SSH Communications Security Information for VU#737451

SSH Secure Shell sshd2 does not adequately authenticate logins to accounts with encrypted password fields containing two or fewer characters

Status

Affected

Vendor Statement

According to SSH Communications Security's advisory:

A potential remote root exploit has been discovered in SSH Secure Shell 3.0.0, for Unix only, concerning accounts with password fields consisting of two or fewer characters. Unauthorized users could potentially log in to these accounts using any password, including an empty password. This affects SSH Secure Shell 3.0.0. This is a problem with password authentication to the sshd2 daemon. The SSH Secure Shell client binaries (located by default in /usr/local/bin) are not affected. As SSH Secure Shell for Workstations on Unix only also includes a limited sshd2 server daemon, workstations are also vulnerable if the sshd2 daemon is running. SSH Secure Shell 3.0.1 fixes this problem for both Server and Workstation versions. Please note that if using a form of authentication other than password, AND password authentication is disabled, you are NOT VULNERABLE to this potential flaw.

A potential remote root exploit has been discovered in SSH Secure Shell 2.3 and 2.4, for HPUX in Trusted (TCB) Mode only, concerning accounts with password fields consisting of two or fewer characters. Unauthorized users could potentially log in to these accounts using any password, including an empty password. This affects SSH Secure Shell 2.3 and 2.4. This is a problem with password authentication to the sshd2 daemon. The SSH Secure Shell client binaries (located by default in /usr/local/bin) are not affected. As SSH Secure Shell for Workstations, on HPUX in Trusted (TCB) Mode only, also includes a limited sshd2 server daemon, workstations are also vulnerable if the sshd2 daemon is running.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

At the time of this writing, no Unix or Linux distributions are known to ship with SSH Secure Shell installed. However, certain distrubutions do utilize accounts with encrypted password fields that contain two or fewer characters. If SSH Secure Shell is installed on such a distribution (or encrypted password fields have been modified to contain two or fewer characters), and the distibution uses crypt() for password encryption, and SSH Secure Shell is configured to use password authentication, then the system will be vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.