackware netinstall and a openbsd netinstall? slackware supports a curses interface. Just about the same functionality.

    Also, the sendmail exploit is not linux only. I have confimed the exploit on linux, open/net/freebsd and show very promising results on bsdi. I do not believe this is a known vulnerability.

    I think we are confused as to what "auto installed" means. I mean a custom set of pkg sets for slackware or a redhat install disk. What the hell are you talking about? :)

    So, I needed to build a firewall. I did a netinstall of slackware, enabled IPMasq, and added about 10 rules, and poof I was done. That bare bones install was pretty damn nice.

    I think people are far to zealotous about thier OS of choice. Also, so-called wierd custom versions are the best you can have. If you have a farm of webservers with others added regularly, it is easiest and fastest to spend an hour or two to create a custom install disk or package list. make a package or two (optimized for processor) of all the critical stuff.
    -EvilMonkeyNinja
    a.k.a. Joseph Nicholas Yarbrough
    Security Grunt by Day
    Programmer by Night
  • When the OpenBSD project claim so-and-so years without a root exploit in the default install, they seem to be speaking as engineers, not scientists. No code can really be said to be totally free of exploits, only to be free of discovered exploits

    Besides that, OpenBSD is not the easiest system to config and maintain, especially as compared to something with a pretty gui like NT. Is that a security weakness? No. Should network admins have the skills to work with OpenBSD? Probably. Is it possible that your average admin would be too limited by having to configure everything through vi to properly secure a host? Yes.
  • not to be a troll or anything (I run OpenBSD on a few of my boxes), but OpenBSD is still affected by a large amount of root holes. A Linux box with OpenBSD's inetd.conf could be kept secure for years :) . Seriously, OpenBSD has done a great job of cleaning up security, but some big bugs still get through (in particular i remember the ftpd one-byte buffer overflow and the recent hole with glob(), and IPSec too). They may not be default, but basically all sites run more than the base system.
  • is this something that can be proven to the openbsd team. if so have you made it known. As well did you make any modifications to the default install to perform this root exploit. If so you just violated the 4 year "default install" claim.

GREAT MOMENTS IN HISTORY (#7): April 2, 1751 Issac Newton becomes discouraged when he falls up a flight of stairs.

Working...