Re: CVE request - OpenSSH 6.9 PAM privilege separation vulnerabilities

[Damien Miller <djm () mindrot org>]

On Thu, 13 Aug 2015, Moritz Jodeit wrote:

> On 12.08.2015 22:48, Solar Designer wrote:
> > Thank you!
> >
> > Are systems with "keyboard interactive" and "challenge-response"
> > authentication disabled (all of PAMAuthenticationViaKbdInt,
> > KbdInteractiveAuthentication, and ChallengeResponseAuthentication, as
> > applicable to a given sshd version, set to no) affected by these issues
> > as well?  The code appears to be specific to this mode, but it isn't
> > immediately clear whether or not these configuration settings prevent
> > the vulnerable code from being reached in the privsep monitor even when
> > the privsep child is compromised.  If the settings do not currently
> > prevent the code from being reached (I hope they do), then this should
> > be corrected as a hardening measure.
>
> As long as UsePAM is enabled in the configuration, all the PAM-related
> monitor requests can be send to the monitor. This at least allows
> triggering the use-after-free even if all the settings you mentioned
> are set to "no". Not sure if a full authentication is possible in this
> case though.

Solar just reminded me of this branch of this old thread, prompting
me to tighten up OpenSSH's privilege separation monitor process:

https://anongit.mindrot.org/openssh.git/commit/?id=775f8a23f235
https://anongit.mindrot.org/openssh.git/commit/?id=7fd0ea8a1db4
https://anongit.mindrot.org/openssh.git/commit/?id=b38b95f5bcc5

(there'll be another one for GSSAPI once I can find someone to test it)

Together these more rigorously and explicitly enforce the expected
request flow in the monitor process.

Thanks for the reminder :)

-d