Portable OpenSSH PAM free() Bug May Let Remote Users Execute Root Code
SecurityTracker Alert ID: 1007791
CVE Reference: CAN-2003-0786, CAN-2003-0787
Updated: Dec 1 2003
Original Entry Date: Sep 23 2003
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Portable Version Only; 3.7p1 and 3.7.1p1
Description: A vulnerability was reported in the PAM implementation of two specific portable versions of OpenSSH. A remote user may be able to execute arbitrary code.
It is reported that there are multiple flaws in the new PAM code in portable OpenSSH versions 3.7p1 and 3.7.1p1. With at least one of these bugs, a remote user can cause arbitrary code to be executed on the target system when the target system is in a non-standard configuration (with privsep disabled).
The vendor notes that the OpenBSD releases of OpenSSH do not contain this code and, therefore, are not vulnerable. Portable OpenSSH versions prior to 3.6.1p2 are also not affected.
Impact: A remote user may be able to execute arbitrary code on the target system with root privileges.
Solution: The vendor has released a fixed version (3.7.1p2), available at:
http://www.openssh.org/portable.html
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7.1p2.tar.gz
As a workaround, the vendor reports that you can disable PAM support ("UsePam no" in sshd_config).
The vendor has also provided the following warning regarding use of PAM with OpenSSH:
"Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites only using public key or simple password authentication usually have little need to enable PAM support."
Please note that this version contains fixes for the four *realloc() bugs that Solar Designer discovered in 3.7.1p1 and prior versions. However, the purpose of the 3.7.1p2 release is to correct the security flaws in the PAM code, not the Solar Designer bugs. As described in a previous alert, Solar Designer considers the *realloc() bugs to have no security impact.
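Added example, not part of the advisory or of OpenSSH's own code: a small Python audit that classifies a host from its version banner and sshd_config text against the affected versions, the privsep condition and the PAM workaround described above. Function names and result labels are hypothetical, and the sample banner and config are constructed.

```python
import re

# Affected portable releases, as listed in the advisory.
AFFECTED = {"3.7p1", "3.7.1p1"}

def banner_version(banner):
    """Extract e.g. '3.7.1p1' from an SSH banner or `ssh -V` string."""
    m = re.search(r"OpenSSH_(\d+(?:\.\d+)*(?:p\d+)?)", banner)
    return m.group(1) if m else None

def effective_options(config_text):
    """Parse sshd_config text; keywords are case-insensitive and the
    first value obtained for a keyword is the one sshd uses."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def assess(banner, config_text):
    """Classify a host against the advisory (labels are hypothetical)."""
    if banner_version(banner) not in AFFECTED:
        return "version-not-listed"
    opts = effective_options(config_text)
    pam = opts.get("usepam")
    if pam == "no":
        return "workaround-applied"      # "UsePam no" per the advisory
    if pam is None:
        return "usepam-unset-check-build-default"
    if opts.get("useprivilegeseparation") == "no":
        return "pam-on-privsep-off"      # the remotely exploitable case
    return "pam-on-upgrade-needed"       # affected PAM code is in use

# Constructed sample input, not taken from a real host.
SAMPLE_BANNER = "SSH-1.99-OpenSSH_3.7.1p1"
SAMPLE_CONFIG = """\
# constructed example
Protocol 2
usepam yes
UsePrivilegeSeparation no
UsePAM no
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

The sample shows a workaround line appended below an earlier "usepam yes": the earlier value stays in effect, so the host is still classified as running PAM with privsep disabled.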
Vendor URL: www.openssh.com/txt/sshpam.adv
Cause: State error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 23 Sep 2003 09:36:54 -0400
Subject: www.openssh.com/txt/sshpam.adv
This document can be found at: http://www.openssh.com/txt/sshpam.adv
1. Versions affected:
Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs
is remotely exploitable (under a non-standard configuration,
with privsep disabled).
The OpenBSD releases of OpenSSH do not contain this code and
are not vulnerable. Older versions of portable OpenSSH are not
vulnerable.
2. Solution:
Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
support ("UsePam no" in sshd_config).
Due to complexity, inconsistencies in the specification and
differences between vendors' PAM implementations we recommend
that PAM be left disabled in sshd_config unless there is a need
for its use. Sites only using public key or simple password
authentication usually have little need to enable PAM support.