Date: Sun, 5 Oct 2003 10:15:42 -0700 (PDT)
From: FreeBSD Security Advisories <security-advisories@freebsd.org.>
To: Bugtraq <bugtraq@securityfocus.com.>
Subject: FreeBSD Security Advisory FreeBSD-SA-03:15.openssh
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
FreeBSD-SA-03:15.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH PAM challenge/authentication error
Category: core
Module: openssh
Announced: 2003-10-05
Credits: The OpenSSH Project <openssh@openssh.org.>
Affects: FreeBSD releases 4.6.2-RELEASE and later
FreeBSD 4-STABLE prior to the correction date
openssh port prior to openssh-3.6.1_4
openssh-portable port prior to openssh-portable-3.6.1p2_5
Corrected: 2003-09-24 21:06:28 UTC (RELENG_5_1, 5.1-RELEASE-p7)
2003-09-24 18:25:31 UTC (RELENG_4, 4.9-PRERELEASE)
2003-09-24 21:06:22 UTC (RELENG_4_8, 4.8-RELEASE-p9)
2003-09-24 21:06:15 UTC (RELENG_4_7, 4.7-RELEASE-p19)
2003-09-24 21:05:59 UTC (RELENG_4_6, 4.6.2-RELEASE-p22)
2003-10-03 20:55:14 UTC (openssh-3.6.1_5)
2003-09-26 02:42:39 UTC (openssh-portable-3.6.1p2_5)
FreeBSD only: NO
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.
I. Background
OpenSSH is a free version of the SSH protocol suite of network
connectivity tools. OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods.
The SSH protocol exists in two versions, hereafter named simply `ssh1'
and `ssh2'. The ssh1 protocol is a legacy protocol for which there
exists no formal specification, while the ssh2 protocol is the product
of the IETF SECSH working group and is defined by a series of IETF
draft standards.
The ssh2 protocol supports a wide range of authentication
mechanisms, including a generic challenge / response mechanism, called
`keyboard-interactive' or `kbdint', which can be adapted to serve any
authentication scheme in which the server and client exchange a
arbitrarily long series of challenges and responses. In particular,
this mechanism is used in OpenSSH to support PAM authentication.
The ssh1 protocol, on the other hand, supports a much narrower range
of authentication mechanisms. Its challenge / response mechanisms,
called `TIS', allows for only one challenge from the server and one
response from the client. OpenSSH contains interface code which
allows kbdint authentication back-ends to be used for ssh1 TIS
authentication, provided they only emit one challenge and expect only
one response.
Finally, recent versions of OpenSSH implement a mechanism called
`privilege separation' in which the task of communicating with the
client is delegated to an unprivileged child process, while the
privileged parent process performs the actual authentication and
double-checks every important decision taken by its unprivileged
child.
II. Problem Description
1) Insufficient checking in the ssh1 challenge / response interface
code, combined with a peculiarity of the PAM kbdint back-end,
causes OpenSSH to ignore a negative result from PAM (but not from
any other kbdint back-end).
2) A variable used by the PAM conversation function to store
challenges and the associated client responses is incorrectly
interpreted as an array of pointers to structures instead of a
pointer to an array of structures.
3) When challenge / response authentication is used with protocol
version 1, and a legitimate user interrupts challenge / response
authentication but successfully authenticates through some other
mechanism (such as password authentication), the server fails to
reclaim resources allocated by the challenge / response mechanism,
including the child process used for PAM authentication. When a
certain number of leaked processes is reached, the master server
process will refuse subsequent client connections.
III. Impact
1) If privilege separation is disabled, no additional checks are
performed and an ssh1 client will be successfully authenticated
even if its response to PAM's challenge is patently wrong. On the
other hand, if privilege separation is enabled (which it is by
default), the monitor process will notice the discrepancy, refuse
to proceed, and kill the faulty child process.
2) If more than one challenge is issued in a single call to the PAM
conversation function, stack corruption will result. The most
likely outcome will be a segmentation fault leading to termination
of the process, but there is a possibility that an attacker may
succeed in executing arbitrary code in a privileged process.
Note that none of the PAM modules provided in the FreeBSD base
system ever issue more than one challenge in a single call to the
conversation function; nor, to our knowledge, do any third-party
modules provided in the FreeBSD ports collection.
3) Legitimate users may cause a denial-of-service condition in which
the SSH server refuses client connections until it is restarted.
Note that this vulnerability is not exploitable by attackers who do
not have a valid account on the target system.
IV. Workaround
Do both of the following:
1) Make sure that privilege separation is enabled. This is the
default; look for `UsePrivilegeSeparation' in /etc/ssh/sshd_config
or /usr/local/etc/ssh/sshd_config as appropriate and make sure that
any occurrence of that keyword is commented out and/or followed by
the keyword `yes'. The stock version of this file is safe to use.
2) Make sure that the PAM configuration for OpenSSH does not reference
any modules which pass more than one challenge in a single call to
the conversation function. In FreeBSD 4.x, the PAM configuration
for OpenSSH consists of the lines in /etc/pam.conf which begin with
`sshd'; in FreeBSD 5.x, it is located in /etc/pam.d/sshd. The
stock versions of these files are safe to use.
The following PAM modules from the FreeBSD ports collection are
known to be safe with regard to problem 2) above:
- pam_mysql.so (security/pam-mysql)
- pam_pgsql.so (security/pam-pgsql)
- pam_alreadyloggedin.so (security/pam_alreadyloggedin)
- pam_ldap.so (security/pam_ldap)
- pam_pop3.so (security/pam_pop3)
- pam_pwdfile.so (security/pam_pwdfile)
- pam_smb.so (security/pam_smb)
pam_krb5.so from ports (security/pam_krb5) is known to use multiple
prompts with the conversation function if the user's password is
expired in order to change the user password.
3) Disable challenge / response authentication, or disable protocol
version 1.
To disable challenge / response authentication, add the line:
ChallengeResponseAuthentication no
to sshd_config(5) and restart sshd.
To disable protocol version 1, add the line
Protocol 2
to sshd_config(5) and restart sshd.
V. Solution
Do one of the following:
[For OpenSSH included in the base system]
The following patches have been verified to apply to FreeBSD 4.6, 4.7,
4.8, and 5.1 systems prior to the correction date.
Download the appropriate patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.
[FreeBSD 4.6]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh46.patch.asc
[FreeBSD 4.7]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh47.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh47.patch.asc
[FreeBSD 4.8]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch.asc
[FreeBSD 5.1]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch.asc
[FreeBSD 4.8-STABLE / 4.9-PRERELEASE / 4.9-RC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh4s.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh4s.patch.asc
Execute the following commands as root:
# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/usr.sbin/sshd
# make obj && make depend && make all install
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# /usr/sbin/sshd
or, in FreeBSD 5.x:
# /etc/rc.d/sshd restart
[For the OpenSSH ports]
Do one of the following:
1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package obtained from
the following directory:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.
3) Download a new port skeleton for the openssh or openssh-portable
port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Path Revision
Branch
- -------------------------------------------------------------------------
RELENG_4
src/crypto/openssh/auth-chall.c 1.2.2.6
src/crypto/openssh/auth.h 1.1.1.1.2.7
src/crypto/openssh/auth1.c 1.3.2.10
src/crypto/openssh/auth2-pam-freebsd.c 1.1.2.8
src/crypto/openssh/ssh_config 1.2.2.9
src/crypto/openssh/ssh_config.5 1.4.2.5
src/crypto/openssh/sshd_config 1.4.2.13
src/crypto/openssh/sshd_config.5 1.5.2.6
src/crypto/openssh/version.h 1.1.1.1.2.13
RELENG_5_1
src/crypto/openssh/auth-chall.c 1.6.2.1
src/crypto/openssh/auth2-pam-freebsd.c 1.11.2.1
src/crypto/openssh/ssh_config 1.21.2.1
src/crypto/openssh/ssh_config.5 1.9.2.1
src/crypto/openssh/sshd_config 1.32.2.1
src/crypto/openssh/sshd_config.5 1.11.2.1
src/crypto/openssh/version.h 1.20.2.3
RELENG_4_8
src/crypto/openssh/auth-chall.c 1.2.2.4.2.2
src/crypto/openssh/auth.h 1.1.1.1.2.6.2.1
src/crypto/openssh/auth1.c 1.3.2.9.2.1
src/crypto/openssh/auth2-pam-freebsd.c 1.1.2.5.2.2
src/crypto/openssh/ssh_config 1.2.2.8.2.1
src/crypto/openssh/ssh_config.5 1.4.2.4.2.1
src/crypto/openssh/sshd_config 1.4.2.12.2.1
src/crypto/openssh/version.h 1.1.1.1.2.10.2.3
RELENG_4_7
src/crypto/openssh/auth-chall.c 1.2.2.3.2.1
src/crypto/openssh/auth.h 1.1.1.1.2.5.2.1
src/crypto/openssh/auth1.c 1.3.2.8.2.1
src/crypto/openssh/auth2-pam-freebsd.c 1.1.2.2.2.2
src/crypto/openssh/ssh_config 1.2.2.6.2.1
src/crypto/openssh/sshd_config 1.4.2.10.2.1
src/crypto/openssh/version.h 1.1.1.1.2.9.2.3
RELENG_4_6
src/crypto/openssh/auth-chall.c 1.2.2.2.2.2
src/crypto/openssh/auth.h 1.1.1.1.2.4.4.2
src/crypto/openssh/auth1.c 1.3.2.7.4.2
src/crypto/openssh/auth2-pam-freebsd.c 1.2.2.4
src/crypto/openssh/ssh_config 1.2.2.4.4.2
src/crypto/openssh/sshd_config 1.4.2.8.2.2
src/crypto/openssh/version.h 1.1.1.1.2.8.2.4
[Ports]
ports/security/openssh/Makefile 1.125
ports/security/openssh/auth-pam.c 1.2
ports/security/openssh/auth-pam.h 1.2
ports/security/openssh/auth2-pam.c 1.2
ports/security/openssh/patch-auth-chall.c 1.1
ports/security/openssh-portable/Makefile 1.78
ports/security/openssh-portable/auth2-pam-freebsd.c 1.5
ports/security/openssh-portable/patch-auth-chall.c 1.1
ports/security/openssh-portable/patch-auth-pam.c 1.1
ports/security/openssh-portable/patch-auth-pam.h 1.1
- -------------------------------------------------------------------------
Branch Version string
- -------------------------------------------------------------------------
RELENG_4 OpenSSH_3.5p1 FreeBSD-20030924
RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030924
RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030924
RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030924
RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030924
- -------------------------------------------------------------------------
To view the version string of the OpenSSH server, execute the
following command:
% /usr/sbin/sshd -\?
or for OpenSSH from the ports collection:
% /usr/local/sbin/sshd -\?
The version string is also displayed when a client connects to the
server.
VII. References
<URL:http://www.openssh.com/txt/sshpam.adv>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
iD8DBQE/gFCoFdaIBMps37IRApUWAJ9BZoW/uBY1Q0Phr3iQGBq8/I14dgCaAzvc
7gHHrB5lxeBXWIB37CXpM5s=
=DC+H
-----END PGP SIGNATURE-----