Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2003-0190: openssh: timing attacks possible | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Minor | ||
| Priority: | P3 - Medium | CC: | security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | CVE-2003-0190: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Thomas Biege
2004-11-18 18:00:04 UTC
This has nothing to do with ssh. This is a general problem with every application doing authentication stuff, even /bin/login. But since nobody else seems to see this, maybe we should ignore it, too.

Thorsten, we know.
BTW, Ubuntu released an advisory for it:
===========================================================
Ubuntu Security Notice USN-34-1 November 30, 2004
openssh information leakage
CAN-2003-0190
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
openssh-server
The problem can be corrected by upgrading the affected package to
version 1:3.8.1p1-11ubuntu3.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
@Mediaservice.net discovered two information leaks in the OpenSSH
server. When using password authentication, an attacker could
test whether a login name exists by measuring the time between
failed login attempts, i. e. the time after which the "password:"
prompt appears again.
A similar issue affects systems which do not allow root logins over
ssh ("PermitRootLogin no"). By measuring the time between login
attempts an attacker could check whether a given root password is
correct. This allowed determining weak root passwords using a brute
force attack.
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.1.diff.gz
Size/MD5: 145620 71fa539badedbda58b58ef29139fd413
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.1.dsc
Size/MD5: 878 5bdd27605cc38bce0cce01bcf9928808
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1.orig.tar.gz
Size/MD5: 795948 9ce6f2fa5b2931ce2c4c25f3af9ad50d
...
http://www.securityfocus.com/bid/11781/discussion/
http://www.securityfocus.com/bid/7482/discussion/
http://www.securityfocus.com/bid/7467/discussion/

Petr, now since this issue got noticed publicly did the OpenSSH folks react in some way?

Yes, there are some fixes, but not in the final state.
OpenSSH bugzilla: http://bugzilla.mindrot.org/show_bug.cgi?id=975
Mail thread about solving this bug:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=110392890022163&w=2
The following patches fix the problem:
http://bugzilla.mindrot.org/attachment.cgi?id=766
http://bugzilla.mindrot.org/attachment.cgi?id=771
http://bugzilla.mindrot.org/attachment.cgi?id=775

Thomas, could I make a security fix for all distros?

Good question. We decided it should be updated for SLES8 and SLES9 as well as STABLE. Box can be ignored. Ok?

SLES8 is not affected, I prepared a fix for 9.1 (=sles9) and 9.2 and submit it to stable. I appended 2 small patches (fixing restoring terminal setting after Ctrl+C during password prompt [#43309] and allowing users to see output from failing PAM session modules (openssh bugzilla#890)).

Perfect.

SM-Tracker-349

`patchinfo-box9.1und9.1.openssh' -> `/work/src/done/PATCHINFO/patchinfo-box9.1und9.1.openssh'
`patchinfo-sles9.openssh' -> `/work/src/done/PATCHINFO/patchinfo-sles9.openssh'

fixed packages approved.

CVE-2003-0190: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
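
The login-name leak described in the quoted advisory comes from an authentication path that does less work for unknown names than for existing ones. The sketch below is an example added here, not code from this bug report or from OpenSSH. It puts that pattern beside a version that does the same hashing work for every name, with PBKDF2 standing in for the system password hash and all names (`USERS`, `check_leaky`, `check_uniform`, `kdf_cost`) hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # constructed work factor for the demo
kdf_calls = 0         # counts expensive hash computations in this process

def kdf(password: str, salt: bytes) -> bytes:
    """Expensive password hash; its cost is what the timing leak exposes."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed account database: login name -> (salt, hash)
USERS = {"alice": make_record("correct horse")}
# Dummy record for unknown names; its random password is discarded.
DUMMY = make_record(os.urandom(16).hex())

def check_leaky(user: str, password: str) -> bool:
    """Pattern behind the leak: unknown names fail before any hashing."""
    record = USERS.get(user)
    if record is None:
        return False                      # fast path reveals "no such user"
    salt, stored = record
    return hmac.compare_digest(kdf(password, salt), stored)

def check_uniform(user: str, password: str) -> bool:
    """Same work for every name: hash against the dummy record if unknown."""
    record = USERS.get(user)
    salt, stored = record if record is not None else DUMMY
    match = hmac.compare_digest(kdf(password, salt), stored)
    return match and record is not None   # the dummy can never authenticate

def kdf_cost(check, user: str, password: str) -> int:
    """Number of KDF runs that one login attempt triggers."""
    before = kdf_calls
    check(user, password)
    return kdf_calls - before

if __name__ == "__main__":
    for fn in (check_leaky, check_uniform):
        print(fn.__name__, kdf_cost(fn, "alice", "x"), kdf_cost(fn, "nobody", "x"))
```

Counting KDF runs instead of measuring wall-clock time keeps the comparison deterministic. The same principle applies to the `PermitRootLogin no` case in the advisory: a policy rejection should only be applied after the same work as any other failed attempt.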