Date: Thu, 13 Aug 2015 19:44:20 +0300
From: Solar Designer <solar@...nwall.com>
To: djm@...drot.org, Moritz Jodeit <moritz@...efrostsecurity.de>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request - OpenSSH 6.9 PAM privilege separation vulnerabilities

On Thu, Aug 13, 2015 at 12:20:04AM +0200, Moritz Jodeit wrote:
> On 12.08.2015 22:48, Solar Designer wrote:
> > Are systems with "keyboard interactive" and "challenge-response"
> > authentication disabled (all of PAMAuthenticationViaKbdInt,
> > KbdInteractiveAuthentication, and ChallengeResponseAuthentication, as
> > applicable to a given sshd version, set to no) affected by these issues
> > as well?  The code appears to be specific to this mode, but it isn't
> > immediately clear whether or not these configuration settings prevent
> > the vulnerable code from being reached in the privsep monitor even when
> > the privsep child is compromised.  If the settings do not currently
> > prevent the code from being reached (I hope they do), then this should
> > be corrected as a hardening measure.
>
> As long as UsePAM is enabled in the configuration, all the PAM-related
> monitor requests can be sent to the monitor.  This at least allows
> triggering the use-after-free even if all the settings you mentioned
> are set to "no".  Not sure if a full authentication is possible in this
> case though.

Damien, are you reading this?  Looks like there's a hardening change for
you(?) to implement.  Please comment.

Thanks!

Alexander
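The exchange above turns on which sshd_config knobs actually gate the PAM monitor requests: per Moritz, UsePAM alone, regardless of the three keyboard-interactive / challenge-response settings Alexander lists. The script below is an added example, not code from this thread or from OpenSSH. It reads an sshd_config text using the documented parsing rules (first value for a keyword wins, keywords are case-insensitive, "#" starts a comment, options after the first Match block are conditional and are ignored here) and reports the effective values of those four keywords. The defaults are assumed to be the upstream OpenSSH 6.x defaults (UsePAM no; many distributions ship UsePAM yes), and PAMAuthenticationViaKbdInt is an old keyword whose default of "yes" is an assumption; the sample configs are constructed for illustration.

```python
"""Report the sshd_config settings discussed in the thread above.

Added example, not code from the thread or from OpenSSH.  Parsing follows
sshd_config(5): first value for a keyword wins, keywords are case-insensitive,
'#' starts a comment, and everything after the first Match line is
conditional, so it is skipped here.  Run as a script to see the summary for
the constructed sample configs, or import and call assess() on real text.
"""
import re

# Assumed upstream OpenSSH 6.x defaults.  Distributions often ship UsePAM yes.
# PAMAuthenticationViaKbdInt is an old, since-removed keyword; its default is
# an assumption made for this example.
DEFAULTS = {
    "usepam": "no",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pamauthenticationviakbdint": "yes",
}

KBDINT_KEYS = (
    "challengeresponseauthentication",
    "kbdinteractiveauthentication",
    "pamauthenticationviakbdint",
)


def parse_sshd_config(text):
    """Return the effective global values for the keywords in DEFAULTS.

    Keywords are lowercased; values are lowercased.  Only the first
    occurrence of a keyword counts, and parsing stops at the first Match.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break                              # conditional options follow
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)            # first occurrence wins
    effective = dict(DEFAULTS)
    effective.update({k: v for k, v in seen.items() if k in DEFAULTS})
    return effective


def assess(text):
    """Summarise the settings relevant to the thread.

    'pam_monitor_reachable' follows Moritz's statement: with UsePAM yes the
    PAM-related monitor requests can be sent whatever the kbd-int settings
    are.  'kbdint_disabled' is true only if all three kbd-int keywords are
    explicitly or by default 'no'.
    """
    s = parse_sshd_config(text)
    return {
        "usepam": s["usepam"],
        "kbdint_disabled": all(s[k] == "no" for k in KBDINT_KEYS),
        "pam_monitor_reachable": s["usepam"] == "yes",
    }


# Constructed sample configs (not from any real host).
HARDENED_BUT_PAM = """\
# kbd-int switched off, but PAM still on
UsePAM yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PAMAuthenticationViaKbdInt no
"""

NO_PAM = """\
UsePAM no
"""

if __name__ == "__main__":
    for name, cfg in (("hardened-but-pam", HARDENED_BUT_PAM), ("no-pam", NO_PAM)):
        print(name, assess(cfg))
```

The point of the check is the first sample: every kbd-int setting is "no", yet the summary still reports the PAM monitor path as reachable because UsePAM is on. Running the real daemon's `sshd -T` and reading the same four keywords from its output gives the effective values without hand-parsing, including the effect of any Match blocks.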