Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 2 Sep 2016 15:52:06 +1000 (AEST)
From: Damien Miller <djm@...drot.org>
To: oss-security@...ts.openwall.com
cc: Solar Designer <solar@...nwall.com>
Subject: Re: CVE request - OpenSSH 6.9 PAM privilege separation
 vulnerabilities

On Thu, 13 Aug 2015, Moritz Jodeit wrote:

> On 12.08.2015 22:48, Solar Designer wrote:
> > Thank you!
> > 
> > Are systems with "keyboard interactive" and "challenge-response"
> > authentication disabled (all of PAMAuthenticationViaKbdInt,
> > KbdInteractiveAuthentication, and ChallengeResponseAuthentication, as
> > applicable to a given sshd version, set to no) affected by these issues
> > as well?  The code appears to be specific to this mode, but it isn't
> > immediately clear whether or not these configuration settings prevent
> > the vulnerable code from being reached in the privsep monitor even when
> > the privsep child is compromised.  If the settings do not currently
> > prevent the code from being reached (I hope they do), then this should
> > be corrected as a hardening measure.
> 
> As long as UsePAM is enabled in the configuration, all the PAM-related
> monitor requests can be send to the monitor. This at least allows
> triggering the use-after-free even if all the settings you mentioned
> are set to "no". Not sure if a full authentication is possible in this
> case though.

Solar just reminded me of this branch of this old thread, prompting
me to tighten up OpenSSH's privilege separation monitor process:

https://anongit.mindrot.org/openssh.git/commit/?id=775f8a23f235
https://anongit.mindrot.org/openssh.git/commit/?id=7fd0ea8a1db4
https://anongit.mindrot.org/openssh.git/commit/?id=b38b95f5bcc5

(there'll be another one for GSSAPI once I can find someone to test it)

Together these more rigorously and explicitly enforce the expected
request flow in the monitor process.

Thanks for the reminder :)

-d

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ