Date: Thu, 13 Aug 2015 19:44:20 +0300
From: Solar Designer <solar@...nwall.com>
To: djm@...drot.org, Moritz Jodeit <moritz@...efrostsecurity.de>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request - OpenSSH 6.9 PAM privilege separation vulnerabilities

On Thu, Aug 13, 2015 at 12:20:04AM +0200, Moritz Jodeit wrote:
> On 12.08.2015 22:48, Solar Designer wrote:
> > Are systems with "keyboard interactive" and "challenge-response"
> > authentication disabled (all of PAMAuthenticationViaKbdInt,
> > KbdInteractiveAuthentication, and ChallengeResponseAuthentication, as
> > applicable to a given sshd version, set to no) affected by these issues
> > as well?  The code appears to be specific to this mode, but it isn't
> > immediately clear whether or not these configuration settings prevent
> > the vulnerable code from being reached in the privsep monitor even when
> > the privsep child is compromised.  If the settings do not currently
> > prevent the code from being reached (I hope they do), then this should
> > be corrected as a hardening measure.
> 
> As long as UsePAM is enabled in the configuration, all the PAM-related
> monitor requests can be sent to the monitor. This at least allows
> triggering the use-after-free even if all the settings you mentioned
> are set to "no". Not sure if a full authentication is possible in this
> case though.

Damien, are you reading this?  Looks like there's a hardening change for
you(?) to implement.  Please comment.  Thanks!

Alexander
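The exchange above turns on three configuration states: UsePAM off (no PAM monitor requests at all), UsePAM on with every keyboard-interactive/challenge-response option set to no (the state Moritz says still lets the PAM monitor requests reach the monitor), and keyboard-interactive enabled. The following audit script is an added example, not code from the thread or from OpenSSH; it parses the global section of an sshd_config according to sshd_config(5) rules (comments, `key value` or `key=value`, case-insensitive keywords, first value wins) and classifies the file. It assumes the 6.9 documented defaults (UsePAM no, ChallengeResponseAuthentication yes, KbdInteractiveAuthentication yes), counts the obsolete PAMAuthenticationViaKbdInt only when explicitly set, and ignores Match blocks.

```python
"""Classify an sshd_config against the three states discussed in the thread."""
import re

# Options named in the thread, oldest (obsolete) to newest; all lower-case
# because sshd_config keywords are case-insensitive.
KBDINT_OPTIONS = (
    "pamauthenticationviakbdint",
    "kbdinteractiveauthentication",
    "challengeresponseauthentication",
)
# Defaults as documented in sshd_config(5) for OpenSSH 6.9 (assumption: the
# obsolete PAMAuthenticationViaKbdInt only counts when explicitly set).
DEFAULTS = {
    "usepam": "no",
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def parse_global_options(text):
    """Return {keyword: first value} for the global section of sshd_config.

    Blank lines and '#' lines are comments; keyword and argument are separated
    by whitespace or by one '='; the first value obtained for a keyword wins.
    Parsing stops at the first Match block, whose settings are conditional
    (assumption: we only audit the unconditional global section).
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":
            break
        opts.setdefault(key, val)  # first occurrence wins
    return opts

def classify(text):
    """'pam-off', 'kbdint-enabled', or 'kbdint-off-pam-on' (the thread's case)."""
    opts = parse_global_options(text)
    if opts.get("usepam", DEFAULTS["usepam"]).lower() != "yes":
        return "pam-off"
    for opt in KBDINT_OPTIONS:
        if opts.get(opt, DEFAULTS.get(opt, "no")).lower() == "yes":
            return "kbdint-enabled"
    return "kbdint-off-pam-on"

# Constructed sample: the configuration Solar asked about.
SAMPLE = "UsePAM yes\nChallengeResponseAuthentication no\nKbdInteractiveAuthentication no\n"
```

A result of `kbdint-off-pam-on` means the keyboard-interactive switches alone do not keep the PAM monitor requests away from the monitor, per Moritz's reply, so the sshd fix itself is what closes the issue.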
