Security Update: [CSSA-2002-030.0] Linux: OpenSSH Vulnerabilities in Challenge Response Handling

From: securityat_private
Date: Thu Jun 27 2002 - 11:52:21 PDT


    To: bugtraqat_private announceat_private security-alertsat_private
    
    ______________________________________________________________________________
    
    		Caldera International, Inc.  Security Advisory
    
    Subject:		Linux: OpenSSH Vulnerabilities in Challenge Response Handling
    Advisory number: 	CSSA-2002-030.0
    Issue date: 		2002 June 27
    Cross reference:
    ______________________________________________________________________________
    
    
    1. Problem Description
    
    	Several vulnerabilities have been reported in OpenSSH if the
    	S/KEY or BSD Auth features have been enabled, or if
    	PAMAuthenticationViaKbdInt has been enabled.
    
    
    2. Vulnerable Supported Versions
    
    	System				Package
    	----------------------------------------------------------------------
    
    	OpenLinux 3.1.1 Server		prior to and including openssh-3.2.3p1-2
    	OpenLinux 3.1.1 Workstation	prior to and including openssh-3.2.3p1-2
    	OpenLinux 3.1 Server		prior to and including openssh-3.2.3p1-2
    	OpenLinux 3.1 Workstation	prior to and including openssh-3.2.3p1-2
    
    
    3. Solution
    
    	Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth
    	features compiled in, so it is not vulnerable to the
    	Challenge/Response vulnerability.
    
    	We do have the ChallengeResponseAuthentication option on by
    	default, however, so to be safe, we recommend that the option
    	be disabled (set to no) in the /etc/ssh/sshd_config file.
    
    	In addition, the sshd_config PAMAuthenticationViaKbdInt option
    	is disabled by default, so OpenLinux is not vulnerable to the
    	other alleged vulnerability in a default configuration,
    	either. However, Caldera recommends that this option also be
    	disabled (set to no) if it has been enabled by the system
    	administrator.
    
    
    4. References
    
    	Specific references for this advisory:
    		http://www.cert.org/advisories/CA-2002-18.html
    
    	Caldera security resources:
    		http://www.caldera.com/support/security/index.html
    
    
    5. Disclaimer
    
    	Caldera International, Inc. is not responsible for the misuse
    	of any of the information we provide on this website and/or
    	through our security advisories. Our advisories are a service
    	to our customers intended to promote secure installation and
    	use of Caldera products.
    
    ______________________________________________________________________________
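
One way to check a host against the recommendation in section 3, as an added example that is not part of the Caldera advisory. The function names are hypothetical, the defaults are the ones the advisory states for OpenLinux, and the parsing assumes sshd's documented behaviour that keywords are case-insensitive and the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two options named in the advisory.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use for KEYWORD: the first uncommented
# occurrence in FILE, or DEFAULT when the keyword never appears.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        {
            sub(/#.*/, "")                # strip comments
            sub(/[ \t]*=[ \t]*/, " ")     # accept "Keyword=value" as well
            if (!found && tolower($1) == key) { val = $2; found = 1 }
        }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd_config FILE
# Returns 0 only if both options are effectively "no".
audit_sshd_config() {
    rc=0
    # keyword:default pairs; defaults as stated in the advisory for OpenLinux
    for pair in ChallengeResponseAuthentication:yes PAMAuthenticationViaKbdInt:no; do
        key=${pair%%:*}
        def=${pair##*:}
        val=$(effective_value "$1" "$key" "$def")
        if [ "$val" = "no" ]; then
            echo "OK   $key $val"
        else
            echo "FIX  $key $val (set to no)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not from the advisory): the lower-case "yes"
# line comes first, so the later "no" never takes effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
challengeresponseauthentication yes
ChallengeResponseAuthentication no
#PAMAuthenticationViaKbdInt yes
EOF
# Audit the file given as the first argument, or the sample when none is given.
audit_sshd_config "${1:-$sample}" || echo "sshd_config needs changes"
rm -f "$sample"
```

Run it with `/etc/ssh/sshd_config` as the argument on a real host, and restart sshd after editing the file so the change takes effect.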
    
    
    


