Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 22 Jul 2015 23:07:05 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request for OpenSSH vulnerability -
 authentication limits bypass

Attached patch fixes.

--mancha

On Tue, Jul 21, 2015 at 11:16:35AM +0200, king cope wrote:
> Hello list, solar designer,
> 
> Can you please add a CVE for the mentioned vulnerability in OpenSSH.
> 
> The OpenSSH server normally wouldn't allow successive authentications
> that exceed the MaxAuthTries setting in sshd_config, with this
> vulnerability the allowed login retries can be extended limited only
> by the LoginGraceTime setting, that can be more than 10000 tries
> (depends on the network speed), and even more for local attacks.
> Technically this vulnerability affects OpenSSH. It can be found with
> FreeBSD installations because these use the keyboard-interactive
> authentication mechanism (that is the one affected) in combination
> with pam. I haven't tested skey/bsd auth.  To note that this
> vulnerability looks pretty old, a test against FreeBSD 6.2 (2007
> release date) showed it vulnerable.  Additionally there is no delay
> between the authentication retries, but this is another issue that
> makes this vulnerability more effective.
> 
> CVE please!
> 
> Thank you,
> 
> KC
> 
> Reference: http://seclists.org/fulldisclosure/2015/Jul/92

From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
From: "djm@...nbsd.org" <djm@...nbsd.org>
Date: Sat, 18 Jul 2015 07:57:14 +0000
Subject: [PATCH] upstream commit

Query each keyboard-interactive device only once per authentication
request regardless of how many times it is listed; ok markus@

Upstream-ID:  d73fafba6e86030436ff673656ec1f33d9ffeda1
Reference-ID: 701a201481b751df5ed85b68de259637

---
 auth2-chall.c | 11 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -83,6 +83,7 @@ struct KbdintAuthctxt
 	void *ctxt;
 	KbdintDevice *device;
 	u_int nreq;
+	u_int devices_done;
 };
 
 #ifdef USE_PAM
@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
 		if (len == 0)
 			break;
 		for (i = 0; devices[i]; i++) {
-			if (!auth2_method_allowed(authctxt,
+			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+			    !auth2_method_allowed(authctxt,
 			    "keyboard-interactive", devices[i]->name))
 				continue;
-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+			if (strncmp(kbdintctxt->devices, devices[i]->name,
+			    len) == 0) {
 				kbdintctxt->device = devices[i];
+				kbdintctxt->devices_done |= 1 << i;
+			}
 		}
 		t = kbdintctxt->devices;
 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ