Kevin Steves
2001-Feb-08 23:55 UTC
Authentication By-Pass Vulnerability in OpenSSH 2.3.1 (devel snapshot) (fwd)
fyi for those running snapshots. the latest portable cvs has the fix and the version is 2.3.2p1. Kevin ---------- Forwarded message ---------- Date: Thu, 08 Feb 2001 18:15:00 -0500 From: Niels Provos <provos at citi.umich.edu> To: security-announce at openbsd.org Subject: Authentication By-Pass Vulnerability in OpenSSH 2.3.1 (devel snapshot) ---------------------------------------------------------------------------- OpenBSD Security Advisory February 8, 2001 Authentication By-Pass Vulnerability in OpenSSH-2.3.1 ---------------------------------------------------------------------------- SYNOPSIS OpenSSH-2.3.1, a development snapshot, only checked if a public key for public key authentication was permitted. In the protocol 2 part of the server, the challenge-response step that ensures that the connecting client is in possession of the corresponding private key has been omitted. As a result, anyone who could obtain the public key listed in the users authorized_keys file could log in as that user without authentication. A fix for this problem was committed on Februrary 8th. The problem was introduced on January 18th. This is a three week time window. ---------------------------------------------------------------------------- AFFECTED SYSTEMS This vulnerability affects only OpenSSH version 2.3.1 with support for protocol 2 enabled. The latest official release OpenSSH 2.3.0 is not affected by this problem. The latest snapshot version OpenSSH 2.3.2 is not affected either. ---------------------------------------------------------------------------- RESOLUTION If you installed the OpenSSH 2.3.1 development snapshot, install the latest snapshot. Currently, the latest snapshot is OpenSSH 2.3.2 which is available via http://www.openssh.com/. ----------------------------------------------------------------------------
Not good, considering the advisory just released! :) http://bass.directhit.com/openssh_snap/ - Rob
Damien Miller
2001-Feb-09 02:30 UTC
Authentication By-Pass Vulnerability in OpenSSH 2.3.1 (devel snapshot) (fwd)
On Fri, 9 Feb 2001, Kevin Steves wrote: fyi I have zeroed out all the broken snapshots to prevent people downloading the vulnerable code. The next snapshot will have the fix included. -d> fyi for those running snapshots. the latest portable cvs has the fix > and the version is 2.3.2p1. > > Kevin > > ---------- Forwarded message ---------- > Date: Thu, 08 Feb 2001 18:15:00 -0500 > From: Niels Provos <provos at citi.umich.edu> > To: security-announce at openbsd.org > Subject: Authentication By-Pass Vulnerability in OpenSSH 2.3.1 (devel > snapshot) > > ---------------------------------------------------------------------------- > > OpenBSD Security Advisory > > February 8, 2001 > > Authentication By-Pass Vulnerability in OpenSSH-2.3.1 > > ---------------------------------------------------------------------------- > > SYNOPSIS > > OpenSSH-2.3.1, a development snapshot, only checked if a public key > for public key authentication was permitted. In the protocol 2 part > of the server, the challenge-response step that ensures that the > connecting client is in possession of the corresponding private key > has been omitted. As a result, anyone who could obtain the public key > listed in the users authorized_keys file could log in as that user > without authentication. > > A fix for this problem was committed on Februrary 8th. The problem > was introduced on January 18th. This is a three week time window. > > ---------------------------------------------------------------------------- > > AFFECTED SYSTEMS > > This vulnerability affects only OpenSSH version 2.3.1 with support for > protocol 2 enabled. The latest official release OpenSSH 2.3.0 is not > affected by this problem. The latest snapshot version OpenSSH 2.3.2 > is not affected either. > > ---------------------------------------------------------------------------- > > RESOLUTION > > If you installed the OpenSSH 2.3.1 development snapshot, install the > latest snapshot. Currently, the latest snapshot is OpenSSH 2.3.2 which > is available via http://www.openssh.com/. > > ---------------------------------------------------------------------------- > > >-- | Damien Miler <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer