There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). This vulnerability could permit a remote attacker to log in to the system as any user, including potentially root, without using a password.
There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). Versions 3.7p1 and 3.7.1p1 are affected. Note that the OpenBSD-specific releases are not affected by this issue.
Remote attackers could exploit servers configured with the following parameters:
Note that this affects systems with password authentication disabled but challenge-response authentication still enabled. This does not to affect systems using SSHv2, but many systems are configured to fall back to SSHv1 if SSHv2 is not supported by the client.
A remote attacker could potentially log in to the system as any user, including root, using a null password. The root user can only be logged into if "PermitRootLogin" is enabled.
OpenSSH has announced version 3.7.1p2 to resolve this issue.
This issue can be mitigated by not using PAM. Set "UsePAM no" in sshd_config. To prevent root logins, Set "PermitRootLogin no".
Thanks to Petri Heinonen and the OUSPG Team for reporting this vulnerability.
This document was written by Jason A Rafail.
|Date First Published:||2003-09-23|
|Date Last Updated:||2003-09-24 15:35 UTC|