Vulnerability Note VU#602204
OpenSSH PAM challenge authentication failure
There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). This vulnerability could permit a remote attacker to log in to the system as any user, including potentially root, without using a password.
There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). Versions 3.7p1 and 3.7.1p1 are affected. Note that the OpenBSD-specific releases are not affected by this issue.
Remote attackers could exploit servers configured with the following parameters:
Note that this affects systems with password authentication disabled but challenge-response authentication still enabled. This does not to affect systems using SSHv2, but many systems are configured to fall back to SSHv1 if SSHv2 is not supported by the client.
A remote attacker could potentially log in to the system as any user, including root, using a null password. The root user can only be logged into if "PermitRootLogin" is enabled.
OpenSSH has announced version 3.7.1p2 to resolve this issue.
This issue can be mitigated by not using PAM. Set "UsePAM no" in sshd_config. To prevent root logins, Set "PermitRootLogin no".
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Gentoo Linux||Affected||-||24 Sep 2003|
|OpenSSH||Affected||22 Sep 2003||23 Sep 2003|
|AppGate Network Security AB||Not Affected||-||23 Sep 2003|
|Apple Computer Inc.||Not Affected||-||23 Sep 2003|
|Bitvise||Not Affected||-||23 Sep 2003|
|Check Point||Not Affected||-||24 Sep 2003|
|Clavister||Not Affected||-||24 Sep 2003|
|Cray Inc.||Not Affected||-||23 Sep 2003|
|Debian||Not Affected||-||23 Sep 2003|
|Ingrian Networks||Not Affected||-||23 Sep 2003|
|MandrakeSoft||Not Affected||-||23 Sep 2003|
|Microsoft Corporation||Not Affected||-||23 Sep 2003|
|Mirapoint||Not Affected||-||23 Sep 2003|
|NetScreen||Not Affected||-||23 Sep 2003|
|Network Appliance||Not Affected||-||23 Sep 2003|
CVSS Metrics (Learn More)
Thanks to Petri Heinonen and the OUSPG Team for reporting this vulnerability.
This document was written by Jason A Rafail.
- CVE IDs: CAN-2003-0786
- Date Public: 23 Sep 2003
- Date First Published: 23 Sep 2003
- Date Last Updated: 24 Sep 2003
- Severity Metric: 6.58
- Document Revision: 23
If you have feedback, comments, or additional information about this vulnerability, please send us email.