US-CERT
Vulnerability Notes Database

Vulnerability Note VU#602204

OpenSSH PAM challenge authentication failure

Overview

There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). This vulnerability could permit a remote attacker to log in to the system as any user, including potentially root, without using a password.

I. Description

There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). Versions 3.7p1 and 3.7.1p1 are affected. Note that the OpenBSD-specific releases are not affected by this issue.

Remote attackers could exploit servers configured with the following parameters:

  • OpenSSH 3.7.1p1 (portable)
  • Any platform
  • compiled with --with-pam
  • PrivilegeSeparation disabled
  • Protocol version 1 enabled (default)
  • ChallengeResponse enabled (default)

Note that this affects systems with password authentication disabled but challenge-response authentication still enabled. This does not affect systems using SSHv2, but many systems are configured to fall back to SSHv1 if SSHv2 is not supported by the client.

II. Impact

A remote attacker could potentially log in to the system as any user, including root, using a null password. Logging in as root is possible only if "PermitRootLogin" is enabled.

III. Solution

OpenSSH has announced version 3.7.1p2 to resolve this issue.

This issue can be mitigated by not using PAM: set "UsePAM no" in sshd_config. To prevent root logins, set "PermitRootLogin no".
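
The following audit of an sshd_config against the exposure conditions in section I and the mitigations above is an added example, not part of the original note or of OpenSSH. The keywords are sshd_config's own; the defaults for UsePAM, UsePrivilegeSeparation and PermitRootLogin are assumptions, and the sample configuration is constructed. It cannot check the installed version or whether the binary was built with --with-pam.

```python
# Added example: flags the configuration conditions this note lists.
# Protocol and ChallengeResponseAuthentication defaults follow the note
# ("default"); the other three defaults are assumptions for an unpatched build.
DEFAULTS = {
    "protocol": "2,1",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",                   # assumption: unset is treated as enabled
    "useprivilegeseparation": "yes",   # assumption
    "permitrootlogin": "yes",          # assumption
}

# Constructed sample: privilege separation off, PAM on, protocol left at default.
SAMPLE_WEAK = """\
# constructed sshd_config fragment
UsePrivilegeSeparation no
UsePAM yes
"""

def parse_sshd_config(text):
    """Return effective settings. sshd keeps the FIRST value seen per keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {**DEFAULTS, **seen}

def audit(text):
    """Report whether every runtime condition from the note holds at once."""
    cfg = parse_sshd_config(text)
    protocols = {p.strip() for p in cfg["protocol"].split(",")}
    conditions = {
        "SSHv1 enabled": "1" in protocols,
        "challenge-response enabled": cfg["challengeresponseauthentication"] == "yes",
        "PAM in use": cfg["usepam"] == "yes",
        "privilege separation disabled": cfg["useprivilegeseparation"] == "no",
    }
    exposed = all(conditions.values())
    return {
        "exposed": exposed,
        "root_reachable": exposed and cfg["permitrootlogin"] != "no",
        "conditions": conditions,
    }
```

Because the first value for a keyword wins, a "UsePAM no" appended below an existing "UsePAM yes" has no effect; the mitigation has to replace the earlier line.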

Systems Affected

Vendor | Status | Date Notified | Date Updated
AppGate Network Security AB | Not Vulnerable | 23-Sep-2003
Apple Computer Inc. | Not Vulnerable | 23-Sep-2003
Bitvise | Not Vulnerable | 23-Sep-2003
Check Point | Not Vulnerable | 24-Sep-2003
Cisco Systems Inc. | Unknown | 23-Sep-2003
Clavister | Not Vulnerable | 24-Sep-2003
Cray Inc. | Not Vulnerable | 23-Sep-2003
Debian | Not Vulnerable | 23-Sep-2003
Gentoo Linux | Vulnerable | 24-Sep-2003
IBM eServer | Unknown | 23-Sep-2003
Ingrian Networks | Not Vulnerable | 23-Sep-2003
MandrakeSoft | Not Vulnerable | 23-Sep-2003
Microsoft Corporation | Not Vulnerable | 23-Sep-2003
Mirapoint | Not Vulnerable | 23-Sep-2003
NetScreen | Not Vulnerable | 23-Sep-2003
Network Appliance | Not Vulnerable | 23-Sep-2003
OpenSSH | Vulnerable | 23-Sep-2003
Openwall GNU/*/Linux | Not Vulnerable | 24-Sep-2003
Pragma Systems | Not Vulnerable | 23-Sep-2003
Red Hat Inc. | Not Vulnerable | 23-Sep-2003
Sun Microsystems Inc. | Not Vulnerable | 24-Sep-2003
SuSE Inc. | Not Vulnerable | 23-Sep-2003
WatchGuard | Not Vulnerable | 24-Sep-2003

References


http://marc.theaimsgroup.com/?l=openbsd-misc&m=106432248311634&w=2
http://www.openssh.com/txt/sshpam.adv

Credit

Thanks to Petri Heinonen and the OUSPG Team for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

Date Public: 2003-09-23
Date First Published: 2003-09-23
Date Last Updated: 2003-09-24
CERT Advisory: 
CVE-ID(s): CAN-2003-0786
NVD-ID(s): CAN-2003-0786
US-CERT Technical Alerts: 
Metric: 6.58
Document Revision: 23

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2003 Carnegie Mellon University