Message-ID: <8ECF0983E0787940A3B56C1179D3E4588F5B07B625@SSHEX02.ad.ssh.com>
Date: Mon, 3 Dec 2012 19:17:45 +0200
From: <Samuel.Lavitt@....com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: SSH.com Communications SSH Tectia
 Authentication Bypass Remote Zeroday Exploit (king cope)

High/Critical severity remote authentication bypass in Tectia SSH Server - Workaround

SUMMARY
On Sunday, December 2, 2012, a remote authentication bypass vulnerability was disclosed that affects the current Unix/Linux versions of Tectia SSH Server. The client is not affected. Windows and zOS servers are not affected. Servers that already have "old-style" password authentication disabled are not affected. Password authentication through keyboard-interactive authentication is safe.
This vulnerability exploits a bug in the SSH USERAUTH CHANGE REQUEST function. This vulnerability has been confirmed by internal testing.
A workaround is to disable "old-style" password authentication on affected versions. The bug only affects “old-style” password authentication. Keyboard-interactive, GSSAPI, and public key authentication methods are not affected.

AFFECTED PRODUCTS AND VERSIONS
SSH Tectia Server 6.0.4 to 6.0.20
SSH Tectia Server 6.1.0 to 6.1.12
SSH Tectia Server 6.2.0 to 6.2.5
SSH Tectia Server 6.3.0 to 6.3.2
Only the Unix/Linux versions of these products are affected (not Windows or zOS).

CURRENT SITUATION
An effective workaround exists. Updated versions providing a permanent fix to this issue are in testing and are expected to be released within the next 24-48 hours.

WORKAROUND
An immediate workaround is to disable “old-style” password authentication by editing the /etc/ssh2/ssh-server-config.xml configuration file. Comment out the line containing <auth-password /> (all of them, if there are several). In XML, the comment syntax is <!-- … -->, i.e., change the line to:
<!-- <auth-password /> -->
WE STRONGLY ADVISE MAKING THIS CHANGE IMMEDIATELY, AT LEAST ON ALL EXTERNAL FACING SERVERS.

Note: it is also good to make sure you have keyboard-interactive enabled so that you don't completely prevent password authentication, i.e., that the following is in the server configuration file:
<auth-keyboard-interactive>
<submethod-password />
</auth-keyboard-interactive>
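
One way to confirm that a server configuration has the workaround applied, as an added example that is not part of the original advisory or SSH Communications Security's code. It checks that no active <auth-password /> element remains and that keyboard-interactive password authentication is present; the wrapper elements in the constructed samples and the function name audit_config are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples. Only auth-password, auth-keyboard-interactive and
# submethod-password come from the advisory; the wrapper elements are assumed.
VULNERABLE = """<secsh-server><authentication-methods><authentication>
  <auth-password />
  <auth-publickey />
</authentication></authentication-methods></secsh-server>"""

WORKAROUND = """<secsh-server><authentication-methods><authentication>
  <!-- <auth-password /> -->
  <auth-publickey />
  <auth-keyboard-interactive>
    <submethod-password />
  </auth-keyboard-interactive>
</authentication></authentication-methods></secsh-server>"""


def audit_config(xml_text):
    """Return findings; an empty list means the workaround is fully applied."""
    # The default parser discards comments, so a commented-out
    # <auth-password /> is not counted as active.
    root = ET.fromstring(xml_text)
    findings = []
    active = len(list(root.iter("auth-password")))
    if active:
        findings.append(f"{active} active <auth-password /> element(s); comment out all of them")
    kbd_password = any(
        kbi.find("submethod-password") is not None
        for kbi in root.iter("auth-keyboard-interactive")
    )
    if not kbd_password:
        findings.append("no <auth-keyboard-interactive> with <submethod-password />; "
                        "password logins will not work once auth-password is disabled")
    return findings


if __name__ == "__main__":
    # Pass the path to ssh-server-config.xml, or run with no arguments for the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            configs = {sys.argv[1]: fh.read()}
    else:
        configs = {"VULNERABLE": VULNERABLE, "WORKAROUND": WORKAROUND}
    for name, text in configs.items():
        result = audit_config(text)
        print(name, "OK" if not result else result)
```

Because the check looks for the elements anywhere in the document, it also catches a configuration where one <auth-password /> line was commented out but another was left active.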

SSH Communications Security would like to credit "king cope", isowarez.isowarez.isowarez@...glemail.com, with this discovery, as that was the first report we received of this issue.