
Bug#786987: evidence



On Thu, Jun 04, 2015 at 10:35:37AM -0400, Micah Anderson wrote:
> . it is used as a selector in NSA's XKEYSCORE queries in conjunction
>  with the metadata database of potentially exploitable services
>  (BLEAKINQUIRY) by the NSA group "S31176" for targeted exploit and
>  compromise[1][2]

This is a somewhat more compelling argument; I'll think about it.

> . it is used by annoying "security" scanners, such as Nessus to
>  incorrectly identify vulnerable versions <-- I would normally argue
>  that version strings are a terrible way of finding an actual
>  vulnerability, in fact I *regularly* have to argue with people who run
>  these "security" scanners against our network and then bring us a
>  report to show me how many "vulnerable" services we have because the
>  version numbers in their outdated database don't take into account
>  Debian Security fixes... but this is precisely why I am bringing this
>  up, because I have to regularly argue with people about these version
>  strings. They are wrong, of course, but I don't want to have to deal
>  with that pointless argument. If there was no version string, I
>  wouldn't have to do that anymore.

But that's exactly why DebianBanner was introduced: so that it's
*possible* for such scanners to distinguish fixed versions, given
knowledge of our security updates, and to give you a reasonable argument
for the security folks in your organisation to leave you alone once
you've applied updates.

Upstream's non-configurable default is to include the OpenSSH version in
the banner (e.g. "OpenSSH_6.8p1").  DebianBanner merely makes this more
fine-grained.  You're asking for something quite different here, which
is https://bugzilla.mindrot.org/show_bug.cgi?id=764; but that's WONTFIX
upstream for good reason, because it's still necessary to use the
version for protocol compatibility tweaks.  The most recent version of
itself that OpenSSH needs to distinguish in this manner is as recent as
6.6p1, to deal with a key exchange bug in its implementation of ED25519,
and something different comes along here every couple of years or so;
this is not an archaic thing that can safely be discarded.

As such, the best that we can do without causing real and significant
interoperability problems is to advertise "SSH-2.0-OpenSSH_6.7p1" rather
than "SSH-2.0-OpenSSH_6.7p1 Debian-5" in our banner.  You'll still have
to argue with people about these version strings; in fact, if you're
having to do so right now, disabling DebianBanner will almost certainly
cause you to have to do so more often.

> . it's used in CTF (capture the flag) events, in order to know what OS is
> running on a system that only has ssh running, and what version of ssh
> is running so that you can look at exploits that could be used to
> compromise the system for a flag.

Yeah, though dealing with this seems like a drop in the ocean compared
to things like TCP stack fingerprinting that are much harder to address.

-- 
Colin Watson                                       [cjwatson@debian.org]
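As an added illustration of the scanner point discussed in this message (example code, not part of the message or of Debian's own tooling): a small Python banner check that can tell a fixed Debian build from an unfixed one only when the DebianBanner suffix is present. The fixed-revision table is a constructed placeholder, not real advisory data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 section 4.2 identification string:
#   "SSH-protoversion-softwareversion SP comments CR LF"
# OpenSSH sends e.g. "OpenSSH_6.7p1" as softwareversion; Debian's DebianBanner
# option appends a comment such as "Debian-5" (the Debian package revision).
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
DEBIAN_REV_RE = re.compile(r"^Debian-(?P<rev>\d+)")


@dataclass
class Banner:
    proto: str
    software: str
    openssh_version: Optional[str]  # "6.7p1" or None if not OpenSSH
    debian_rev: Optional[int]       # 5 for "Debian-5", None if no suffix


def parse_banner(line: str) -> Banner:
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    software = m.group("software")
    version = software.split("_", 1)[1] if software.startswith("OpenSSH_") else None
    rev = None
    if m.group("comment"):
        d = DEBIAN_REV_RE.match(m.group("comment"))
        if d:
            rev = int(d.group("rev"))
    return Banner(m.group("proto"), software, version, rev)


# Constructed placeholder for the knowledge a scanner needs: for a given
# upstream OpenSSH version as packaged by Debian, the first package revision
# carrying the fix for some issue.  Real data comes from the Debian security
# tracker; the number here is invented for the example.
FIXED_IN_DEBIAN_REV = {"6.7p1": 5}


def assess(line: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one banner line."""
    b = parse_banner(line)
    if b.openssh_version not in FIXED_IN_DEBIAN_REV or b.debian_rev is None:
        # Upstream version alone cannot separate a patched Debian build from
        # an unpatched one: this is the ambiguity DebianBanner removes.
        return "unknown"
    fixed = FIXED_IN_DEBIAN_REV[b.openssh_version]
    return "fixed" if b.debian_rev >= fixed else "vulnerable"
```

With the suffix present the check gives a definite answer; with "SSH-2.0-OpenSSH_6.7p1" alone it can only report "unknown", which is the situation a scanner relying on version strings falls back to when DebianBanner is disabled.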

