search menu icon-carat-right cmu-wordmark

CERT Coordination Center

OpenSSH PAM challenge authentication failure

Vulnerability Note VU#602204

Original Release Date: 2003-09-23 | Last Revised: 2003-09-24

Overview

There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). This vulnerability could permit a remote attacker to log in to the system as any user, including potentially root, without using a password.

Description

There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). Versions 3.7p1 and 3.7.1p1 are affected. Note that the OpenBSD-specific releases are not affected by this issue.

Remote attackers could exploit servers configured with the following parameters:

    • OpenSSH 3.7.1p1 (portable)
    • Any platform
    • compiled with --with-pam
    • PrivilegeSeparation disabled
    • Protocol version 1 enabled (default)
    • ChallengeResponse enabled (default)

Note that this affects systems with password authentication disabled but challenge-response authentication still enabled. This does not to affect systems using SSHv2, but many systems are configured to fall back to SSHv1 if SSHv2 is not supported by the client.

Impact

A remote attacker could potentially log in to the system as any user, including root, using a null password. The root user can only be logged into if "PermitRootLogin" is enabled.

Solution

OpenSSH has announced version 3.7.1p2 to resolve this issue.

This issue can be mitigated by not using PAM. Set "UsePAM no" in sshd_config. To prevent root logins, Set "PermitRootLogin no".

Vendor Information

602204
 
Affected   Unknown   Unaffected

Gentoo Linux

Updated:  September 24, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-14
- - - ---------------------------------------------------------------------

PACKAGE : openssh
SUMMARY : multiple vulnerabilities in new PAM code

DATE : 2003-09-23 20:25 UTC
EXPLOIT : remote

VERSIONS AFFECTED : <openssh-3.7.1_p2
FIXED VERSION : >=openssh-3.7.1_p2

CVE :

- - - ---------------------------------------------------------------------

quote from advisory:

"Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs
is remotely exploitable (under a non-standard configuration,
with privsep disabled)."

read the full advisory at:
http://www.openssh.com/txt/sshpam.adv

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/openssh upgrade to openssh-3.7.1_p2 as follows:

emerge sync
emerge openssh
emerge clean

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at
http://dev.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/cKxBfT7nyhUpoZMRAmw0AJ92FPN0+E9Sm30c8B8rjF31/gQ7UwCcCWmi
ZSsCQAtKpTlq4M/KTdfMQ5M=
=mEO/
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSH

Notified:  September 22, 2003 Updated:  September 23, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AppGate Network Security AB

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

The OpenSSH used in AppGate has pam disabled so AppGate is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc.

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Apple: Not Vulnerable. Mac OS X is configured in a manner that is not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Bitvise

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Our WinSSHD server is based on different architecture and shares no codebase with OpenSSH; it is thus not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Check Point

Updated:  September 24, 2003

Status

  Not Vulnerable

Vendor Statement

No versions of Check Point products are affected by this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Clavister

Updated:  September 24, 2003

Status

  Not Vulnerable

Vendor Statement

Not Affected:

No Clavister products implement the SSH protocol.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Cray Inc. does support OpenSSH, however is not currently supporting OpenSSH 3.7. Even so, Cray does not compile with the "--with-pam" option and defaults to PrivilegeSeparation enabled. So Cray Inc. is not vulnerable to this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

The packages in the current Debian release (Debian 3.0/woody) are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Ingrian networks products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

MandrakeSoft patched 3.6.1 for updates, so none of our products are vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

The particular program in question is not used in any Microsoft products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mirapoint

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Mirapoint is not vulnerable to this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetScreen

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Appliance

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

NetApp products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Updated:  September 24, 2003

Status

  Not Vulnerable

Vendor Statement

This doesn't affect Openwall GNU/*/Linux, -- we haven't updated to a version of OpenSSH/portable with the newer FreeBSD-derived PAM code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Pragma Systems

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Since we do not support the PAM authentication this issue does not apply to our server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

Red Hat Linux and Red Hat Enterprise Linux contain versions of OpenSSH prior to version 3.7 and are therefore not vulnerable to these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Updated:  September 23, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Updated:  September 24, 2003

Status

  Not Vulnerable

Vendor Statement

Sun is not vulnerable to this. We have never shipped with this release.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WatchGuard

Updated:  September 24, 2003

Status

  Not Vulnerable

Vendor Statement

WatchGuard Products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc.

Updated:  September 23, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM eServer

Updated:  September 23, 2003

Status

  Unknown

Vendor Statement

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to


In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to and follow the steps for registration.

All questions should be refered to servsec@us.ibm.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 23 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Petri Heinonen and the OUSPG Team for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

CVE IDs: CVE-2003-0786
Severity Metric: 6.58
Date Public: 2003-09-23
Date First Published: 2003-09-23
Date Last Updated: 2003-09-24 15:35 UTC
Document Revision: 23

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.