
Security: Bug in openssh allows root privileges
Name: Bug in openssh allows root privileges
ID: CSSA-2002-030.0
Distribution: Caldera
Platforms: Caldera Server 3.1, Caldera Workstation 3.1, Caldera Server 3.1.1, Caldera Workstation 3.1.1
Date: Fri, 28 June 2002, 13:00
References: None given
Applications: Portable OpenSSH

Original message

To: bugtraq@securityfocus.com announce@lists.caldera.com
security-alerts@linuxsecurity.com

______________________________________________________________________________

Caldera International, Inc. Security Advisory

Subject: Linux: OpenSSH Vulnerabilities in Challenge Response Handling
Advisory number: CSSA-2002-030.0
Issue date: 2002 June 27
Cross reference:
______________________________________________________________________________


1. Problem Description

Several vulnerabilities have been reported in OpenSSH if the
S/KEY or BSD Auth features have been enabled, or if
PAMAuthenticationViaKbdInt has been enabled.


2. Vulnerable Supported Versions

System                        Package
----------------------------------------------------------------------

OpenLinux 3.1.1 Server        prior to and including openssh-3.2.3p1-2
OpenLinux 3.1.1 Workstation   prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Server          prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Workstation     prior to and including openssh-3.2.3p1-2


3. Solution

Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth
features compiled in, so it is not vulnerable to the
Challenge/Response vulnerability.

We do have the ChallengeResponseAuthentication option on by
default, however, so to be safe, we recommend that the option
be disabled (set to no) in the /etc/ssh/sshd_config file.

In addition, the sshd_config PAMAuthenticationViaKbdInt option
is disabled by default, so OpenLinux is not vulnerable to the
other alleged vulnerability in a default configuration,
either. However, Caldera recommends that this option also be
disabled (set to no) if it has been enabled by the system
administrator.


4. References

Specific references for this advisory:
http://www.cert.org/advisories/CA-2002-18.html

Caldera security resources:
http://www.caldera.com/support/security/index.html


5. Disclaimer

Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on this website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera products.

______________________________________________________________________________
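
The check that section 3 recommends, as an added example that is not part of Caldera's advisory: a shell function reads an sshd_config and reports the effective value of both options, using the defaults the advisory states and sshd's rule that the first occurrence of a keyword wins. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an sshd_config for the two
# options the advisory recommends setting to "no".

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive; a keyword that never appears falls back to DEFAULT.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        {
            sub(/#.*/, "")      # drop comments
            sub(/[=]/, " ")     # tolerate the Keyword=value spelling
            if (NF >= 2 && tolower($1) == key) { val = tolower($2); exit }
        }
        END { print val }
    ' "$1"
}

# audit_sshd_config FILE
# Defaults are the ones the advisory states for OpenLinux: challenge-response
# on, PAM via keyboard-interactive off. Returns 1 if either is not "no".
audit_sshd_config() {
    rc=0
    for spec in ChallengeResponseAuthentication:yes PAMAuthenticationViaKbdInt:no; do
        key=${spec%%:*}
        def=${spec##*:}
        val=$(effective_value "$1" "$key" "$def")
        if [ "$val" = "no" ]; then
            echo "OK    $key $val"
        else
            echo "WARN  $key $val (advisory recommends: no)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#ChallengeResponseAuthentication no
pamauthenticationviakbdint yes
PAMAuthenticationViaKbdInt no
EOF
audit_sshd_config "$sample" || echo "result: changes needed"
rm -f "$sample"
```

On the sample, both options are flagged: the commented-out line leaves challenge-response at its default, and the earlier lowercase `yes` takes precedence over the later `no`.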
