Here we go again! According to this latest advisory, the PAMAuthenticationViaKbdInt bug could be a problem IF and ONLY IF it's enabled.
I checked both 7.3 and 7.2, PAMAuthenticationViaKbdInt is disabled by default. This was openssh-3.1p1-3 and openssh-3.1p1-2, respectively. Both sshd man pages verify that 'PAMAuthenticationViaKbdInt no' is the default. Not that I'm the expert or anything, but this appears to be a non-issue for anyone using stock Redhat-supplied openssh, unless you specifically enabled PAMAuthenticationViaKbdInt. Bill Carlson -- Systems Programmer [EMAIL PROTECTED] | Anything is possible, Virtual Hospital http://www.vh.org/ | given time and money. University of Iowa Hospitals and Clinics | Opinions are mine, not my employer's. | ---------- Forwarded message ---------- Date: Wed, 26 Jun 2002 21:08:17 +0200 From: Markus Friedl <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Revised OpenSSH Security Advisory (adv.iss) This is the 2nd revision of the Advisory. 1. Versions affected: Serveral versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. All versions between 2.3.1 and 3.3 contain a bug in the PAMAuthenticationViaKbdInt code. All versions between 2.9.9 and 3.3 contain a bug in the ChallengeResponseAuthentication code. OpenSSH 3.4 and later are not affected. OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables UsePrivilegeSeparation by default. Although some earlier versions are not affected upgrading to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds checks for a class of potential bugs. 2. Impact: This bug can be exploited remotely if ChallengeResponseAuthentication is enabled in sshd_config. Affected are at least systems supporting s/key over SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD as well as other systems supporting s/key with SSH). Exploitablitly of systems using PAMAuthenticationViaKbdInt has not been verified. 3. Short-Term Solution: Disable ChallengeResponseAuthentication in sshd_config. and Disable PAMAuthenticationViaKbdInt in sshd_config. Alternatively you can prevent privilege escalation if you enable UsePrivilegeSeparation in sshd_config. 4. Solution: Upgrade to OpenSSH 3.4 or apply the following patches. 5. Credits: ISS. Appendix: A: Index: auth2-chall.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS file: /var/cvs/openssh/auth2-pam.c,v retrieving revision 1.12 diff -u -r1.12 auth2-pam.c --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12 +++ auth2-pam.c 26 Jun 2002 10:12:31 -0000 @@ -140,6 +140,15 @@ nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp); + + if (nresp != context_pam2.num_expected) + fatal("%s: Received incorrect number of responses " + "(expected %u, received %u)", __func__, nresp, + context_pam2.num_expected); + + if (nresp > 100) + fatal("%s: too many replies", __func__); + for (i = 0; i < nresp; i++) { int j = context_pam2.prompts[i]; _______________________________________________ Redhat-list mailing list [EMAIL PROTECTED] https://listman.redhat.com/mailman/listinfo/redhat-list
