______________________________________________________________________________
SuSE Security Announcement
Package: Live CD 9.1
Announcement-ID: SuSE-SA:2004:011
Date: Thursday, May 6th 2004 22:30 MEST
Affected products: SUSE LINUX 9.1 Personal Edition Live CD
Vulnerability Type: remote root access
Severity (1-10): 8
SuSE default package: yes
Other affected systems: none
Content of this advisory:
1) security vulnerability resolved: Live CD 9.1
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The freshly released SUSE LINUX 9.1 comes in two variants:
* SUSE LINUX 9.1 Professional (5 CD-ROMs, 2 double sided DVDs, printed
manuals, for Intel i386 32Bit platform and 1 DVD for the AMD 64Bit
platform)
* SUSE LINUX 9.1 Personal (2 CD-ROMs: 1 installable CD-ROM, 1 Live CD-ROM
for running SUSE LINUX on your PC without actually installing the
system.)
This SUSE Security Announcement targets the Live CD that comes with the
SUSE LINUX 9.1 Personal edition. The Live CD can boot and run on any PC
that has a CD-ROM drive, offering a convenient opportunity for users
who want to try out SUSE Linux without any modification to the system
that is installed on the computer. Similar CD-ROM iso images have been
available for download from our ftp server with each release of the
SUSE LINUX home user product for years.
Upon boot, the Live CD will automatically configure a network card if
one has been detected. It requires user interaction for dialup
network access.
A configuration error on the Live CD allows for a passwordless, remote
root login to the system via ssh, if the computer has booted from the
Live CD and if it is connected to a network. Since the CD-ROM is a
read-only medium by definition, there is no solution for this error
that would be persistent over a reboot from the Live CD. Manually
killing all running instances of the secure shell daemon ("killall
sshd" as root) after each boot cures the problem, while still exposing
the vulnerability in the time window between startup and the killing
of the sshd process.
It is a policy for a fresh install of SUSE LINUX products to enable
the user to log on to the system using secure shell (ssh). During the
installation of the system, the user is prompted for a root password.
The Live CD does not install any system on a medium and therefore does
not ask for a root password. By consequence, passwordless logins
should be denied on the system, regardless of whether the account in
question is the super user account or not. The Live CD 9.1 suffers
from this misconfiguration.
Our permanent fix for the vulnerability is to download the iso image
of the fixed Live CD 9.1 from the URL as listed below and to burn it
on a CD-R using a CD-burner and the software that comes with the SUSE
LINUX 9.1 Personal or Professional (cdrecord, k3b). The new image
still runs a secure shell daemon for remote login, but it does not
allow remote logins on a zero-length password account, and it denies
remote root login attempts, independently from the password.
We thank Patrick Kranefeld and Fabian Franz who have reported the
configuration neglectfulness on the SUSE LINUX 9.1 Live CD to SUSE
Security.
Image authenticity verification:
The file LiveCD-9.1-01.iso has a length of 706349056 bytes. If you run
the command "md5sum LiveCD-9.1-01.iso" after you have downloaded the
file, the md5sum command should print the following md5sum:
9f4ed1bc6b3ee582bf593fde75d5db43
This md5 sum is also contained in the file MD5SUMS in the same
directory as the LiveCD-9.1-01.iso file. Its signature (by
security@suse.de) is contained in the file MD5SUMS.sig.
The download location:
ftp://ftp.suse.com/pub/su...-cd-9.1/LiveCD-9.1-01.iso
9f4ed1bc6b3ee582bf593fde75d5db43
A note: Please use a mirror for downloading the SUSE LINUX 9.1 Live
CD. Mirrors close to you can be found at
http://www.suse.com/us/private/download/ftp/int_mirrors.html
Zover ik weet is die LiveCD niet de final/gold versie van SuSE 9.1, maar RC2. Ik heb op Internet gelezen dat daar best een hoop probleempjes mee zijn tijdens het booten. Wacht de final nog even af, en geef dan je oordeel daarover. Anders loop je iets mis dat best heel mooi kan zijn.