Vulnerability Note VU#602204

OpenSSH PAM challenge authentication failure

Original Release date: 23 Sep 2003 | Last revised: 24 Sep 2003

Overview

There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). This vulnerability could permit a remote attacker to log in to the system as any user, including potentially root, without using a password.

Description

There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). Versions 3.7p1 and 3.7.1p1 are affected. Note that the OpenBSD-specific releases are not affected by this issue.

Remote attackers could exploit servers configured with the following parameters:

  • OpenSSH 3.7.1p1 (portable)
  • Any platform
  • compiled with --with-pam
  • PrivilegeSeparation disabled
  • Protocol version 1 enabled (default)
  • ChallengeResponse enabled (default)

Note that this affects systems with password authentication disabled but challenge-response authentication still enabled. This does not affect systems using SSHv2, but many systems are configured to fall back to SSHv1 if SSHv2 is not supported by the client.

Impact

A remote attacker could potentially log in to the system as any user, including root, using a null password. Logging in as root is possible only if "PermitRootLogin" is enabled.

Solution

OpenSSH has announced version 3.7.1p2 to resolve this issue.

This issue can be mitigated by not using PAM: set "UsePAM no" in sshd_config. To prevent root logins, set "PermitRootLogin no".
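
The exposure conditions listed in the Description and the mitigation above can be checked against a server's sshd_config. The following is an added example, not part of the original note or of OpenSSH: the function names and sample configurations are constructed, and the defaults assumed for UsePAM, UsePrivilegeSeparation and PermitRootLogin are assumptions. The installed version and the --with-pam build option are not visible in the configuration file and must be verified separately.

```python
# Added example: audit sshd_config text against the VU#602204 conditions.
# Values not stated on the page are assumptions for an affected --with-pam build.
ASSUMED_DEFAULTS = {
    "protocol": "2,1",                         # page: protocol 1 enabled by default
    "challengeresponseauthentication": "yes",  # page: enabled by default
    "usepam": "yes",                           # assumption
    "useprivilegeseparation": "yes",           # assumption
    "permitrootlogin": "yes",                  # assumption
}

def parse_sshd_config(text):
    """Effective settings: keywords are case-insensitive, first value wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {**ASSUMED_DEFAULTS, **seen}

def assess(text):
    s = parse_sshd_config(text)
    conditions = {
        "protocol 1 enabled": "1" in [p.strip() for p in s["protocol"].split(",")],
        "challenge-response enabled": s["challengeresponseauthentication"] == "yes",
        "PAM in use": s["usepam"] == "yes",
        "privilege separation disabled": s["useprivilegeseparation"] == "no",
    }
    exposed = all(conditions.values())
    return {
        "exposed": exposed,
        # Conservative: any PermitRootLogin value other than "no" counts as enabled.
        "root_reachable": exposed and s["permitrootlogin"] != "no",
        "unmet": sorted(name for name, met in conditions.items() if not met),
    }

# Constructed samples, not taken from any real host.
EXPOSED_SAMPLE = """\
Protocol 2,1
UsePrivilegeSeparation no
PasswordAuthentication no
"""
MITIGATED_SAMPLE = EXPOSED_SAMPLE + "UsePAM no\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_SAMPLE), ("mitigated", MITIGATED_SAMPLE)):
        print(name, assess(cfg))
```

The exposed sample keeps "PasswordAuthentication no" to show that disabling password authentication alone does not remove the exposure, as the Description notes.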

Systems Affected

Vendor                          Status        Date Notified  Date Updated
Gentoo Linux                    Affected      -              24 Sep 2003
OpenSSH                         Affected      22 Sep 2003    23 Sep 2003
AppGate Network Security AB     Not Affected  -              23 Sep 2003
Apple Computer Inc.             Not Affected  -              23 Sep 2003
Bitvise                         Not Affected  -              23 Sep 2003
Check Point                     Not Affected  -              24 Sep 2003
Clavister                       Not Affected  -              24 Sep 2003
Cray Inc.                       Not Affected  -              23 Sep 2003
Debian                          Not Affected  -              23 Sep 2003
Ingrian Networks                Not Affected  -              23 Sep 2003
MandrakeSoft                    Not Affected  -              23 Sep 2003
Microsoft Corporation           Not Affected  -              23 Sep 2003
Mirapoint                       Not Affected  -              23 Sep 2003
NetScreen                       Not Affected  -              23 Sep 2003
Network Appliance               Not Affected  -              23 Sep 2003

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to Petri Heinonen and the OUSPG Team for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

  • CVE IDs: CAN-2003-0786
  • Date Public: 23 Sep 2003
  • Date First Published: 23 Sep 2003
  • Date Last Updated: 24 Sep 2003
  • Severity Metric: 6.58
  • Document Revision: 23
