Bug 492153 - (CVE-2009-1273) CVE-2009-1273 pam_ssh: Password prompt varies for existent and non-existent users
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://bugs.gentoo.org/show_bug.cgi?i...
Whiteboard: reported=20090324,public=20090324,sou...
Keywords: Security
Reported: 2009-03-25 12:39 EDT by Jan Lieskovsky
Modified: 2009-05-04 07:29 EDT
CC List: 2 users

Doc Type: Bug Fix
Last Closed: 2009-05-04 07:29:33 EDT

Attachments
pam_ssh first prompt patch (847 bytes, patch)
2009-03-26 11:07 EDT, Dmitry Butskoy

Description Jan Lieskovsky 2009-03-25 12:39:06 EDT
A security flaw was found in a PAM module providing user authentication based
on SSH keys. A remote attacker could use this flaw to recognize whether a given
username/login belongs to the set of user accounts existing on the system,
and subsequently perform a dictionary-based password guessing attack.
Comment 1 Jan Lieskovsky 2009-03-25 12:39:49 EDT
This issue affects all versions of the pam_ssh package, as shipped
with Fedora releases 9, 10, and devel.
Comment 3 Dmitry Butskoy 2009-03-25 13:47:18 EDT
I cannot guess how to reproduce this.

Could you point me to exact pam.d configuration for tests?
Comment 5 Dmitry Butskoy 2009-03-26 11:05:55 EDT
Well,

I've made a patch for the behaviour similar to pam_ldap.

When we detect that it is the first password prompt in the PAM chain, we always use the standard "Password: " prompt; otherwise we use pam_ssh's own prompt if it is needed.
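The enumeration oracle from the description and the first-prompt rule from comment 5, reduced to a small model. This is an added illustration, not pam_ssh's code or the attached patch: the PAM stack is shrunk to the single decision of which prompt text the module sends back to the client, the set of accounts and which of them hold SSH keys is constructed, and the assumption that the pre-fix module answered with its passphrase prompt exactly when it found key material for the named user is the model's, taken from the bug title rather than from the page's code. How the fixed module detects "first prompt in the chain" is likewise an assumption (here: whether an authentication token has already been stored).

```python
"""Model of the CVE-2009-1273 prompt oracle and of the fix described above.

Added example, not pam_ssh's code. Accounts, key ownership, and the prompt
strings are constructed for the illustration.
"""
from dataclasses import dataclass, field

# Constructed sample system: existing accounts, and whether each one has
# SSH key material the module could ask a passphrase for.
EXISTING_USERS = {"alice": True, "bob": False, "carol": True}

SSH_PROMPT = "SSH passphrase: "   # pam_ssh's own prompt text (assumed wording)
STD_PROMPT = "Password: "         # the standard prompt the fix falls back to


@dataclass
class Conversation:
    """State of one login attempt as seen by the module and the client."""
    authtok_set: bool = False            # an earlier module already prompted
    prompts: list = field(default_factory=list)


def vulnerable_prompt(user: str, conv: Conversation) -> str:
    """Pre-fix behaviour (model assumption): ask for a passphrase when key
    material exists for the user, otherwise fall back to the generic prompt.
    The prompt text therefore tells the client whether the account exists
    (and has keys) before any credential is checked."""
    prompt = SSH_PROMPT if EXISTING_USERS.get(user) else STD_PROMPT
    conv.prompts.append(prompt)
    conv.authtok_set = True
    return prompt


def fixed_prompt(user: str, conv: Conversation) -> str:
    """Post-fix behaviour per comment 5: the first password prompt in the
    chain is always the standard one, so it carries no per-user information.
    Only a later prompt (an earlier module already collected a token) may
    use pam_ssh's own text; the page says nothing about what that later
    prompt reveals, so this model does not claim it is uniform."""
    if not conv.authtok_set:
        prompt = STD_PROMPT
    else:
        prompt = SSH_PROMPT if EXISTING_USERS.get(user) else STD_PROMPT
    conv.prompts.append(prompt)
    conv.authtok_set = True
    return prompt


def enumerate_users(candidates, prompt_fn):
    """Attacker side: start a fresh login per candidate and flag it whenever
    the first prompt differs from the generic one. Against the vulnerable
    module this yields accounts that have SSH keys; against the fixed module
    every candidate looks identical and nothing is learned."""
    found = set()
    for user in candidates:
        conv = Conversation()
        if prompt_fn(user, conv) != STD_PROMPT:
            found.add(user)
    return found


def first_prompt_leaks(prompt_fn, candidates) -> bool:
    """Check a module's first-prompt behaviour: it leaks if any two
    candidates receive different prompt text on a fresh conversation."""
    seen = {prompt_fn(u, Conversation()) for u in candidates}
    return len(seen) > 1


if __name__ == "__main__":
    probes = ["alice", "bob", "carol", "mallory", "nobody"]
    print("vulnerable:", sorted(enumerate_users(probes, vulnerable_prompt)))
    print("fixed:     ", sorted(enumerate_users(probes, fixed_prompt)))
```

The same `first_prompt_leaks` check is the test to run against any PAM stack after a change of this kind: drive a fresh conversation for a known user, a keyless user and a nonexistent one, and require that the first prompt string (and ideally its timing) is identical for all three.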
Comment 6 Dmitry Butskoy 2009-03-26 11:07:21 EDT
Created attachment 336821
pam_ssh first prompt patch

Please, test it in your environments.
Comment 7 Dmitry Butskoy 2009-03-26 11:21:55 EDT
See pam_ssh-1.92-10 at http://kojipkgs.fedoraproject.org/packages/pam_ssh/1.92/
Comment 8 Tomas Hoger 2009-04-09 03:58:07 EDT
CVE-2009-1273:
pam_ssh 1.92 and possibly other versions, as used when PAM is compiled
with USE=ssh, generates different error messages depending on whether
the username is valid or invalid, which makes it easier for remote
attackers to enumerate usernames.
Comment 9 Dmitry Butskoy 2009-04-09 07:24:27 EDT
I cannot put the updates (see comment #7) further... Perhaps I do not have enough rights for security updates.
Comment 10 Tomas Hoger 2009-04-09 08:45:57 EDT
(In reply to comment #9)
> I cannot put the updates (see comment #7) further... Perhaps I do not have enough
> rights for security updates.

Ugh?  Can you clarify what exactly you can't do?  I see some built in koji for each Fedora version, so I can only guess your problem is with bodhi, but it should not have any restriction to prevent you from submitting the updates.
Comment 11 Dmitry Butskoy 2009-04-09 08:52:17 EDT
I can't submit the update for F10 ("security", "testing", bug number, do not karma) -- answers something like "server error".
Comment 12 Fedora Update System 2009-04-09 09:03:32 EDT
pam_ssh-1.92-10.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/pam_ssh-1.92-10.fc10
Comment 13 Fedora Update System 2009-04-09 09:03:36 EDT
pam_ssh-1.92-10.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/pam_ssh-1.92-10.fc9
Comment 14 Tomas Hoger 2009-04-09 09:04:51 EDT
Odd, did work for me just fine...  Can you check these and do changes you wanted to do?  Thank you!
  https://admin.fedoraproject.org/updates/pam_ssh
Comment 15 Dmitry Butskoy 2009-04-09 09:12:17 EDT
Well, perhaps it was some temporary issue...
Comment 16 Tomas Hoger 2009-04-29 02:25:57 EDT
Dmitry, if new packages in testing are working fine, can you change request to stable?  Thank you!
Comment 17 Dmitry Butskoy 2009-04-29 08:33:48 EDT
Done.
Comment 18 Fedora Update System 2009-05-02 12:38:48 EDT
pam_ssh-1.92-10.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2009-05-02 12:42:50 EDT
pam_ssh-1.92-10.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.