
CERT Coordination Center

OpenSSH does not initialize PAM session thereby allowing PAM restrictions to be bypassed

Vulnerability Note VU#797027

Original Release Date: 2001-12-07 | Last Revised: 2001-12-12

Overview

OpenSSH is an implementation of the Secure Shell (SSH) protocol. It can be configured to use Linux Pluggable Authentication Modules (PAM) for added authentication. A vulnerability exists in OpenSSH, and perhaps other implementations of SSH, that can allow a user to bypass PAM restrictions.

Description

OpenSSH fails to call pam_open_session if no pty (pseudo-terminal driver) is used. As a result, the security modules specified in /etc/pam.d are not activated for that session. It has been pointed out that if you use pam_limits.so to set resource limits, users could bypass these limits by calling ssh without a pty.
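One way to confirm that pam_limits.so was applied to a running session is to compare the limits configured for the user with the limits the session's process actually has. The following is an added example, not code from CERT/CC or OpenSSH. It assumes a Linux host that exposes /proc/<pid>/limits, checks only the count-valued items nproc and nofile, and uses a constructed user name and constructed sample data.

```python
import re

# limits.conf item -> row label in /proc/<pid>/limits (count-valued items only,
# so no unit conversion is needed).
ITEM_TO_PROC = {"nproc": "Max processes", "nofile": "Max open files"}
UNLIMITED = {"unlimited", "infinity", "-1"}

def expected_limits(conf_text, user):
    """Return {(item, kind): value} for user; user lines override '*' lines."""
    found = {}
    for domain in ("*", user):  # second pass overrides the wildcard
        for line in conf_text.splitlines():
            fields = line.split("#", 1)[0].split()
            if len(fields) != 4 or fields[0] != domain or fields[2] not in ITEM_TO_PROC:
                continue
            kinds = ("soft", "hard") if fields[1] == "-" else (fields[1],)
            for kind in kinds:
                found[(fields[2], kind)] = fields[3]
    return found

def effective_limits(proc_text):
    """Parse /proc/<pid>/limits text into {(label, kind): value}."""
    out = {}
    for line in proc_text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if cols[0].startswith("Max") and len(cols) >= 3:
            out[(cols[0], "soft")], out[(cols[0], "hard")] = cols[1], cols[2]
    return out

def unapplied(conf_text, proc_text, user):
    """List (item, kind, configured, effective) where the session is looser."""
    actual, gaps = effective_limits(proc_text), []
    for (item, kind), want in sorted(expected_limits(conf_text, user).items()):
        got = actual.get((ITEM_TO_PROC[item], kind))
        looser = got is None or (want not in UNLIMITED and
                                 (got in UNLIMITED or int(got) > int(want)))
        if looser:
            gaps.append((item, kind, want, got))
    return gaps

# Constructed sample data (not from the advisory).
CONF = """# /etc/security/limits.conf (constructed)
*      hard  nofile  4096
alice  -     nproc   50
alice  soft  nofile  1024
"""
HEADER = "Limit                     Soft Limit           Hard Limit           Units\n"
WITH_SESSION = HEADER + """Max processes             50                   50                   processes
Max open files            1024                 4096                 files
"""
NO_SESSION = HEADER + """Max processes             15421                15421                processes
Max open files            1024                 1048576              files
"""
```

An empty result from `unapplied` means the session carries every configured limit; any returned tuple names a limit that the session did not receive.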

Impact

An attacker can bypass the PAM security modules specified on the target machine.

Solution

Upgrade to OpenSSH 2.9.9p1.

Restrict access to the SSH service

You may wish to disable SSH access until a patch is available from your vendor.

If you cannot disable the service, you can limit your exposure to this vulnerability by using a router or firewall to restrict access to port 22/TCP (SSH). You can also implement TCP Wrappers.

Vendor Information


OpenSSH Affected

Updated:  December 07, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F-Secure Not Affected

Updated:  December 11, 2001

Status

Not Affected

Vendor Statement

The F-Secure SSH versions 2.x - 3.x call pam_open_session regardless of whether a pty is requested or not.

The F-Secure SSH versions 1.x don't implement PAM authentication.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SSH Communications Security Not Affected

Notified:  December 07, 2001 Updated: December 12, 2001

Status

Not Affected

Vendor Statement

I can confirm that we are not vulnerable to this due to a different PAM implementation style.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



Acknowledgements

Christian Kraemer discovered this vulnerability.

This document was written by Jason Rafail.

Other Information

CVE IDs: None
Severity Metric: 3.38
Date Public: 2001-06-19
Date First Published: 2001-12-07
Date Last Updated: 2001-12-12 14:39 UTC
Document Revision: 5

Sponsored by CISA.