
CERT Coordination Center

OpenSSH does not initialize PAM session thereby allowing PAM restrictions to be bypassed

Vulnerability Note VU#797027

Original Release Date: 2001-12-07 | Last Revised: 2001-12-12

Overview

OpenSSH is an implementation of the Secure Shell (SSH) protocol. It can be configured to use Linux Pluggable Authentication Modules (PAM) for added authentication. A vulnerability exists in OpenSSH, and perhaps in other implementations of SSH, that can potentially allow a user to bypass PAM restrictions.

Description

OpenSSH fails to call pam_open_session if no pty (pseudo-terminal driver) is used. As a result, the security modules specified in /etc/pam.d are not activated. It has been pointed out that if you use pam_limits.so to set resource limits, users could bypass these limits by calling ssh in this manner.
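To see which restrictions on a host depend on the session stack that is skipped when pam_open_session is not called, the following added example (not part of the original advisory or of OpenSSH) lists the `session` entries of a PAM service file. The sample file contents and the function name `session_stack` are constructed for illustration.

```python
import re

# Constructed sample of an /etc/pam.d/sshd file (not taken from the advisory).
SAMPLE_SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_unix.so
account    required     pam_nologin.so
session    required     pam_limits.so
session    [success=ok default=ignore] pam_lastlog.so \\
           showfailed
-session   optional     pam_mkhomedir.so umask=0077
session    include      system-auth
@include   common-session
"""

# type, control (simple keyword or [bracketed list]), module, optional args
ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def session_stack(pam_text):
    """Return (modules, includes) for the 'session' management group.

    modules  -- (control, module, args) entries that only run when the
                application calls pam_open_session()
    includes -- other files referenced by include/substack/@include, which
                must be audited the same way (they are not followed here)
    """
    text = pam_text.replace("\\\n", " ")        # join continued lines
    modules, includes = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # simplification: '#' starts a comment
        if not line:
            continue
        if line.startswith("@include"):         # Debian-style whole-file include
            includes.append(line.split()[1])
            continue
        m = ENTRY.match(line)
        if not m or m.group(1).lower() != "session":
            continue
        control, target, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            includes.append(target)
        else:
            modules.append((control, target, args))
    return modules, includes

if __name__ == "__main__":
    mods, incs = session_stack(SAMPLE_SSHD_PAM)
    for control, module, args in mods:
        print(f"session-only module: {module} ({control}) {' '.join(args)}")
    print("also audit:", ", ".join(incs))
```

Any module reported here, such as pam_limits.so in the sample, is enforced only for sessions in which the server opens a PAM session.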

Impact

An attacker can bypass the PAM security modules specified on the target machine.

Solution

Upgrade to OpenSSH 2.9.9p1.

Restrict access to the SSH service

You may wish to disable SSH access until a patch is available from your vendor.

If you cannot disable the service, you can limit your exposure to these vulnerabilities by using a router or firewall to restrict access to port 22/TCP (SSH). Also consider implementing TCP Wrappers.

Acknowledgements

Christian Kraemer discovered this vulnerability.

This document was written by Jason Rafail.

Other Information

CVE IDs: None
Severity Metric: 3.38
Date Public: 2001-06-19
Date First Published: 2001-12-07
Date Last Updated: 2001-12-12 14:39 UTC
Document Revision: 5

Sponsored by CISA.