Date: Fri, 2 Sep 2016 15:52:06 +1000 (AEST)
From: Damien Miller <djm@...drot.org>
To: oss-security@...ts.openwall.com
cc: Solar Designer <solar@...nwall.com>
Subject: Re: CVE request - OpenSSH 6.9 PAM privilege separation vulnerabilities

On Thu, 13 Aug 2015, Moritz Jodeit wrote:

> On 12.08.2015 22:48, Solar Designer wrote:
> > Thank you!
> >
> > Are systems with "keyboard interactive" and "challenge-response"
> > authentication disabled (all of PAMAuthenticationViaKbdInt,
> > KbdInteractiveAuthentication, and ChallengeResponseAuthentication, as
> > applicable to a given sshd version, set to no) affected by these issues
> > as well? The code appears to be specific to this mode, but it isn't
> > immediately clear whether or not these configuration settings prevent
> > the vulnerable code from being reached in the privsep monitor even when
> > the privsep child is compromised. If the settings do not currently
> > prevent the code from being reached (I hope they do), then this should
> > be corrected as a hardening measure.
>
> As long as UsePAM is enabled in the configuration, all the PAM-related
> monitor requests can be sent to the monitor. This at least allows
> triggering the use-after-free even if all the settings you mentioned
> are set to "no". Not sure if a full authentication is possible in this
> case though.

Solar just reminded me of this branch of this old thread, prompting me
to tighten up OpenSSH's privilege separation monitor process:

https://anongit.mindrot.org/openssh.git/commit/?id=775f8a23f235
https://anongit.mindrot.org/openssh.git/commit/?id=7fd0ea8a1db4
https://anongit.mindrot.org/openssh.git/commit/?id=b38b95f5bcc5

(there'll be another one for GSSAPI once I can find someone to test it)

Together these more rigorously and explicitly enforce the expected
request flow in the monitor process.

Thanks for the reminder :)

-d
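The design point in this thread is that a privilege-separation monitor must not trust the unprivileged child to send only the requests the configuration makes reachable: if UsePAM is on, the child can send any PAM request even when keyboard-interactive authentication is off, and the monitor has to refuse out-of-order or unreachable requests itself. The toy monitor below, written as an added example for this page and not taken from OpenSSH's monitor.c or the linked commits, shows the two checks a monitor can layer: a permit table derived from configuration (with one-shot permissions that are revoked after use) and a request-flow state machine (a PAM context must be started before it is initialised, initialised before it is queried, and freed at most once). The request names, the config struct and the state fields are hypothetical and do not correspond to OpenSSH's real request numbers or internals.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical request identifiers for this example only; they are not
 * OpenSSH's real monitor request numbers. */
enum req {
    REQ_PWNAM = 0,
    REQ_AUTHPASSWORD,
    REQ_PAM_START,
    REQ_PAM_ACCOUNT,
    REQ_PAM_INIT_CTX,
    REQ_PAM_QUERY,
    REQ_PAM_RESPOND,
    REQ_PAM_FREE_CTX,
    REQ_COUNT
};

enum disp { DISP_OK, DISP_NOT_PERMITTED, DISP_BAD_FLOW };

struct config {
    bool use_pam;          /* UsePAM */
    bool kbd_interactive;  /* KbdInteractiveAuthentication / ChallengeResponseAuthentication */
    bool password_auth;    /* PasswordAuthentication */
};

struct monitor {
    bool permitted[REQ_COUNT]; /* requests the child may send right now */
    bool once[REQ_COUNT];      /* permissions revoked after one use */
    bool pam_started;          /* REQ_PAM_START has been handled */
    bool pam_ctx_live;         /* a PAM kbd-int context currently exists */
    int  rejected;             /* running count of refused requests */
};

static void permit(struct monitor *m, enum req r, bool once)
{
    m->permitted[r] = true;
    m->once[r] = once;
}

/* Derive the initial permit set from configuration. A request that the
 * configuration makes unreachable is never permitted, whatever the
 * (possibly compromised) child asks for. */
void monitor_init(struct monitor *m, const struct config *c)
{
    *m = (struct monitor){0};
    permit(m, REQ_PWNAM, true);
    if (c->password_auth)
        permit(m, REQ_AUTHPASSWORD, false);
    if (c->use_pam) {
        permit(m, REQ_PAM_START, true);
        permit(m, REQ_PAM_ACCOUNT, false);
        if (c->kbd_interactive) {       /* the gating the thread asks about */
            permit(m, REQ_PAM_INIT_CTX, false);
            permit(m, REQ_PAM_QUERY, false);
            permit(m, REQ_PAM_RESPOND, false);
            permit(m, REQ_PAM_FREE_CTX, false);
        }
    }
}

/* Accept or refuse one request from the child. First the permit table,
 * then the request-flow state: a context must exist before it is queried
 * or freed, and may be freed only once. */
enum disp monitor_dispatch(struct monitor *m, enum req r)
{
    if ((unsigned)r >= REQ_COUNT || !m->permitted[r]) {
        m->rejected++;
        return DISP_NOT_PERMITTED;
    }
    bool ok = true;
    switch (r) {
    case REQ_PAM_START:
        m->pam_started = true;
        break;
    case REQ_PAM_ACCOUNT:
        ok = m->pam_started;
        break;
    case REQ_PAM_INIT_CTX:
        ok = m->pam_started && !m->pam_ctx_live;
        if (ok) m->pam_ctx_live = true;
        break;
    case REQ_PAM_QUERY:
    case REQ_PAM_RESPOND:
        ok = m->pam_ctx_live;
        break;
    case REQ_PAM_FREE_CTX:
        ok = m->pam_ctx_live;
        if (ok) m->pam_ctx_live = false;
        break;
    default:
        break;
    }
    if (!ok) {
        m->rejected++;
        return DISP_BAD_FLOW;
    }
    if (m->once[r])
        m->permitted[r] = false;   /* one-shot request consumed */
    return DISP_OK;
}

/* Feed a request sequence, as a compromised child might, and report how
 * many requests the monitor refused. */
int monitor_run(struct monitor *m, const enum req *seq, size_t n)
{
    for (size_t i = 0; i < n; i++)
        monitor_dispatch(m, seq[i]);
    return m->rejected;
}
```

With UsePAM on and KbdInteractiveAuthentication off, the PAM context requests are refused at the permit table before any handler runs, which is the hardening the thread asks for; with keyboard-interactive on, a child that tries to query or free a context it never initialised, or free it twice, is stopped by the flow check instead. Both checks fail closed, so a request the monitor does not expect in its current state is refused rather than handled.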