Contributed by Dengue on from the pay-attention-to-this dept.
*note*: this article has been updated to more correctly represent the facts
OpenSSH-2.3.1, a development snapshot, only checked if a public key for public key authentication was permitted. In the protocol 2 part of the server, the challenge-response step that ensures that the connecting client is in possession of the corresponding private key has been omitted. As a result, anyone who could obtain the public key listed in the users authorized_keys file could log in as that user without authentication. A fix for this problem was committed on Februrary 8th. The problem was introduced on January 18th. This is a three week time window.
----------------------------------------------------------------------------
OpenBSD Security Advisory
February 8, 2001
Authentication By-Pass Vulnerability in OpenSSH-2.3.1
----------------------------------------------------------------------------
SYNOPSIS
OpenSSH-2.3.1, a development snapshot, only checked if a public key
for public key authentication was permitted. In the protocol 2 part
of the server, the challenge-response step that ensures that the
connecting client is in possession of the corresponding private key
has been omitted. As a result, anyone who could obtain the public key
listed in the users authorized_keys file could log in as that user
without authentication.
A fix for this problem was committed on Februrary 8th. The problem
was introduced on January 18th. This is a three week time window.
----------------------------------------------------------------------------
AFFECTED SYSTEMS
This vulnerability affects only OpenSSH version 2.3.1 with support for
protocol 2 enabled. The latest official release OpenSSH 2.3.0 is not
affected by this problem. The latest snapshot version OpenSSH 2.3.2
is not affected either.
----------------------------------------------------------------------------
RESOLUTION
If you installed the OpenSSH 2.3.1 development snapshot, install the
latest snapshot. Currently, the latest snapshot is OpenSSH 2.3.2 which
is available via http://www.openssh.com/.
----------------------------------------------------------------------------
For Further information:
- OpenSSH Security
- Bindview Security Advisory: Remote vulnerability in SSH daemon crc32 compensation attack detector
- http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm
- http://www.core-sdi.com/advisories/buffer_over_ing.htm
- http://www.core-sdi.com/advisories/ssh-advisory.htm
- http://www.securityfocus.com.com/bid/2347
- http://www.securityfocus.com.com/bid/2222
- http://www.securityfocus.com.com/bid/2117
- http://www.securityfocus.com.com/bid/1949
- http://www.securityfocus.com/bid/1426
- http://www.securityfocus.com/bid/1323
- http://www.securityfocus.com/bid/1006
- http://www.securityfocus.com/bid/843
- http://www.securityfocus.com/bid/660
(Comments are closed)
By proof () proof at xcheese org on http://www.xcheese.org/~proof