Security: Bug in openssh allows root privileges
Name: Bug in openssh allows root privileges
ID: CSSA-2002-030.0
Distribution: Caldera
Platforms: Caldera Server 3.1, Caldera Workstation 3.1, Caldera Server 3.1.1, Caldera Workstation 3.1.1
Date: Fri, 28 June 2002, 13:00
References: Not specified
Applications: Portable OpenSSH
Original message
To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux: OpenSSH Vulnerabilities in Challenge Response Handling
Advisory number: CSSA-2002-030.0
Issue date: 2002 June 27
Cross reference:
______________________________________________________________________________
1. Problem Description
Several vulnerabilities have been reported in OpenSSH if the S/KEY or BSD Auth features have been enabled, or if PAMAuthenticationViaKbdInt has been enabled.
2. Vulnerable Supported Versions
System                         Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server         prior to and including openssh-3.2.3p1-2
OpenLinux 3.1.1 Workstation    prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Server           prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Workstation      prior to and including openssh-3.2.3p1-2
3. Solution
Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth features compiled in, so it is not vulnerable to the Challenge/Response vulnerability.
We do have the ChallengeResponseAuthentication option on by default, however, so to be safe, we recommend that the option be disabled (set to no) in the /etc/ssh/sshd_config file.
In addition, the sshd_config PAMAuthenticationViaKbdInt option is disabled by default, so OpenLinux is not vulnerable to the other alleged vulnerability in a default configuration, either. However, Caldera recommends that this option also be disabled (set to no) if it has been enabled by the system administrator.
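One way to check a host against the two recommendations above, as an added example that is not part of the Caldera advisory: the script reports the value sshd would actually use for each option, taking into account that the first occurrence of a keyword wins. The function names and the sample file are constructed for illustration; the defaults are the ones the advisory states for OpenLinux.

```shell
#!/bin/sh
# Added example, not part of the Caldera advisory.

# effective_value FILE KEYWORD DEFAULT
# Print the value sshd would use for KEYWORD: keywords are case-insensitive,
# "#" lines are comments, and the first occurrence of a keyword wins.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        $1 ~ /^#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }      # also tolerate Keyword=value
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Return 0 only if both options named in the advisory are effectively "no".
# Defaults are the ones the advisory states for OpenLinux (an assumption for
# any other build): ChallengeResponseAuthentication yes,
# PAMAuthenticationViaKbdInt no.
audit_sshd_config() {
    audit_rc=0
    for spec in ChallengeResponseAuthentication:yes PAMAuthenticationViaKbdInt:no; do
        key=${spec%%:*}
        val=$(effective_value "$1" "$key" "${spec##*:}")
        if [ "$val" = "no" ]; then
            echo "OK   $key $val"
        else
            echo "FIX  $key $val  (set to no in $1)"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# Constructed sample: the later "no" line has no effect because an earlier
# line already set the option.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
challengeresponseauthentication yes
ChallengeResponseAuthentication no
#PAMAuthenticationViaKbdInt yes
EOF
audit_sshd_config "$sample" || echo "sample config needs changes"
rm -f "$sample"
```

To audit a real host, call audit_sshd_config with /etc/ssh/sshd_config instead of the sample file.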
4. References
Specific references for this advisory: http://www.cert.org/advisories/CA-2002-18.html
Caldera security resources: http://www.caldera.com/support/security/index.html
5. Disclaimer
Caldera International, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera products.
______________________________________________________________________________