Michael Sierchio
2003-Sep-23 07:48 UTC
OpenSSH: multiple vulnerabilities in the new PAM code
This affects only 3.7p1 and 3.7.1p1. The advice to leave PAM disabled is far from heartening, nor is the semi-lame blaming the PAM spec for implementation bugs.

I happen to like OPIE for remote access.

Subject: Portable OpenSSH Security Advisory: sshpam.adv

This document can be found at: http://www.openssh.com/txt/sshpam.adv

1. Versions affected:

Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled).

The OpenBSD releases of OpenSSH do not contain this code and are not vulnerable. Older versions of portable OpenSSH are not vulnerable.

2. Solution:

Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no" in sshd_config).

Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites only using public key or simple password authentication usually have little need to enable PAM
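The advisory's two conditions (an affected build, with PAM enabled, and the far worse case of privilege separation also switched off) can be checked mechanically against an sshd_config. The script below is an added example, not part of this thread or of the OpenSSH project; it applies sshd's first-value-wins rule when reading the file, and the DEFAULTS table and the sample configs are assumptions constructed for the example, not values from the advisory.

```python
import re

# From the advisory: the only affected releases.
AFFECTED_VERSIONS = {"3.7p1", "3.7.1p1"}
# Assumed defaults when a keyword is absent from sshd_config (not stated on
# the page; adjust them to the build you are auditing).
DEFAULTS = {"usepam": "yes", "useprivilegeseparation": "yes"}


def parse_sshd_config(text):
    """Map lowercase keyword -> value. sshd keeps the first value it sees for
    a keyword, so later duplicates are ignored; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def assess(version, config_text):
    """Return a list of findings for one sshd instance (empty = nothing to do)."""
    if version not in AFFECTED_VERSIONS:
        return []
    cfg = {**DEFAULTS, **parse_sshd_config(config_text)}
    pam_on = cfg["usepam"].lower() == "yes"
    privsep_on = cfg["useprivilegeseparation"].lower() == "yes"
    findings = []
    if pam_on:
        findings.append("affected version with UsePAM enabled: "
                        "upgrade to 3.7.1p2 or set 'UsePAM no'")
        if not privsep_on:
            findings.append("privilege separation disabled: this is the "
                            "configuration the advisory calls remotely exploitable")
    return findings


# Constructed sample configs (not taken from the page).
PAM_OFF_CFG = "Port 22\nUsePAM no\n# UsePAM yes\n"
RISKY_CFG = ("UsePAM yes\nUsePrivilegeSeparation no\n"
             "UsePAM no   # ignored by sshd: first value wins\n")

if __name__ == "__main__":
    for ver, cfg in (("3.6.1p2", RISKY_CFG), ("3.7.1p1", PAM_OFF_CFG), ("3.7p1", RISKY_CFG)):
        print(ver, assess(ver, cfg))
```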
Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD 4.8/4.9 are not affected :)

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033 | POC: HAESU-ARIN

On Tue, Sep 23, 2003 at 07:48:45AM -0700, Michael Sierchio wrote:
> This affects only 3.7p1 and 3.7.1p1. The advice to leave PAM disabled is far from heartening, nor is the semi-lame blaming the PAM spec for implementation bugs.
>
> I happen to like OPIE for remote access.
>
> Subject: Portable OpenSSH Security Advisory: sshpam.adv
>
> This document can be found at: http://www.openssh.com/txt/sshpam.adv
>
> 1. Versions affected:
>
> Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled).
>
> The OpenBSD releases of OpenSSH do not contain this code and are not vulnerable. Older versions of portable OpenSSH are not vulnerable.
>
> 2. Solution:
>
> Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no" in sshd_config).
>
> Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites only using public key or simple password authentication usually have little need to enable PAM
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Dag-Erling Smørgrav
2003-Sep-24 12:00 UTC
OpenSSH: multiple vulnerabilities in the new PAM code
Michael Sierchio <kudzu@tenebras.com> writes:
> This affects only 3.7p1 and 3.7.1p1. The advice to leave PAM disabled is far from heartening, nor is the semi-lame blaming the PAM spec for implementation bugs.

They have their axe to grind. The PAM spec is not to be blamed; although the spec is remarkably unclear on some points related to the offending code, the fault for the bug is entirely mine.

In the meantime, it is important to point out that privilege separation (which is on by default in FreeBSD) prevents exploitation of the first bug, and that there is no known way to exploit the second bug.

It is also important to point out that the second bug is not directly PAM-related. The bug is in a common portion of the ssh1 kbdint code; it just so happens that the PAM code is the only kbdint device which triggers it. And it just so happens that I wrote those few lines as well :(

DES

--
Dag-Erling Smørgrav - des@des.no
At 11:44 AM 26/09/2003, Colin Percival wrote:
> At 11:38 26/09/2003 -0400, Mike Tancsa wrote:
>> In the meantime, I take it the same build instructions apply?
>
> Almost. des bumped the version numbers in the config files, so you might want to mergemaster. (Or not; it seems rather pointless to me.)

Thanks, I figured that since the only diff was an added comment in sshd_config I would not bother to do so.

---Mike