topic Re: another ssh bug - PAM? in Operating System - HP-UX

another ssh bug - PAM?

jmb — Tue, 30 Sep 2003 11:13:31 GMT

Now getting reports of a new vulnerability affecting the PAM code in OpenSSH. Does anyone know if/how this hits HP's versions and fixes?

Thanks!

Re: another ssh bug - PAM?

Steven E. Protter — Tue, 30 Sep 2003 11:24:00 GMT

There has been a recent release of security bug fixes with HP's port of openssh 3.6, which is called secure shell.

HP indicates it deals with recent cert security bullitens.

Here is a link.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

SEP

Re: another ssh bug - PAM?

Zeev Schultz — Tue, 30 Sep 2003 11:31:38 GMT

Its for 3.7/3.7.1. HP version is 3.61.

http://www.openssh.com/txt/sshpam.adv

http://www4.itrc.hp.com/service/cki/secBullArchive.do?admit=-938907319+1064939067860+28353475

Re: another ssh bug - PAM?

Steven E. Protter — Tue, 30 Sep 2003 11:33:18 GMT

I'd also want to stay current on pam itself.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J5849AA

SEP

Re: another ssh bug - PAM?

Alzhy — Tue, 30 Sep 2003 12:27:22 GMT

HP's version is VULNERABLE....

Install Build OpenSSH 3.7.1p2... This addresses both the buffer overflow and PAM issue of Septmber 2003.

HP's officially built SSH is still at 3.6.1p2.... The Connect site has a pre-built 3.7.1.p2 ready for download and build just a few days ago...

As more vulnerabilities would probably be on the horizon, it is better to have your own build environment where you can quickly patch the sources and rebuild... Get gcc 3.3.1, OpenSSH sources and dependencies - Zlib, tcpwrappers and openSSL plus HP's KRNG (strong randomness) package..

HTH.

Re: another ssh bug - PAM?

jmb — Tue, 30 Sep 2003 12:34:35 GMT

Just curious why you say HP's is vulnerable, when the problem hit in 3.7, and Secure Shell's release is 3.6? That appears to be the explanation above...

Re: another ssh bug - PAM?

Alzhy — Tue, 30 Sep 2003 12:45:15 GMT

The buffer overflow applies to all versions up to 3.7.1. 3.7.1p1 solves the buffer overflow. 3.7.1.p2 solves the PAM thingy...

I don't think the SEP2003 HP SSH is patched yet as the sources are based on 3.6.1p2.

Re: another ssh bug - PAM?

Krzysztof Grudzinski — Tue, 30 Sep 2003 16:46:16 GMT

http://www.openssh.com/txt/buffer.adv

The question is if the patch is included.

Another soultion: Upgrade to OpenSSH 3.7.1

Re: another ssh bug - PAM?

Zeev Schultz — Wed, 01 Oct 2003 04:14:00 GMT

Folks,
As it seems to me hp provided includes fix posted on the openssh site. The one called
buffer overflow -

http://www.cert.org/advisories/CA-2003-24.html

Now as to PAM bug, I understood from openssh site that it's about a new pam code introduced in 3.7.

I don't know what portion of PAM code is affected in the OpenSSH version, but I assume (based on previous pam related bugs in the openssh , like this one ie:
http://www.securityfocus.com/bid/5093/discussion/ ) that it will be about those settings in sshd.conf:
ChallengeResponseAuthentication
PasswordAuthentication yes
PAMAuthenticationViaKbdInt

I personally prefer user public key authentication and not to use pam.

Re: another ssh bug - PAM?

jmb — Wed, 01 Oct 2003 17:43:00 GMT

** Another New Alert **

This is from Open SSL: "A bug in OpenSSLs SSL/TLS protocol was also identified which causes OpenSSL to parse a client certificate from an SSL/TLS client when it should reject it as a protocol error."

The deluge continues. HP was pretty good about responding to the first one or two from a couple of weeks ago. Any news from HP about the SSL problem? Does it affect the latest Secure Shell release, and if so, when will it be fixed?

Thanks!