Alerts This Week
Warning Icon 1 525
Alerts This Week
Warning Icon 1 525

Portable OpenSSH 3.7p1 Critical Advisory: Remote PAM Exploit Threat

Calendar Sep 23, 2003 User Avatar Anthony Pell
1 - 2 min read
General Esm H500
Topics%20covered

Topics Covered

security advisory remote exploit critical threat pam code portable openssh
Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). Vendor updates are in progress.. . . Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). Vendor updates are in progress.

From: Damien Miller
To: This email address is being protected from spambots. You need JavaScript enabled to view it.
Cc: This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it.
Subject: Portable OpenSSH Security Advisory: sshpam.adv

This document can be found at: https://www.openssh.org/txt/sshpam.adv

  1. Versions affected: Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled).

    The OpenBSD releases of OpenSSH do not contain this code and are not vulnerable.

  2. Solution: Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no" in sshd_config).

    Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites only using public key or simple password authentication usually have little need to enable PAM support.

Your message here