CERT/CC Vulnerability Note VU#602204

Overview

There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). This vulnerability could permit a remote attacker to log in to the system as any user, including potentially root, without using a password.

Description

There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). Versions 3.7p1 and 3.7.1p1 are affected. Note that the OpenBSD-specific releases are not affected by this issue.

Remote attackers could exploit servers configured with the following parameters:

OpenSSH 3.7.1p1 (portable)
Any platform
compiled with --with-pam
PrivilegeSeparation disabled
Protocol version 1 enabled (default)
ChallengeResponse enabled (default)

Note that this affects systems with password authentication disabled but challenge-response authentication still enabled. This does not to affect systems using SSHv2, but many systems are configured to fall back to SSHv1 if SSHv2 is not supported by the client.

Impact

A remote attacker could potentially log in to the system as any user, including root, using a null password. The root user can only be logged into if "PermitRootLogin" is enabled.

Solution

OpenSSH has announced version 3.7.1p2 to resolve this issue.

This issue can be mitigated by not using PAM. Set "UsePAM no" in sshd_config. To prevent root logins, Set "PermitRootLogin no".

Vendor Information

602204

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Gentoo Linux Affected

Updated: September 24, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

- - - --------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200309-14 - - - ---------------------------------------------------------------------
PACKAGE : openssh SUMMARY : multiple vulnerabilities in new PAM code
DATE : 2003-09-23 20:25 UTC EXPLOIT : remote
VERSIONS AFFECTED : <openssh-3.7.1_p2 FIXED VERSION : >=openssh-3.7.1_p2
CVE :
- - - ---------------------------------------------------------------------
quote from advisory:
"Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled)."
read the full advisory at:http://www.openssh.com/txt/sshpam.adv
SOLUTION
It is recommended that all Gentoo Linux users who are running net-misc/openssh upgrade to openssh-3.7.1_p2 as follows:
emerge sync emerge openssh emerge clean
- - - --------------------------------------------------------------------- aliz@gentoo.org - GnuPG key is available athttp://dev.gentoo.org/~aliz- - - --------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/cKxBfT7nyhUpoZMRAmw0AJ92FPN0+E9Sm30c8B8rjF31/gQ7UwCcCWmi ZSsCQAtKpTlq4M/KTdfMQ5M= =mEO/ -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSH Affected

Notified: September 22, 2003 Updated: September 23, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AppGate Network Security AB Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

The OpenSSH used in AppGate has pam disabled so AppGate is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc. Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Apple: Not Vulnerable. Mac OS X is configured in a manner that is not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Bitvise Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Our WinSSHD server is based on different architecture and shares no codebase with OpenSSH; it is thus not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Check Point Not Affected

Updated: September 24, 2003

Status

Not Affected

Vendor Statement

No versions of Check Point products are affected by this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Clavister Not Affected

Updated: September 24, 2003

Status

Not Affected

Vendor Statement

Not Affected:

No Clavister products implement the SSH protocol.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc. Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Cray Inc. does support OpenSSH, however is not currently supporting OpenSSH 3.7. Even so, Cray does not compile with the "--with-pam" option and defaults to PrivilegeSeparation enabled. So Cray Inc. is not vulnerable to this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

The packages in the current Debian release (Debian 3.0/woody) are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Ingrian networks products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

MandrakeSoft patched 3.6.1 for updates, so none of our products are vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

The particular program in question is not used in any Microsoft products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mirapoint Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Mirapoint is not vulnerable to this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetScreen Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Appliance Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

NetApp products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux Not Affected

Updated: September 24, 2003

Status

Not Affected

Vendor Statement

This doesn't affect Openwall GNU/*/Linux, -- we haven't updated to a version of OpenSSH/portable with the newer FreeBSD-derived PAM code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Pragma Systems Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Since we do not support the PAM authentication this issue does not apply to our server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Red Hat Linux and Red Hat Enterprise Linux contain versions of OpenSSH prior to version 3.7 and are therefore not vulnerable to these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc. Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Not Affected

Updated: September 24, 2003

Status

Not Affected

Vendor Statement

Sun is not vulnerable to this. We have never shipped with this release.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WatchGuard Not Affected

Updated: September 24, 2003

Status

Not Affected

Vendor Statement

WatchGuard Products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc. Unknown

Updated: September 23, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM eServer Unknown

Updated: September 23, 2003

Status

Unknown

Vendor Statement

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to

https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=3D

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to and follow the steps for registration.

All questions should be refered to servsec@us.ibm.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 23 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Petri Heinonen and the OUSPG Team for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

CVE IDs:	CVE-2003-0786
Severity Metric:	6.58
Date Public:	2003-09-23
Date First Published:	2003-09-23
Date Last Updated:	2003-09-24 15:35 UTC
Document Revision:	23

Software Engineering Institute

CERT Coordination Center

OpenSSH PAM challenge authentication failure

Vulnerability Note VU#602204

Overview

Description

Impact

Solution

Vendor Information

Gentoo Linux Affected

Status

Vendor Statement

Vendor Information

Addendum

OpenSSH Affected

Status

Vendor Statement

Vendor Information

Addendum

AppGate Network Security AB Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Apple Computer Inc. Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Bitvise Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Check Point Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Clavister Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Cray Inc. Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Debian Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Ingrian Networks Not Affected

Status

Vendor Statement

Vendor Information

Addendum

MandrakeSoft Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Microsoft Corporation Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Mirapoint Not Affected

Status

Vendor Statement

Vendor Information

Addendum

NetScreen Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Network Appliance Not Affected