| Field | Value |
|---|---|
| Summary | <sys-auth/pam_ssh-1.97: Information disclosure if pam compiled with USE=ssh (usernames can be verified) (CVE-2009-1273) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Kai Krakow <hurikhan77+bgo> |
| Assignee | Gentoo Security <security> |
| CC | pam-bugs+disabled |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | |

Description
Kai Krakow
2009-03-24 09:44:22 UTC
CVE-2009-1273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1273): pam_ssh 1.92 and possibly other versions, as used when PAM is compiled with USE=ssh, generates different error messages depending on whether the username is valid or invalid, which makes it easier for remote attackers to enumerate usernames.

Created attachment 194306
A proposed patch to the brute-force username enumeration vulnerability.

This patch should fix the vulnerability described -- which was also present in the latest version, pam_ssh-1.97.

Comment on attachment 194306
A proposed patch to the brute-force username enumeration vulnerability.

Actually, the bug was fixed in version 1.97:

> $Id: NEWS,v 1.12 2009/04/11 19:43:44 rosenauer Exp $
>
> Version 1.97
> ============
>
> SECURITY FIX: pam_ssh used a certain prompt if a user found to exist
> to ask for the SSH passphrase explicitely depending on whether the
> username was valid or invalid, which made it easier for remote
> attackers to enumerate usernames. (CVE-2009-1273)

Thanks Mansour, version 1.97 is in tree, if security team wants to handle the bug.

Arches, please test and mark stable:
=sys-auth/pam_ssh-1.97
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Stable for HPPA.

amd64/x86 stable

Please do stable 1.97-r1 rather than -r0. Thanks!

Re-adding arches as per comment #8 and bug 279538.

amd64/x86 stable

alpha/arm/ia64/m68k/s390/sh/sparc stable

Stable for HPPA.

ppc64 done

ppc stable

glsa: yes

This issue has been fixed since Aug 09, 2009. No GLSA will be issued.
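
The flaw class described in this report, as an added example that is not part of the bug thread, the attached patch, or pam_ssh's source: a simplified model of a pre-authentication prompt that depends on the account lookup, one way to harden it, and a regression check a module author could keep in a test suite. The user table, prompt strings and all function names are constructed for illustration.

```c
/* Added illustration: simplified model of the prompt-selection flaw in
 * CVE-2009-1273. Not pam_ssh source; users, prompts and names are constructed. */
#include <stdio.h>
#include <string.h>

#define PROMPT_SSH     "SSH passphrase: "   /* constructed prompt text */
#define PROMPT_GENERIC "Password: "         /* constructed prompt text */

/* Constructed stand-in for the account database (getpwnam in a real module). */
static const char *const known_users[] = { "alice", "bob" };

static int user_exists(const char *name)
{
    for (size_t i = 0; i < sizeof known_users / sizeof known_users[0]; i++)
        if (strcmp(name, known_users[i]) == 0)
            return 1;
    return 0;
}

/* Flawed pattern: the prompt is chosen before authentication from the
 * result of the account lookup, so the prompt itself reveals validity. */
static const char *prompt_vulnerable(const char *name)
{
    return user_exists(name) ? PROMPT_SSH : PROMPT_GENERIC;
}

/* Hardened pattern: the lookup still happens (its result decides the
 * outcome after the secret is entered) but never reaches the prompt. */
static const char *prompt_fixed(const char *name)
{
    (void)user_exists(name);
    return PROMPT_SSH;
}

typedef const char *(*prompt_fn)(const char *);

/* Regression check: returns 1 if the pre-auth prompt differs between a
 * known and an unknown account, i.e. the module leaks account validity. */
static int prompt_leaks_validity(prompt_fn f, const char *known, const char *unknown)
{
    return strcmp(f(known), f(unknown)) != 0;
}

int main(void)
{
    printf("vulnerable leaks: %d\n", prompt_leaks_validity(prompt_vulnerable, "alice", "mallory"));
    printf("fixed leaks:      %d\n", prompt_leaks_validity(prompt_fixed, "alice", "mallory"));
    return 0;
}
```

The same check applies to any other pre-authentication output of a module, such as error text, not only the prompt string.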