Sun Microsystems Inc. Information for VU#369347

OpenSSH vulnerabilities in challenge response handling

Status

Affected

Vendor Statement

The version of OpenSSH that is in Solaris 9 is not believed to be vulnerable if the default configuration is used. If sshd_config(4) has been updated so that BOTH of the following entries are present then it is vulnerable.

    PAMAuthenticationViaKBDInt yes
    KbdInteractiveAuthentication yes


Note that in the default sshd_config(4) PAMAuthenticationViaKBDInt is listed but KbdInteractiveAuthentication is not (the compiled in default for KbdInteractiveAuthentication is no).

Sun is in the process of producing a patch for Solaris 9. Older Solaris releases are not vulnerable since they do not include OpenSSH as part of the Solaris distribution - hosts that added OpenSSH as part of their own site configurations should check the official OpenSSH advisory for details.

The patch that Sun produces to fix this issue will not contain the new OpenSSH Privsep support as it is not yet stable enough on Solaris due to interactions with PAM and BSM auditing, this may appear in a future release - Sun is working with the OpenSSH developers on the PAM problems and once a working OpenSSH with PAM and BSM is available we will re-evaluate our position on Privsep.

Sun will publish a Sun Security Bulletin and a Sun Alert for this issue. The Sun Alert will be available from:

The patch will be available from:

Sun Security Bulletins are available from:
    http://sunsolve.sun.com/security

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Vendor References

    None

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.