Bugtraq mailing list archives
Security Update: [CSSA-2002-030.0] Linux: OpenSSH Vulnerabilities in Challenge Response Handling
From: security () caldera com
Date: Thu, 27 Jun 2002 11:52:21 -0700
To: bugtraq () securityfocus com, announce () lists caldera com, security-alerts () linuxsecurity com

______________________________________________________________________________

                  Caldera International, Inc.  Security Advisory

Subject:                Linux: OpenSSH Vulnerabilities in Challenge Response Handling
Advisory number:        CSSA-2002-030.0
Issue date:             2002 June 27
Cross reference:
______________________________________________________________________________

1. Problem Description

   Several vulnerabilities have been reported in OpenSSH if the S/KEY or
   BSD Auth features have been enabled, or if PAMAuthenticationViaKbdInt
   has been enabled.

2. Vulnerable Supported Versions

   System                         Package
   ----------------------------------------------------------------------
   OpenLinux 3.1.1 Server         prior to and including openssh-3.2.3p1-2
   OpenLinux 3.1.1 Workstation    prior to and including openssh-3.2.3p1-2
   OpenLinux 3.1 Server           prior to and including openssh-3.2.3p1-2
   OpenLinux 3.1 Workstation      prior to and including openssh-3.2.3p1-2

3. Solution

   Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth features
   compiled in, so it is not vulnerable to the Challenge/Response
   vulnerability. We do have the ChallengeResponseAuthentication option
   on by default, however, so to be safe, we recommend that the option
   be disabled (set to no) in the /etc/ssh/sshd_config file.

   In addition, the sshd_config PAMAuthenticationViaKbdInt option is
   disabled by default, so OpenLinux is not vulnerable to the other
   alleged vulnerability in a default configuration, either. However,
   Caldera recommends that this option also be disabled (set to no) if
   it has been enabled by the system administrator.

4. References

   Specific references for this advisory:
       http://www.cert.org/advisories/CA-2002-18.html

   Caldera security resources:
       http://www.caldera.com/support/security/index.html

5. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any
   of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera products.
______________________________________________________________________________
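As an added example, not part of the Caldera advisory or of OpenSSH: a small POSIX shell audit of the two sshd_config options the advisory asks administrators to set to no, with a helper that writes a hardened copy. It assumes sshd's case-insensitive, first-match-wins keyword parsing and the defaults the advisory states (ChallengeResponseAuthentication yes, PAMAuthenticationViaKbdInt no); the file paths and function names are the example's own.

```shell
#!/bin/sh
# Added example (not Caldera's or OpenSSH's code). Audits a copy of sshd_config
# for the two options CSSA-2002-030.0 recommends setting to "no".
# Assumed sshd semantics: keywords are case-insensitive, '#' starts a comment,
# and the first occurrence of a keyword is the one that takes effect.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use: first uncommented KEYWORD line, else DEFAULT.
effective_value() {
    awk -v kw="$2" -v def="$3" '
        { sub(/#.*/, "") }                       # strip trailing/whole-line comments
        tolower($1) == tolower(kw) && NF >= 2 { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Returns 0 when both options are effectively "no", 1 otherwise, naming offenders.
audit_sshd_config() {
    cra=$(effective_value "$1" ChallengeResponseAuthentication yes)  # default per advisory
    pam=$(effective_value "$1" PAMAuthenticationViaKbdInt no)        # default per advisory
    status=0
    [ "$cra" = "no" ] || { echo "ChallengeResponseAuthentication is $cra (want no)"; status=1; }
    [ "$pam" = "no" ] || { echo "PAMAuthenticationViaKbdInt is $pam (want no)"; status=1; }
    return $status
}

# harden_sshd_config IN OUT
# Writes IN to OUT with explicit "no" lines placed first (so they win under
# first-match-wins) and any existing settings of the two keywords commented out.
harden_sshd_config() {
    {
        echo "ChallengeResponseAuthentication no"
        echo "PAMAuthenticationViaKbdInt no"
        awk '
            tolower($1) == "challengeresponseauthentication" ||
            tolower($1) == "pamauthenticationviakbdint" { print "#" $0; next }
            { print }
        ' "$1"
    } > "$2"
}

# Stand-alone usage: audit the live file, e.g.  audit_sshd_config /etc/ssh/sshd_config
```

Review the hardened copy before installing it over /etc/ssh/sshd_config and reload sshd afterwards; the helper deliberately does not touch the live file.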