There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). This vulnerability could permit a remote attacker to log in to the system as any user, including potentially root, without using a password.
There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). Versions 3.7p1 and 3.7.1p1 are affected. Note that the OpenBSD-specific releases are not affected by this issue.
Remote attackers could exploit servers configured with the following parameters:
Note that this affects systems with password authentication disabled but challenge-response authentication still enabled. This does not affect systems using SSHv2, but many systems are configured to fall back to SSHv1 if SSHv2 is not supported by the client.
A remote attacker could potentially log in to the system as any user, including root, using a null password. The root user can only be logged into if "PermitRootLogin" is enabled.
OpenSSH has announced version 3.7.1p2 to resolve this issue.
This issue can be mitigated by not using PAM: set "UsePAM no" in sshd_config. To prevent root logins, set "PermitRootLogin no".
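As an added example that is not part of the advisory, the following Python checker parses an sshd_config and reports whether it matches the exposed combination described above (SSHv1 enabled, PAM in use, password authentication disabled but challenge-response still enabled) and whether root login is reachable. The directive names are the standard sshd_config ones; the defaults assumed for directives left unset, and the sample configurations, are constructed assumptions, not taken from the advisory.

```python
import re

# Constructed sample configurations (assumptions, not from the advisory).
VULNERABLE_CONFIG = """
Protocol 2,1
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin yes
"""

MITIGATED_CONFIG = """
Protocol 2
UsePAM no            # mitigation from the advisory
PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin no   # mitigation from the advisory
"""

# Assumed defaults for unset directives (3.7-era behaviour; an assumption).
DEFAULTS = {
    "protocol": "2,1",
    "usepam": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}


def parse_sshd_config(text):
    """Return {lowercased directive: value}; the first occurrence wins, as in sshd."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2 and parts[0].lower() not in conf:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def assess(text):
    """Return a list of findings; an empty list means the exposed combination is absent."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    protocols = {p.strip() for p in conf["protocol"].split(",")}
    findings = []
    exposed = ("1" in protocols and conf["usepam"] == "yes"
               and conf["passwordauthentication"] == "no"
               and conf["challengeresponseauthentication"] == "yes")
    if exposed:
        findings.append("SSHv1 + UsePAM + challenge-response without password auth")
    if conf["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is not 'no'")
    return findings
```

Run `assess()` over the live sshd_config of a 3.7p1 or 3.7.1p1 host to confirm the mitigations are in place before or instead of upgrading to 3.7.1p2.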
Gentoo Linux Affected
AppGate Network Security AB Not Affected
Apple Computer Inc. Not Affected
Bitvise Not Affected
Check Point Not Affected
Clavister Not Affected
Cray Inc. Not Affected
Debian Not Affected
Ingrian Networks Not Affected
MandrakeSoft Not Affected
Microsoft Corporation Not Affected
Mirapoint Not Affected
NetScreen Not Affected
Network Appliance Not Affected
Openwall GNU/*/Linux Not Affected
Pragma Systems Not Affected
Red Hat Inc. Not Affected
SuSE Inc. Not Affected
Sun Microsystems Inc. Not Affected
WatchGuard Not Affected
Cisco Systems Inc. Unknown
IBM eServer Unknown
Thanks to Petri Heinonen and the OUSPG Team for reporting this vulnerability.
This document was written by Jason A Rafail.
Date First Published: 2003-09-23
Date Last Updated: 2003-09-24 15:35 UTC