Date: 06 October 2003
References: ESB-2003.0680 ESB-2003.0687
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0704 -- FreeBSD-SA-03:15.openssh
OpenSSH PAM challenge/authentication error
06 October 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:            OpenSSH
Publisher:          FreeBSD
Operating System:   FreeBSD 4.6.2-RELEASE and later
                    FreeBSD 4-STABLE prior to correction date
Impact:             Denial of Service
                    Execute Arbitrary Code/Commands
Access Required:    Remote
Ref:                ESB-2003.0680
                    AL-2003.16
                    ESB-2003.0687
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-03:15.openssh                                    Security Advisory
                                                          The FreeBSD Project
Topic:          OpenSSH PAM challenge/authentication error
Category:       core
Module:         openssh
Announced:      2003-10-05
Credits:        The OpenSSH Project <openssh@openssh.org>
Affects:        FreeBSD releases 4.6.2-RELEASE and later
                FreeBSD 4-STABLE prior to the correction date
                openssh port prior to openssh-3.6.1_4
                openssh-portable port prior to openssh-portable-3.6.1p2_5
Corrected:      2003-09-24 21:06:28 UTC (RELENG_5_1, 5.1-RELEASE-p7)
                2003-09-24 18:25:31 UTC (RELENG_4, 4.9-PRERELEASE)
                2003-09-24 21:06:22 UTC (RELENG_4_8, 4.8-RELEASE-p9)
                2003-09-24 21:06:15 UTC (RELENG_4_7, 4.7-RELEASE-p19)
                2003-09-24 21:05:59 UTC (RELENG_4_6, 4.6.2-RELEASE-p22)
                2003-10-03 20:55:14 UTC (openssh-3.6.1_5)
                2003-09-26 02:42:39 UTC (openssh-portable-3.6.1p2_5)
FreeBSD only:   NO
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.
I. Background
OpenSSH is a free version of the SSH protocol suite of network
connectivity tools. OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods.
The SSH protocol exists in two versions, hereafter named simply `ssh1'
and `ssh2'. The ssh1 protocol is a legacy protocol for which there
exists no formal specification, while the ssh2 protocol is the product
of the IETF SECSH working group and is defined by a series of IETF
draft standards.
The ssh2 protocol supports a wide range of authentication
mechanisms, including a generic challenge / response mechanism, called
`keyboard-interactive' or `kbdint', which can be adapted to serve any
authentication scheme in which the server and client exchange an
arbitrarily long series of challenges and responses. In particular,
this mechanism is used in OpenSSH to support PAM authentication.
The ssh1 protocol, on the other hand, supports a much narrower range
of authentication mechanisms. Its challenge / response mechanism,
called `TIS', allows for only one challenge from the server and one
response from the client. OpenSSH contains interface code which
allows kbdint authentication back-ends to be used for ssh1 TIS
authentication, provided they only emit one challenge and expect only
one response.
Finally, recent versions of OpenSSH implement a mechanism called
`privilege separation' in which the task of communicating with the
client is delegated to an unprivileged child process, while the
privileged parent process performs the actual authentication and
double-checks every important decision taken by its unprivileged
child.
II. Problem Description
1) Insufficient checking in the ssh1 challenge / response interface
code, combined with a peculiarity of the PAM kbdint back-end,
causes OpenSSH to ignore a negative result from PAM (but not from
any other kbdint back-end).
2) A variable used by the PAM conversation function to store
challenges and the associated client responses is incorrectly
interpreted as an array of pointers to structures instead of a
pointer to an array of structures.
3) When challenge / response authentication is used with protocol
version 1, and a legitimate user interrupts challenge / response
authentication but successfully authenticates through some other
mechanism (such as password authentication), the server fails to
reclaim resources allocated by the challenge / response mechanism,
including the child process used for PAM authentication. When a
certain number of leaked processes is reached, the master server
process will refuse subsequent client connections.
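Added illustration of problem 2) above (not code from FreeBSD, OpenSSH or this advisory): the `msg' argument of a PAM conversation function is, under FreeBSD's PAM, a pointer to an array of message structures rather than an array of pointers, and a loop written for the other layout only reaches the right memory when a single message is passed. The struct and constants are simplified stand-ins for the real PAM headers, and the sample messages are constructed.

```c
/* Added illustration, not FreeBSD or OpenSSH code.  Under FreeBSD's PAM the
 * `msg' argument is a pointer to an array of struct pam_message; a loop that
 * treats it as an array of pointers only reaches the right memory when
 * num_msg == 1.  Types and constants are stand-ins for <security/pam_appl.h>. */
#define PAM_PROMPT_ECHO_OFF 1   /* hidden-input prompt: a challenge */
#define PAM_TEXT_INFO       4   /* informational text, no response expected */

struct pam_message { int msg_style; const char *msg; };

/* Count the challenges in one call, indexing the FreeBSD way: *msg is a
 * contiguous array of num_msg structures. */
static int count_challenges_freebsd(int num_msg, const struct pam_message **msg)
{
    int i, n = 0;
    for (i = 0; i < num_msg; i++)
        n += ((*msg)[i].msg_style == PAM_PROMPT_ECHO_OFF);
    return n;
}

/* The same loop treating msg as an array of num_msg pointers.  With
 * num_msg == 1 both spellings reach the same structure, which is why modules
 * that send one challenge per call are unaffected; with num_msg > 1 this
 * reads pointers that were never passed, so it is only called with 1 here. */
static int count_challenges_array_of_ptrs(int num_msg, const struct pam_message **msg)
{
    int i, n = 0;
    for (i = 0; i < num_msg; i++)
        n += (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF);
    return n;
}

/* Constructed sample: a module that, like a forced password change, sends
 * three messages in a single call.  Only the FreeBSD-style loop is safe here. */
static int challenges_in_password_change(void)
{
    struct pam_message batch[3] = {
        { PAM_TEXT_INFO,       "Password expired, choose a new one" },
        { PAM_PROMPT_ECHO_OFF, "New password: " },
        { PAM_PROMPT_ECHO_OFF, "Retype new password: " },
    };
    const struct pam_message *p = batch;      /* one pointer to the array */
    return count_challenges_freebsd(3, &p);   /* 2 */
}

/* Constructed sample: a single-challenge module, on which both loops agree. */
static int challenges_in_single_prompt(int array_of_ptrs)
{
    struct pam_message one = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *p = &one;
    return array_of_ptrs ? count_challenges_array_of_ptrs(1, &p)
                         : count_challenges_freebsd(1, &p);
}
```

This is also why workaround 2) asks that no module in the sshd PAM configuration send more than one challenge per call: with one message the two layouts coincide.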
III. Impact
1) If privilege separation is disabled, no additional checks are
performed and an ssh1 client will be successfully authenticated
even if its response to PAM's challenge is patently wrong. On the
other hand, if privilege separation is enabled (which it is by
default), the monitor process will notice the discrepancy, refuse
to proceed, and kill the faulty child process.
2) If more than one challenge is issued in a single call to the PAM
conversation function, stack corruption will result. The most
likely outcome will be a segmentation fault leading to termination
of the process, but there is a possibility that an attacker may
succeed in executing arbitrary code in a privileged process.
Note that none of the PAM modules provided in the FreeBSD base
system ever issue more than one challenge in a single call to the
conversation function; nor, to our knowledge, do any third-party
modules provided in the FreeBSD ports collection.
3) Legitimate users may cause a denial-of-service condition in which
the SSH server refuses client connections until it is restarted.
Note that this vulnerability is not exploitable by attackers who do
not have a valid account on the target system.
IV. Workaround
Do both of the following:
1) Make sure that privilege separation is enabled. This is the
default; look for `UsePrivilegeSeparation' in /etc/ssh/sshd_config
or /usr/local/etc/ssh/sshd_config as appropriate and make sure that
any occurrence of that keyword is commented out and/or followed by
the keyword `yes'. The stock version of this file is safe to use.
2) Make sure that the PAM configuration for OpenSSH does not reference
any modules which pass more than one challenge in a single call to
the conversation function. In FreeBSD 4.x, the PAM configuration
for OpenSSH consists of the lines in /etc/pam.conf which begin with
`sshd'; in FreeBSD 5.x, it is located in /etc/pam.d/sshd. The
stock versions of these files are safe to use.
The following PAM modules from the FreeBSD ports collection are
known to be safe with regard to problem 2) above:
- pam_mysql.so (security/pam-mysql)
- pam_pgsql.so (security/pam-pgsql)
- pam_alreadyloggedin.so (security/pam_alreadyloggedin)
- pam_ldap.so (security/pam_ldap)
- pam_pop3.so (security/pam_pop3)
- pam_pwdfile.so (security/pam_pwdfile)
- pam_smb.so (security/pam_smb)
pam_krb5.so from ports (security/pam_krb5) is known to use multiple
prompts with the conversation function if the user's password is
expired in order to change the user password.
3) Disable challenge / response authentication, or disable protocol
version 1.
To disable challenge / response authentication, add the line:
ChallengeResponseAuthentication no
to sshd_config(5) and restart sshd.
To disable protocol version 1, add the line
Protocol 2
to sshd_config(5) and restart sshd.
V. Solution
Do one of the following:
[For OpenSSH included in the base system]
The following patches have been verified to apply to FreeBSD 4.6, 4.7,
4.8, and 5.1 systems prior to the correction date.
Download the appropriate patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.
[FreeBSD 4.6]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh46.patch.asc
[FreeBSD 4.7]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh47.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh47.patch.asc
[FreeBSD 4.8]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch.asc
[FreeBSD 5.1]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch.asc
[FreeBSD 4.8-STABLE / 4.9-PRERELEASE / 4.9-RC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh4s.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh4s.patch.asc
Execute the following commands as root:
# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/usr.sbin/sshd
# make obj && make depend && make all install
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# /usr/sbin/sshd
or, in FreeBSD 5.x:
# /etc/rc.d/sshd restart
[For the OpenSSH ports]
Do one of the following:
1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package obtained from
the following directory:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.
3) Download a new port skeleton for the openssh or openssh-portable
port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                        Revision
  Path
- - -------------------------------------------------------------------------
RELENG_4
  src/crypto/openssh/auth-chall.c                              1.2.2.6
  src/crypto/openssh/auth.h                                    1.1.1.1.2.7
  src/crypto/openssh/auth1.c                                   1.3.2.10
  src/crypto/openssh/auth2-pam-freebsd.c                       1.1.2.8
  src/crypto/openssh/ssh_config                                1.2.2.9
  src/crypto/openssh/ssh_config.5                              1.4.2.5
  src/crypto/openssh/sshd_config                               1.4.2.13
  src/crypto/openssh/sshd_config.5                             1.5.2.6
  src/crypto/openssh/version.h                                 1.1.1.1.2.13
RELENG_5_1
  src/crypto/openssh/auth-chall.c                              1.6.2.1
  src/crypto/openssh/auth2-pam-freebsd.c                       1.11.2.1
  src/crypto/openssh/ssh_config                                1.21.2.1
  src/crypto/openssh/ssh_config.5                              1.9.2.1
  src/crypto/openssh/sshd_config                               1.32.2.1
  src/crypto/openssh/sshd_config.5                             1.11.2.1
  src/crypto/openssh/version.h                                 1.20.2.3
RELENG_4_8
  src/crypto/openssh/auth-chall.c                              1.2.2.4.2.2
  src/crypto/openssh/auth.h                                    1.1.1.1.2.6.2.1
  src/crypto/openssh/auth1.c                                   1.3.2.9.2.1
  src/crypto/openssh/auth2-pam-freebsd.c                       1.1.2.5.2.2
  src/crypto/openssh/ssh_config                                1.2.2.8.2.1
  src/crypto/openssh/ssh_config.5                              1.4.2.4.2.1
  src/crypto/openssh/sshd_config                               1.4.2.12.2.1
  src/crypto/openssh/version.h                                 1.1.1.1.2.10.2.3
RELENG_4_7
  src/crypto/openssh/auth-chall.c                              1.2.2.3.2.1
  src/crypto/openssh/auth.h                                    1.1.1.1.2.5.2.1
  src/crypto/openssh/auth1.c                                   1.3.2.8.2.1
  src/crypto/openssh/auth2-pam-freebsd.c                       1.1.2.2.2.2
  src/crypto/openssh/ssh_config                                1.2.2.6.2.1
  src/crypto/openssh/sshd_config                               1.4.2.10.2.1
  src/crypto/openssh/version.h                                 1.1.1.1.2.9.2.3
RELENG_4_6
  src/crypto/openssh/auth-chall.c                              1.2.2.2.2.2
  src/crypto/openssh/auth.h                                    1.1.1.1.2.4.4.2
  src/crypto/openssh/auth1.c                                   1.3.2.7.4.2
  src/crypto/openssh/auth2-pam-freebsd.c                       1.2.2.4
  src/crypto/openssh/ssh_config                                1.2.2.4.4.2
  src/crypto/openssh/sshd_config                               1.4.2.8.2.2
  src/crypto/openssh/version.h                                 1.1.1.1.2.8.2.4
[Ports]
  ports/security/openssh/Makefile                              1.125
  ports/security/openssh/auth-pam.c                            1.2
  ports/security/openssh/auth-pam.h                            1.2
  ports/security/openssh/auth2-pam.c                           1.2
  ports/security/openssh/patch-auth-chall.c                    1.1
  ports/security/openssh-portable/Makefile                     1.78
  ports/security/openssh-portable/auth2-pam-freebsd.c          1.5
  ports/security/openssh-portable/patch-auth-chall.c           1.1
  ports/security/openssh-portable/patch-auth-pam.c             1.1
  ports/security/openssh-portable/patch-auth-pam.h             1.1
- - -------------------------------------------------------------------------
Branch                                      Version string
- - -------------------------------------------------------------------------
RELENG_4                                    OpenSSH_3.5p1 FreeBSD-20030924
RELENG_5_1                                  OpenSSH_3.6.1p1 FreeBSD-20030924
RELENG_4_8                                  OpenSSH_3.5p1 FreeBSD-20030924
RELENG_4_7                                  OpenSSH_3.4p1 FreeBSD-20030924
RELENG_4_6                                  OpenSSH_3.4p1 FreeBSD-20030924
- - -------------------------------------------------------------------------
To view the version string of the OpenSSH server, execute the
following command:
% /usr/sbin/sshd -\?
or for OpenSSH from the ports collection:
% /usr/local/sbin/sshd -\?
The version string is also displayed when a client connects to the
server.
VII. References
<URL:http://www.openssh.com/txt/sshpam.adv>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----