Vulnerability Note VU#797027

OpenSSH does not initialize PAM session thereby allowing PAM restrictions to be bypassed

Overview

OpenSSH is an implementation of the Secure Shell (SSH) protocol. It can be configured to use Linux Pluggable Authentication Modules (PAM) for added authentication. A vulnerability exists in OpenSSH, and perhaps other implementations of SSH, which can allow to potentially bypass PAM restrictions.

I. Description

OpenSSH fails to call pam_open_session if no pty (pseudo-terminal driver) is used. This in turn does not activate the security modules specified in /etc/pam.d. It has been pointed out that if you use pam_limits.so to set resource limits, then users could bypass these limits by calling ssh in this manner.

II. Impact

An attacker can bypass the PAM security modules specified on the target machine.

III. Solution

Upgrade to OpenSSH 2.9.9p1.

Restrict access to the SSH service

You may wish to disable the SSH access until a patch is available from your vendor.

If you cannot disable the service, you can limit your exposure to these vulnerabilities by using a router or firewall to restrict access to port 22/TCP (SSH). Implement a TCPWRAPPER.

Systems Affected

Vendor	Status	Date Notified
F-Secure	Not Vulnerable	11-Dec-2001
OpenSSH	Vulnerable	7-Dec-2001
SSH Communications Security	Not Vulnerable	12-Dec-2001

References

http://www.securityfocus.com/bid/2917
http://archives.neohapsis.com/archives/bugtraq/2001-06/0303.html
http://marc.theaimsgroup.com/?l=bugtraq&m=99324968918628&w=2

Credit

Christian Kraemer discovered this vulnerability.

This document was written by Jason Rafail.

Other Information

Date Public:	2001-06-19
Date First Published:	2001-12-07
Date Last Updated:	2001-12-12
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Severity Metric:	3.37
Document Revision:	5

If you have feedback, comments, or additional information about this vulnerability, please send us email.