CERT VU:602204
Sep 23, 2003 - 12:00 a.m.

OpenSSH PAM challenge authentication failure

www.kb.cert.org

CVSS2: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

* Attack Vector: NETWORK
* Attack Complexity: LOW
* Authentication: NONE
* Confidentiality Impact: COMPLETE
* Integrity Impact: COMPLETE
* Availability Impact: COMPLETE

EPSS: 0.025 (Percentile: 90.2%)

Overview

There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). This vulnerability could permit a remote attacker to log in to the system as any user, including potentially root, without using a password.

Description

There is a vulnerability in the challenge authentication code of the Portable OpenSSH server when using the SSHv1 protocol and Pluggable Authentication Modules (PAM). Versions 3.7p1 and 3.7.1p1 are affected. Note that the OpenBSD-specific releases are not affected by this issue.

Remote attackers could exploit servers configured with the following parameters:

* OpenSSH 3.7.1p1 (portable)
* Any platform
* compiled with --with-pam
* PrivilegeSeparation disabled
* Protocol version 1 enabled (default)
* ChallengeResponse enabled (default)

Note that this affects systems with password authentication disabled but challenge-response authentication still enabled. This does not affect systems using SSHv2, but many systems are configured to fall back to SSHv1 if SSHv2 is not supported by the client.

Impact

A remote attacker could potentially log in to the system as any user, including root, using a null password. Logging in as root is possible only if “PermitRootLogin” is enabled.


Solution

OpenSSH has announced version 3.7.1p2 to resolve this issue.


This issue can be mitigated by not using PAM. Set “UsePAM no” in sshd_config. To prevent root logins, set “PermitRootLogin no”.
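An added example, not part of the CERT note or of OpenSSH's own code: a Python check that tests a server banner and sshd_config text against the conditions listed in the Description and against the UsePAM / PermitRootLogin mitigation. The defaults applied to absent keywords, the helper names, and the sample banner and configs are assumptions constructed for illustration.

```python
import re

AFFECTED = {"3.7p1", "3.7.1p1"}  # Portable releases named in the advisory

# Values used when a keyword is absent. Protocol 1 and challenge-response are
# "enabled (default)" per the advisory; the other three are assumptions.
DEFAULTS = {
    "protocol": "2,1",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",                  # assumes a --with-pam build
    "useprivilegeseparation": "yes",
    "permitrootlogin": "yes",
}

def parse_sshd_config(text):
    """Return {keyword: value}. sshd keeps the first value it reads per keyword."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def assess(banner, config_text):
    """Return (exposed, root_reachable, conditions) for VU#602204."""
    m = re.search(r"OpenSSH_(\S+)", banner)
    opts = {**DEFAULTS, **parse_sshd_config(config_text)}
    conditions = {
        "affected version": bool(m) and m.group(1) in AFFECTED,
        "PAM in use": opts["usepam"] == "yes",
        "privilege separation disabled": opts["useprivilegeseparation"] == "no",
        "protocol 1 enabled": "1" in opts["protocol"].replace(" ", "").split(","),
        "challenge-response enabled": opts["challengeresponseauthentication"] == "yes",
    }
    exposed = all(conditions.values())
    # The advisory names only "PermitRootLogin no" as blocking root logins.
    return exposed, exposed and opts["permitrootlogin"] != "no", conditions

# Constructed sample inputs (not taken from the advisory).
BANNER = "SSH-1.99-OpenSSH_3.7.1p1"
WEAK = "Protocol 2,1\nUsePAM yes\nUsePrivilegeSeparation no\n"
MITIGATED = "UsePAM no\n" + WEAK          # first value wins: PAM is off
SHADOWED = WEAK + "UsePAM no\n"           # appended too late: PAM stays on

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK), ("mitigated", MITIGATED), ("shadowed", SHADOWED)]:
        print(name, assess(BANNER, cfg)[:2])
```

The SHADOWED case is the one to watch when applying the mitigation: a “UsePAM no” line added below an existing “UsePAM yes” has no effect.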


Vendor Information


Gentoo Linux Affected

Updated: September 24, 2003

Status

Affected

Vendor Statement

---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-14
---------------------------------------------------------------------

PACKAGE : openssh
SUMMARY : multiple vulnerabilities in new PAM code
DATE : 2003-09-23 20:25 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <openssh-3.7.1_p2
FIXED VERSION : >=openssh-3.7.1_p2
CVE :

quote from advisory:
“Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs
is remotely exploitable (under a non-standard configuration,
with privsep disabled).”
read the full advisory at:
<http://www.openssh.com/txt/sshpam.adv>

SOLUTION
It is recommended that all Gentoo Linux users who are running
net-misc/openssh upgrade to openssh-3.7.1_p2 as follows:
emerge sync
emerge openssh
emerge clean

---------------------------------------------------------------------
[email protected] - GnuPG key is available at <http://dev.gentoo.org/~aliz>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23602204 Feedback>).

OpenSSH Affected

Notified: September 22, 2003 Updated: September 23, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


AppGate Network Security AB Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

The OpenSSH used in AppGate has pam disabled so AppGate is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Apple Computer Inc. Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Apple: Not Vulnerable. Mac OS X is configured in a manner that is not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Bitvise Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Our WinSSHD server is based on different architecture and shares no codebase with OpenSSH; it is thus not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Check Point Not Affected

Updated: September 24, 2003

Status

Not Affected

Vendor Statement

No versions of Check Point products are affected by this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Clavister Not Affected

Updated: September 24, 2003

Status

Not Affected

Vendor Statement

Not Affected:

No Clavister products implement the SSH protocol.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cray Inc. Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Cray Inc. does support OpenSSH, however is not currently supporting OpenSSH 3.7. Even so, Cray does not compile with the “--with-pam” option and defaults to PrivilegeSeparation enabled. So Cray Inc. is not vulnerable to this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Debian Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

The packages in the current Debian release (Debian 3.0/woody) are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Ingrian Networks Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Ingrian Networks products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

MandrakeSoft patched 3.6.1 for updates, so none of our products are vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Microsoft Corporation Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

The particular program in question is not used in any Microsoft products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Mirapoint Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Mirapoint is not vulnerable to this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NetScreen Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Network Appliance Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

NetApp products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Openwall GNU/*/Linux Not Affected

Updated: September 24, 2003

Status

Not Affected

Vendor Statement

This doesn’t affect Openwall GNU/*/Linux, – we haven’t updated to a version of OpenSSH/portable with the newer FreeBSD-derived PAM code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Pragma Systems Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Since we do not support the PAM authentication this issue does not apply to our server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Red Hat Inc. Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

Red Hat Linux and Red Hat Enterprise Linux contain versions of OpenSSH prior to version 3.7 and are therefore not vulnerable to these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SuSE Inc. Not Affected

Updated: September 23, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sun Microsystems Inc. Not Affected

Updated: September 24, 2003

Status

Not Affected

Vendor Statement

Sun is not vulnerable to this. We have never shipped with this release.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


WatchGuard Not Affected

Updated: September 24, 2003

Status

Not Affected

Vendor Statement

WatchGuard Products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cisco Systems Inc. Unknown

Updated: September 23, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


IBM eServer Unknown

Updated: September 23, 2003

Status

Unknown

Vendor Statement

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to

https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=3D
In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to and follow the steps for registration.

All questions should be referred to [email protected].

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.




Acknowledgements

Thanks to Petri Heinonen and the OUSPG Team for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

CVE IDs: CVE-2003-0786
Severity Metric: 6.58
Date Public:
