N-158: CERT: Portable OpenSSH server PAM Vulnerability

CIAC INFORMATION BULLETIN

N-158: CERT: Portable OpenSSH server PAM Vulnerability

[Vulnerability Note VU#209807]

September 30, 2003 18:00 GMT
[REVISED 1 Oct 2003]

PROBLEM: A vulnerability in the Portable OpenSSH server that may corrupt the PAM conversion stack.
PLATFORM: OpenSSH 3.7.1p1 (portable)
IRIX 6.5.22
DAMAGE: The complete impact of this vulnerability is not yet known, but may lead to privilege escalation, or a denial of service.
SOLUTION: Change the config file or apply upgrades.
(Note: the config file change made for CIAC N-157, CERT/CC Vulnerability Note "OpenSSH PAM challenge authentication failure", also fixes this.)
Download and install appropriate files from appropriate vendor.

VULNERABILITY ASSESSMENT: The risk is MEDIUM. The complete impact of this vulnerability is not yet known, but may lead to privilege escalation, or a denial of service.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-158.shtml
  ORIGINAL BULLETIN: http://www.kb.cert.org/vuls/id/209807
  ADDITIONAL LINKS: SGI Security Advisory 20030904-01-P
   http://www.sgi.com/support/security/advisories.html

REVISION HISTORY:
10/1/03 - Updated PLATFORM section; added link for SGI Security Advisory 20030904-01-P.


[***** Start Vulnerability Note VU#209807 *****]

Vulnerability Note VU#209807

Portable OpenSSH server PAM conversion stack corruption

Overview

There is a vulnerability in the Portable OpenSSH server that may corrupt the PAM conversion stack. 

I. Description

The Portable OpenSSH server contains a vulnerability that may permit an attacker to corrupt the PAM 
conversion stack. Versions 3.7p1 and 3.7.1p1 are affected. Note that the OpenBSD-specific releases 
are not affected by this issue. 

II. Impact

The complete impact of this vulnerability is not yet known, but may lead to privilege escalation, or 
a denial of service.

III. Solution

OpenSSH has announced version 3.7.1p2 to resolve this issue. 

This issue can be mitigated by not using PAM. Set "UsePAM no" in sshd_config. 
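
As an added example (not part of the CERT or CIAC text), the shell functions below check a host against this note: whether the version banner is one of the two affected portable releases, and whether sshd_config explicitly sets "UsePAM no". The function names, status strings and sample config are hypothetical; a missing UsePAM line is reported as needing action because the mitigation above is an explicit setting.

```shell
#!/bin/sh
# Added example: host check for VU#209807. Function names are hypothetical.

# Print the effective UsePAM value from an sshd_config file, or "unset".
# sshd keywords are case-insensitive and the first occurrence wins.
effective_usepam() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)  # also tolerate keyword=value
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == "usepam") { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# True only for the portable releases named in the note (3.7p1, 3.7.1p1).
# Accepts a bare version or a full "ssh -V" style banner.
is_affected_version() {
    case "$1" in
        OpenSSH_3.7p1|OpenSSH_3.7p1[!0-9]*) return 0 ;;
        OpenSSH_3.7.1p1|OpenSSH_3.7.1p1[!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = version banner, $2 = path to sshd_config.
# Prints not-affected, mitigated, or needs-action.
assess() {
    if ! is_affected_version "$1"; then echo "not-affected"; return 0; fi
    if [ "$(effective_usepam "$2")" = "no" ]; then echo "mitigated"
    else echo "needs-action"; fi
}

# Constructed sample: the commented-out "no" does not count, and the first
# live UsePAM line ("yes") overrides the later "no".
sample=$(mktemp)
printf '%s\n' '#UsePAM no' 'Port 22' 'usepam yes' 'UsePAM no' > "$sample"
assess "OpenSSH_3.7.1p1, SSH protocols 1.5/2.0" "$sample"   # needs-action
rm -f "$sample"
```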

Systems Affected

Vendor     Status       Date Updated
OpenSSH    Vulnerable   24-Sep-2003

References

http://marc.theaimsgroup.com/?l=openbsd-misc&m=106432248311634&w=2
http://www.openssh.com/txt/sshpam.adv 

Credit

Thanks to OpenSSH for reporting this vulnerability. 

This document was written by Jason A Rafail. 

Other Information

Date Public:           09/23/2003
Date First Published:  09/24/2003 11:06:09 AM
Date Last Updated:     09/24/2003
CERT Advisory:
CVE Name:              CAN-2003-0787
Metric:                1.50
Document Revision:     2

[***** End Vulnerability Note VU#209807 *****]


CIAC wishes to acknowledge the contributions of the CERT Coordination Center for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788