-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:15.openssh Security Advisory The FreeBSD Project Topic: OpenSSH PAM challenge/authentication error Category: core Module: openssh Announced: 2003-10-05 Credits: The OpenSSH Project Affects: FreeBSD releases 4.6.2-RELEASE and later FreeBSD 4-STABLE prior to the correction date openssh port prior to openssh-3.6.1_4 openssh-portable port prior to openssh-portable-3.6.1p2_5 Corrected: 2003-09-24 21:06:28 UTC (RELENG_5_1, 5.1-RELEASE-p7) 2003-09-24 18:25:31 UTC (RELENG_4, 4.9-PRERELEASE) 2003-09-24 21:06:22 UTC (RELENG_4_8, 4.8-RELEASE-p9) 2003-09-24 21:06:15 UTC (RELENG_4_7, 4.7-RELEASE-p19) 2003-09-24 21:05:59 UTC (RELENG_4_6, 4.6.2-RELEASE-p22) 2003-10-03 20:55:14 UTC (openssh-3.6.1_5) 2003-09-26 02:42:39 UTC (openssh-portable-3.6.1p2_5) FreeBSD only: NO For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background OpenSSH is a free version of the SSH protocol suite of network connectivity tools. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. The SSH protocol exists in two versions, hereafter named simply `ssh1' and `ssh2'. The ssh1 protocol is a legacy protocol for which there exists no formal specification, while the ssh2 protocol is the product of the IETF SECSH working group and is defined by a series of IETF draft standards. The ssh2 protocol supports a wide range of authentication mechanisms, including a generic challenge / response mechanism, called `keyboard-interactive' or `kbdint', which can be adapted to serve any authentication scheme in which the server and client exchange a arbitrarily long series of challenges and responses. In particular, this mechanism is used in OpenSSH to support PAM authentication. The ssh1 protocol, on the other hand, supports a much narrower range of authentication mechanisms. Its challenge / response mechanisms, called `TIS', allows for only one challenge from the server and one response from the client. OpenSSH contains interface code which allows kbdint authentication back-ends to be used for ssh1 TIS authentication, provided they only emit one challenge and expect only one response. Finally, recent versions of OpenSSH implement a mechanism called `privilege separation' in which the task of communicating with the client is delegated to an unprivileged child process, while the privileged parent process performs the actual authentication and double-checks every important decision taken by its unprivileged child. II. Problem Description 1) Insufficient checking in the ssh1 challenge / response interface code, combined with a peculiarity of the PAM kbdint back-end, causes OpenSSH to ignore a negative result from PAM (but not from any other kbdint back-end). 2) A variable used by the PAM conversation function to store challenges and the associated client responses is incorrectly interpreted as an array of pointers to structures instead of a pointer to an array of structures. 3) When challenge / response authentication is used with protocol version 1, and a legitimate user interrupts challenge / response authentication but successfully authenticates through some other mechanism (such as password authentication), the server fails to reclaim resources allocated by the challenge / response mechanism, including the child process used for PAM authentication. When a certain number of leaked processes is reached, the master server process will refuse subsequent client connections. III. Impact 1) If privilege separation is disabled, no additional checks are performed and an ssh1 client will be successfully authenticated even if its response to PAM's challenge is patently wrong. On the other hand, if privilege separation is enabled (which it is by default), the monitor process will notice the discrepancy, refuse to proceed, and kill the faulty child process. 2) If more than one challenge is issued in a single call to the PAM conversation function, stack corruption will result. The most likely outcome will be a segmentation fault leading to termination of the process, but there is a possibility that an attacker may succeed in executing arbitrary code in a privileged process. Note that none of the PAM modules provided in the FreeBSD base system ever issue more than one challenge in a single call to the conversation function; nor, to our knowledge, do any third-party modules provided in the FreeBSD ports collection. 3) Legitimate users may cause a denial-of-service condition in which the SSH server refuses client connections until it is restarted. Note that this vulnerability is not exploitable by attackers who do not have a valid account on the target system. IV. Workaround Do both of the following: 1) Make sure that privilege separation is enabled. This is the default; look for `UsePrivilegeSeparation' in /etc/ssh/sshd_config or /usr/local/etc/ssh/sshd_config as appropriate and make sure that any occurrence of that keyword is commented out and/or followed by the keyword `yes'. The stock version of this file is safe to use. 2) Make sure that the PAM configuration for OpenSSH does not reference any modules which pass more than one challenge in a single call to the conversation function. In FreeBSD 4.x, the PAM configuration for OpenSSH consists of the lines in /etc/pam.conf which begin with `sshd'; in FreeBSD 5.x, it is located in /etc/pam.d/sshd. The stock versions of these files are safe to use. The following PAM modules from the FreeBSD ports collection are known to be safe with regard to problem 2) above: - pam_mysql.so (security/pam-mysql) - pam_pgsql.so (security/pam-pgsql) - pam_alreadyloggedin.so (security/pam_alreadyloggedin) - pam_ldap.so (security/pam_ldap) - pam_pop3.so (security/pam_pop3) - pam_pwdfile.so (security/pam_pwdfile) - pam_smb.so (security/pam_smb) pam_krb5.so from ports (security/pam_krb5) is known to use multiple prompts with the conversation function if the user's password is expired in order to change the user password. 3) Disable challenge / response authentication, or disable protocol version 1. To disable challenge / response authentication, add the line: ChallengeResponseAuthentication no to sshd_config(5) and restart sshd. To disable protocol version 1, add the line Protocol 2 to sshd_config(5) and restart sshd. V. Solution Do one of the following: [For OpenSSH included in the base system] The following patches have been verified to apply to FreeBSD 4.6, 4.7, 4.8, and 5.1 systems prior to the correction date. Download the appropriate patch and detached PGP signature from the following locations, and verify the signature using your PGP utility. [FreeBSD 4.6] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh46.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh46.patch.asc [FreeBSD 4.7] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh47.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh47.patch.asc [FreeBSD 4.8] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch.asc [FreeBSD 5.1] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch.asc [FreeBSD 4.8-STABLE / 4.9-PRERELEASE / 4.9-RC] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh4s.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh4s.patch.asc Execute the following commands as root: # cd /usr/src # patch < /path/to/sshd.patch # cd /usr/src/secure/usr.sbin/sshd # make obj && make depend && make all install Be sure to restart `sshd' after updating. # kill `cat /var/run/sshd.pid` # /usr/sbin/sshd or, in FreeBSD 5.x: # /etc/rc.d/sshd restart [For the OpenSSH ports] Do one of the following: 1) Upgrade your entire ports collection and rebuild the OpenSSH port. 2) Deinstall the old package and install a new package obtained from the following directory: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/ [other platforms] Packages are not automatically generated for other platforms at this time due to lack of build resources. 3) Download a new port skeleton for the openssh or openssh-portable port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz Be sure to restart `sshd' after updating. # kill `cat /var/run/sshd.pid` # test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- RELENG_4 src/crypto/openssh/auth-chall.c 1.2.2.6 src/crypto/openssh/auth.h 1.1.1.1.2.7 src/crypto/openssh/auth1.c 1.3.2.10 src/crypto/openssh/auth2-pam-freebsd.c 1.1.2.8 src/crypto/openssh/ssh_config 1.2.2.9 src/crypto/openssh/ssh_config.5 1.4.2.5 src/crypto/openssh/sshd_config 1.4.2.13 src/crypto/openssh/sshd_config.5 1.5.2.6 src/crypto/openssh/version.h 1.1.1.1.2.13 RELENG_5_1 src/crypto/openssh/auth-chall.c 1.6.2.1 src/crypto/openssh/auth2-pam-freebsd.c 1.11.2.1 src/crypto/openssh/ssh_config 1.21.2.1 src/crypto/openssh/ssh_config.5 1.9.2.1 src/crypto/openssh/sshd_config 1.32.2.1 src/crypto/openssh/sshd_config.5 1.11.2.1 src/crypto/openssh/version.h 1.20.2.3 RELENG_4_8 src/crypto/openssh/auth-chall.c 1.2.2.4.2.2 src/crypto/openssh/auth.h 1.1.1.1.2.6.2.1 src/crypto/openssh/auth1.c 1.3.2.9.2.1 src/crypto/openssh/auth2-pam-freebsd.c 1.1.2.5.2.2 src/crypto/openssh/ssh_config 1.2.2.8.2.1 src/crypto/openssh/ssh_config.5 1.4.2.4.2.1 src/crypto/openssh/sshd_config 1.4.2.12.2.1 src/crypto/openssh/version.h 1.1.1.1.2.10.2.3 RELENG_4_7 src/crypto/openssh/auth-chall.c 1.2.2.3.2.1 src/crypto/openssh/auth.h 1.1.1.1.2.5.2.1 src/crypto/openssh/auth1.c 1.3.2.8.2.1 src/crypto/openssh/auth2-pam-freebsd.c 1.1.2.2.2.2 src/crypto/openssh/ssh_config 1.2.2.6.2.1 src/crypto/openssh/sshd_config 1.4.2.10.2.1 src/crypto/openssh/version.h 1.1.1.1.2.9.2.3 RELENG_4_6 src/crypto/openssh/auth-chall.c 1.2.2.2.2.2 src/crypto/openssh/auth.h 1.1.1.1.2.4.4.2 src/crypto/openssh/auth1.c 1.3.2.7.4.2 src/crypto/openssh/auth2-pam-freebsd.c 1.2.2.4 src/crypto/openssh/ssh_config 1.2.2.4.4.2 src/crypto/openssh/sshd_config 1.4.2.8.2.2 src/crypto/openssh/version.h 1.1.1.1.2.8.2.4 [Ports] ports/security/openssh/Makefile 1.125 ports/security/openssh/auth-pam.c 1.2 ports/security/openssh/auth-pam.h 1.2 ports/security/openssh/auth2-pam.c 1.2 ports/security/openssh/patch-auth-chall.c 1.1 ports/security/openssh-portable/Makefile 1.78 ports/security/openssh-portable/auth2-pam-freebsd.c 1.5 ports/security/openssh-portable/patch-auth-chall.c 1.1 ports/security/openssh-portable/patch-auth-pam.c 1.1 ports/security/openssh-portable/patch-auth-pam.h 1.1 - ------------------------------------------------------------------------- Branch Version string - ------------------------------------------------------------------------- RELENG_4 OpenSSH_3.5p1 FreeBSD-20030924 RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030924 RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030924 RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030924 RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030924 - ------------------------------------------------------------------------- To view the version string of the OpenSSH server, execute the following command: % /usr/sbin/sshd -\? or for OpenSSH from the ports collection: % /usr/local/sbin/sshd -\? The version string is also displayed when a client connects to the server. VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/gFCoFdaIBMps37IRApUWAJ9BZoW/uBY1Q0Phr3iQGBq8/I14dgCaAzvc 7gHHrB5lxeBXWIB37CXpM5s= =DC+H -----END PGP SIGNATURE-----