SuSE Inc. Information for VU#369347

OpenSSH vulnerabilities in challenge response handling

Status

Affected

Vendor Statement

[F]urther details about the bugs in question have turned up by now, indicating that SuSE Linux products are not affected by the mentioned problem unless the administrator of an openssh installation has actively added the configuration option (PAMAuthenticationViaKbdInt) to the daemon configuration file /etc/ssh/sshd_config to turn this option on. In other words: We are not vulnerable by default.

We have quickly published update packages with the workaround as described in your announcement, but due to incompatibilities and errors in the newer package, we are thinking about downgrading back to our 2.9.9p2 version packages as well as one newer version on one of our newer products. The decision about the downgrade has not been made yet, but we are positive that we will publish another set of update packages that effectively remove the weakness from the package. After all, the currently offered packages for download from our ftp server (ftp://ftp.suse.com/pub/suse/i386/update/) represent an emergency fix that should be considered incomplete considering the quality standards at SuSE.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

Since the SuSE Linux distribution of OpenSSH is not vulnerable by default, sites with PAMAuthenticationViaKbdInt enabled in /etc/ssh/sshd_config are encouraged to turn it off until final, complete packages are available.
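The following script is an added example, not code from CERT/CC or from SuSE. It shows how a site can check whether the PAMAuthenticationViaKbdInt option the addendum refers to is turned on in an sshd_config, and how to emit a copy with the option explicitly turned off. The function names (kbdint_state, disable_kbdint) and the sample configuration are mine; the script assumes, following the vendor statement, that an absent keyword means the option is off, and that sshd keyword matching is case-insensitive with the first occurrence of a keyword taking effect.

```shell
#!/bin/sh
# Added example (not from the CERT note or from SuSE): audit an sshd_config
# for the PAMAuthenticationViaKbdInt option and emit a hardened copy with the
# option explicitly set to "no".
# Assumptions (mine): an absent keyword means "off", since the SuSE statement
# says the option must be actively added; sshd keyword matching is
# case-insensitive and the first occurrence of a keyword wins.

# Print "on" if PAMAuthenticationViaKbdInt is enabled in the file, else "off".
kbdint_state() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }   # strip comments, accept Key=value
        NF < 2 { next }
        tolower($1) == "pamauthenticationviakbdint" {
            if (tolower($2) == "yes") print "on"; else print "off"
            found = 1
            exit
        }
        END { if (!found) print "off" }
    ' "$1"
}

# Write the config to stdout with every PAMAuthenticationViaKbdInt line
# replaced by an explicit "no"; append one if the keyword was never set.
disable_kbdint() {
    awk '
        {
            orig = $0
            sub(/#.*/, ""); gsub(/=/, " ")
            if (NF >= 2 && tolower($1) == "pamauthenticationviakbdint") {
                print "PAMAuthenticationViaKbdInt no"
                done = 1
            } else {
                print orig
            }
        }
        END { if (!done) print "PAMAuthenticationViaKbdInt no" }
    ' "$1"
}

# Demo on a constructed sample config (not a real SuSE file).
sample="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$sample" <<'EOF'
Port 22
Protocol 2
# PAMAuthenticationViaKbdInt no
PAMAuthenticationViaKbdInt yes
PasswordAuthentication no
EOF
echo "before: PAMAuthenticationViaKbdInt is $(kbdint_state "$sample")"
disable_kbdint "$sample" > "$sample.hardened"
echo "after:  PAMAuthenticationViaKbdInt is $(kbdint_state "$sample.hardened")"
rm -f "$sample" "$sample.hardened"
```

Run it against the real file with `kbdint_state /etc/ssh/sshd_config`; the commented-out line in the sample is deliberately ignored, and a `Key=value` spelling is handled the same as whitespace-separated form. After rewriting the file, restart sshd so the running daemon picks up the change.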

If you have feedback, comments, or additional information about this vulnerability, please send us email.