6

In a discussion about the recent OpenSSL information disclosure vulnerability, the subject of OpenSSH being vulnerable came up. While OpenSSH is not vulnerable due to the problem lying in the TLS handshake, it opened discussion for the security of OpenSSH on FreeBSD.

Theo de Raadt had this to say:

... as long as you aren't using FreeBSD or a derivative (hint: Juniper), you are fine. That's the only place I know of an OpenSSH hole.

This coming from someone in his position is worrisome. I don't know if this is a stab at the FreeBSD project, or if he is privy to some inside exploit of the OpenSSH implementation on FreeBSD.

Since the person in question doesn't believe in public disclosure, I am wondering what steps people have taken to mitigate this possibly huge security flaw, if it exists at all.

David Houde
  • 5,464
  • 1
  • 27
  • 22
  • 1
    There is likely something to his words, about ⅔ to ⅓. The proportions may have been blown up, but considering that FreeBSD is not like the other BSDs but split very early, and suffers from NIH a lot, there are lots of differences in the base system. I can believe that the OpenBSD/OpenSSH developers have analysed running it on FreeBSD and found some issue, and I readily believe there were communication difficulties between them, and I have vague ideas why he'd withhold it now. I have no idea what precisely they could have found. – mirabilos Apr 13 '14 at 09:59
  • I just wanted to update that I've done my work trying to hunt down the answer. I've not been able to get a response from Theo, though I've discussed it with many FreeBSD developers. No one seems to know of a vulnerability and best guesses say it might just be him pissed off at FreeBSD's default OpenSSH config. – David Houde Apr 22 '14 at 23:54
  • If you're concerned, check the version of OpenSSH on FreeBSD and the OpenSSH on OpenBSD, diff the two, and analyze the differences. – Scott Arciszewski Apr 12 '14 at 16:45

1 Answers1

1

The Heartbleed bug was a SSL/TLS protocol implementation bug. OpenSSH does not use the SSL protocol in anyway (Although it does use some of the same cryptographic primitives).

So you don't need to worry about Heartbleed causing problems for OpenSSH.

JasperWallace
  • 446
  • 3
  • 5
  • 1
    This question was meant to discuss a possible OpenSSH vulnerability on FreeBSD. The topic came up in a discussion of whether OpenSSH was vulnerable to Heartbleed, but heartbleed is not the topic here. After re-reading the question, I decided to edit it because I can see how it is misleading. I appreciate you taking the time to respond. – David Houde Apr 22 '14 at 23:52