[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:15.openssh

From: FreeBSD Security Advisories (security-advisories_at_freebsd.org)
Date: 10/05/03

  • Next message: Dan Langille: "[FreeBSD-Announce] BSDCan 2004 announcement"
    Date: Sun, 5 Oct 2003 10:15:42 -0700 (PDT)
    To: FreeBSD Security Advisories <security-advisories@freebsd.org>

    Hash: SHA1

    FreeBSD-SA-03:15.openssh Security Advisory
                                                              The FreeBSD Project

    Topic: OpenSSH PAM challenge/authentication error

    Category: core
    Module: openssh
    Announced: 2003-10-05
    Credits: The OpenSSH Project <openssh@openssh.org>
    Affects: FreeBSD releases 4.6.2-RELEASE and later
                    FreeBSD 4-STABLE prior to the correction date
                    openssh port prior to openssh-3.6.1_4
                    openssh-portable port prior to openssh-portable-3.6.1p2_5
    Corrected: 2003-09-24 21:06:28 UTC (RELENG_5_1, 5.1-RELEASE-p7)
                    2003-09-24 18:25:31 UTC (RELENG_4, 4.9-PRERELEASE)
                    2003-09-24 21:06:22 UTC (RELENG_4_8, 4.8-RELEASE-p9)
                    2003-09-24 21:06:15 UTC (RELENG_4_7, 4.7-RELEASE-p19)
                    2003-09-24 21:05:59 UTC (RELENG_4_6, 4.6.2-RELEASE-p22)
                    2003-10-03 20:55:14 UTC (openssh-3.6.1_5)
                    2003-09-26 02:42:39 UTC (openssh-portable-3.6.1p2_5)
    FreeBSD only: NO

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the
    following sections, please visit

    I. Background

    OpenSSH is a free version of the SSH protocol suite of network
    connectivity tools. OpenSSH encrypts all traffic (including
    passwords) to effectively eliminate eavesdropping, connection
    hijacking, and other network-level attacks. Additionally, OpenSSH
    provides a myriad of secure tunneling capabilities, as well as a
    variety of authentication methods.

    The SSH protocol exists in two versions, hereafter named simply `ssh1'
    and `ssh2'. The ssh1 protocol is a legacy protocol for which there
    exists no formal specification, while the ssh2 protocol is the product
    of the IETF SECSH working group and is defined by a series of IETF
    draft standards.

    The ssh2 protocol supports a wide range of authentication
    mechanisms, including a generic challenge / response mechanism, called
    `keyboard-interactive' or `kbdint', which can be adapted to serve any
    authentication scheme in which the server and client exchange a
    arbitrarily long series of challenges and responses. In particular,
    this mechanism is used in OpenSSH to support PAM authentication.

    The ssh1 protocol, on the other hand, supports a much narrower range
    of authentication mechanisms. Its challenge / response mechanisms,
    called `TIS', allows for only one challenge from the server and one
    response from the client. OpenSSH contains interface code which
    allows kbdint authentication back-ends to be used for ssh1 TIS
    authentication, provided they only emit one challenge and expect only
    one response.

    Finally, recent versions of OpenSSH implement a mechanism called
    `privilege separation' in which the task of communicating with the
    client is delegated to an unprivileged child process, while the
    privileged parent process performs the actual authentication and
    double-checks every important decision taken by its unprivileged

    II. Problem Description

    1) Insufficient checking in the ssh1 challenge / response interface
       code, combined with a peculiarity of the PAM kbdint back-end,
       causes OpenSSH to ignore a negative result from PAM (but not from
       any other kbdint back-end).

    2) A variable used by the PAM conversation function to store
       challenges and the associated client responses is incorrectly
       interpreted as an array of pointers to structures instead of a
       pointer to an array of structures.

    3) When challenge / response authentication is used with protocol
       version 1, and a legitimate user interrupts challenge / response
       authentication but successfully authenticates through some other
       mechanism (such as password authentication), the server fails to
       reclaim resources allocated by the challenge / response mechanism,
       including the child process used for PAM authentication. When a
       certain number of leaked processes is reached, the master server
       process will refuse subsequent client connections.

    III. Impact

    1) If privilege separation is disabled, no additional checks are
       performed and an ssh1 client will be successfully authenticated
       even if its response to PAM's challenge is patently wrong. On the
       other hand, if privilege separation is enabled (which it is by
       default), the monitor process will notice the discrepancy, refuse
       to proceed, and kill the faulty child process.

    2) If more than one challenge is issued in a single call to the PAM
       conversation function, stack corruption will result. The most
       likely outcome will be a segmentation fault leading to termination
       of the process, but there is a possibility that an attacker may
       succeed in executing arbitrary code in a privileged process.

       Note that none of the PAM modules provided in the FreeBSD base
       system ever issue more than one challenge in a single call to the
       conversation function; nor, to our knowledge, do any third-party
       modules provided in the FreeBSD ports collection.

    3) Legitimate users may cause a denial-of-service condition in which
       the SSH server refuses client connections until it is restarted.
       Note that this vulnerability is not exploitable by attackers who do
       not have a valid account on the target system.

    IV. Workaround

    Do both of the following:

    1) Make sure that privilege separation is enabled. This is the
       default; look for `UsePrivilegeSeparation' in /etc/ssh/sshd_config
       or /usr/local/etc/ssh/sshd_config as appropriate and make sure that
       any occurrence of that keyword is commented out and/or followed by
       the keyword `yes'. The stock version of this file is safe to use.

    2) Make sure that the PAM configuration for OpenSSH does not reference
       any modules which pass more than one challenge in a single call to
       the conversation function. In FreeBSD 4.x, the PAM configuration
       for OpenSSH consists of the lines in /etc/pam.conf which begin with
       `sshd'; in FreeBSD 5.x, it is located in /etc/pam.d/sshd. The
       stock versions of these files are safe to use.

       The following PAM modules from the FreeBSD ports collection are
       known to be safe with regard to problem 2) above:

        - pam_mysql.so (security/pam-mysql)
        - pam_pgsql.so (security/pam-pgsql)
        - pam_alreadyloggedin.so (security/pam_alreadyloggedin)
        - pam_ldap.so (security/pam_ldap)
        - pam_pop3.so (security/pam_pop3)
        - pam_pwdfile.so (security/pam_pwdfile)
        - pam_smb.so (security/pam_smb)

       pam_krb5.so from ports (security/pam_krb5) is known to use multiple
       prompts with the conversation function if the user's password is
       expired in order to change the user password.

    3) Disable challenge / response authentication, or disable protocol
       version 1.

       To disable challenge / response authentication, add the line:
         ChallengeResponseAuthentication no
       to sshd_config(5) and restart sshd.

       To disable protocol version 1, add the line
         Protocol 2
       to sshd_config(5) and restart sshd.

    V. Solution

    Do one of the following:

    [For OpenSSH included in the base system]

    The following patches have been verified to apply to FreeBSD 4.6, 4.7,
    4.8, and 5.1 systems prior to the correction date.

    Download the appropriate patch and detached PGP signature from the following
    locations, and verify the signature using your PGP utility.

    [FreeBSD 4.6]
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh46.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh46.patch.asc

    [FreeBSD 4.7]
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh47.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh47.patch.asc

    [FreeBSD 4.8]
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch.asc

    [FreeBSD 5.1]
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh48.patch.asc

    [FreeBSD 4.8-STABLE / 4.9-PRERELEASE / 4.9-RC]
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh4s.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:15/openssh4s.patch.asc

    Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/sshd.patch
    # cd /usr/src/secure/usr.sbin/sshd
    # make obj && make depend && make all install

    Be sure to restart `sshd' after updating.

    # kill `cat /var/run/sshd.pid`
    # /usr/sbin/sshd

    or, in FreeBSD 5.x:

    # /etc/rc.d/sshd restart

    [For the OpenSSH ports]

    Do one of the following:

    1) Upgrade your entire ports collection and rebuild the OpenSSH port.

    2) Deinstall the old package and install a new package obtained from
    the following directory:


    [other platforms]
    Packages are not automatically generated for other platforms at this
    time due to lack of build resources.

    3) Download a new port skeleton for the openssh or openssh-portable
    port from:


    and use it to rebuild the port.

    4) Use the portcheckout utility to automate option (3) above. The
    portcheckout port is available in /usr/ports/devel/portcheckout or the
    package can be obtained from:


    Be sure to restart `sshd' after updating.

    # kill `cat /var/run/sshd.pid`
    # test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start

    VI. Correction details

    The following list contains the revision numbers of each file that was
    corrected in FreeBSD.

    Path Revision
    - -------------------------------------------------------------------------
      ports/security/openssh/Makefile 1.125
      ports/security/openssh/auth-pam.c 1.2
      ports/security/openssh/auth-pam.h 1.2
      ports/security/openssh/auth2-pam.c 1.2
      ports/security/openssh/patch-auth-chall.c 1.1
      ports/security/openssh-portable/Makefile 1.78
      ports/security/openssh-portable/auth2-pam-freebsd.c 1.5
      ports/security/openssh-portable/patch-auth-chall.c 1.1
      ports/security/openssh-portable/patch-auth-pam.c 1.1
      ports/security/openssh-portable/patch-auth-pam.h 1.1
    - -------------------------------------------------------------------------

    Branch Version string
    - -------------------------------------------------------------------------
    RELENG_4 OpenSSH_3.5p1 FreeBSD-20030924
    RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030924
    RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030924
    RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030924
    RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030924
    - -------------------------------------------------------------------------

    To view the version string of the OpenSSH server, execute the
    following command:

      % /usr/sbin/sshd -\?

    or for OpenSSH from the ports collection:

      % /usr/local/sbin/sshd -\?

    The version string is also displayed when a client connects to the

    VII. References

    Version: GnuPG v1.2.3 (FreeBSD)

    -----END PGP SIGNATURE-----
    freebsd-announce@freebsd.org mailing list
    To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

  • Next message: Dan Langille: "[FreeBSD-Announce] BSDCan 2004 announcement"