
SCO Group alert CSSA-2002-030.0 (OpenSSH)

From:  security@caldera.com
To:  bugtraq@securityfocus.com, announce@lists.caldera.com, security-alerts@linuxsecurity.com
Subject:  Security Update: [CSSA-2002-030.0] Linux: OpenSSH Vulnerabilities in Challenge Response Handling
Date:  Thu, 27 Jun 2002 11:52:21 -0700

To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com

______________________________________________________________________________

            Caldera International, Inc.  Security Advisory

Subject:            Linux: OpenSSH Vulnerabilities in Challenge Response Handling
Advisory number:    CSSA-2002-030.0
Issue date:         2002 June 27
Cross reference:
______________________________________________________________________________


1. Problem Description

    Several vulnerabilities have been reported in OpenSSH if the S/KEY
    or BSD Auth features have been enabled, or if
    PAMAuthenticationViaKbdInt has been enabled.


2. Vulnerable Supported Versions

    System                        Package
    ----------------------------------------------------------------------
    OpenLinux 3.1.1 Server        prior to and including openssh-3.2.3p1-2
    OpenLinux 3.1.1 Workstation   prior to and including openssh-3.2.3p1-2
    OpenLinux 3.1 Server          prior to and including openssh-3.2.3p1-2
    OpenLinux 3.1 Workstation     prior to and including openssh-3.2.3p1-2


3. Solution

    Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth
    features compiled in, so it is not vulnerable to the
    Challenge/Response vulnerability. We do have the
    ChallengeResponseAuthentication option on by default, however, so
    to be safe, we recommend that the option be disabled (set to no)
    in the /etc/ssh/sshd_config file.

    In addition, the sshd_config PAMAuthenticationViaKbdInt option is
    disabled by default, so OpenLinux is not vulnerable to the other
    alleged vulnerability in a default configuration, either. However,
    Caldera recommends that this option also be disabled (set to no)
    if it has been enabled by the system administrator.


4. References

    Specific references for this advisory:

        http://www.cert.org/advisories/CA-2002-18.html

    Caldera security resources:

        http://www.caldera.com/support/security/index.html


5. Disclaimer

    Caldera International, Inc. is not responsible for the misuse of
    any of the information we provide on this website and/or through
    our security advisories. Our advisories are a service to our
    customers intended to promote secure installation and use of
    Caldera products.

______________________________________________________________________________



Is there _any_ Linux distributor who is vulnerable?

Posted Jun 27, 2002 23:54 UTC (Thu) by JoeBuck (subscriber, #2330)

Is there any Linux distributor that ships an openssh binary that is vulnerable to this hole? It appears that the answer may well be "no".

Is there _any_ Linux distributor who is vulnerable?

Posted Jun 28, 2002 14:04 UTC (Fri) by beejaybee (guest, #1581)

Oh dear. You have the question the wrong way round - is there _any_ Linux distribution which isn't vulnerable, or at least has been vulnerable in the very recent past.

Obviously you don't read the security alerts, so:

You are SERIOUSLY vulnerable if you are running ANY version of OpenSSH prior to v3.1 - irrespective of the configuration - for a number of reasons; exploits for the exposed vulnerabilities have been around for a while now, and systems are frequently scanned for evidence of them.

With OpenSSH v3.1, v3.2 & v3.3 you are vulnerable UNLESS you have disabled challenge response authentication, i.e. to be safe you MUST have

ChallengeResponseAuthentication no

in sshd_config.

With OpenSSH v3.1, v3.2 & v3.3 you are vulnerable if you have PAM authentication enabled, i.e. to be safe you MUST NOT have

PAMAuthenticationViaKbdInt yes

in sshd_config.

Don't forget to restart sshd (the required incantation is probably "/etc/rc.d/init.d/sshd restart") if you change sshd_config.

Upgrading to OpenSSH v3.4 is desirable, since disabling services may result in lack of required functionality.

Please don't bury your head in the sand - configure safely or upgrade NOW!
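
A check for the two sshd_config settings named in the advisory and in the comment above, as an added example that is not part of the advisory or of any comment. It reports the value sshd would actually use for each option; the defaults are the ones the advisory states for Caldera's package, and the function names and sample file are constructed for illustration.

```python
# Added example, not from the advisory. Defaults below are the ones the
# advisory states for Caldera's package (assumed to match the build audited).
ADVISORY_DEFAULTS = {
    "challengeresponseauthentication": "yes",  # "on by default"
    "pamauthenticationviakbdint": "no",        # "disabled by default"
}


def effective_options(config_text):
    """Return {keyword: (value, line_no)}; line_no is None if the default applies."""
    found = {}
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments set nothing
        parts = line.replace("=", " ", 1).split()  # "Keyword value" or "Keyword=value"
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1]
        # Keywords are case-insensitive and sshd keeps the first value it reads,
        # so a later "no" does not undo an earlier "yes".
        if keyword in ADVISORY_DEFAULTS and keyword not in found:
            found[keyword] = (value, line_no)
    for keyword, default in ADVISORY_DEFAULTS.items():
        found.setdefault(keyword, (default, None))
    return found


def audit(config_text):
    """List options whose effective value is not the 'no' the advisory recommends."""
    findings = []
    for keyword, (value, line_no) in sorted(effective_options(config_text).items()):
        if value != "no":
            where = f"line {line_no}" if line_no else "unset, default applies"
            findings.append(f"{keyword} = {value} ({where})")
    return findings


# Constructed sample: the commented-out "no" is inert, and the second
# PAMAuthenticationViaKbdInt line is never reached.
SAMPLE = """\
#ChallengeResponseAuthentication no
Port 22
PAMAuthenticationViaKbdInt yes
PAMAuthenticationViaKbdInt no
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "both options are effectively 'no'")
```

On the sample, both options are reported: one because it is only present as a comment and so falls back to the default, the other because the first of two conflicting lines wins.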

Is there _any_ Linux distributor who is vulnerable?

Posted Jun 28, 2002 18:19 UTC (Fri) by JoeBuck (subscriber, #2330)

You clearly misunderstand my point. Debian, Red Hat, Caldera and others were not vulnerable at all to the challenge-response authentication bug, because they did not enable that feature. Same for BSDAuth. That's why I questioned whether they were vulnerable at all; my head is not in the sand. Based on the initial description, it appeared that the vulnerabilities were only in options that the Linux distributors had not enabled.

Similarly, Debian potato has so old a version of ssh that it is not vulnerable either. However, it turns out that the woody version is vulnerable to the PAM/kbdint problem, though there is no known exploit for that one.

