FreeBSD Local Security Checks : FreeBSD Security Advisory (FreeBSD-SA-11:09.pam

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.70763

Kategorie: FreeBSD Local Security Checks

Titel: FreeBSD Security Advisory (FreeBSD-SA-11:09.pam_ssh.asc)

Zusammenfassung: The remote host is missing an update to the system; as announced in the referenced advisory FreeBSD-SA-11:09.pam_ssh.asc

Beschreibung: Summary:
The remote host is missing an update to the system
as announced in the referenced advisory FreeBSD-SA-11:09.pam_ssh.asc

Vulnerability Insight:
The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown. It is
used not only in the base system, but also by a large number of
third-party applications.

Various authentication methods (UNIX, LDAP, Kerberos etc.) are
implemented in modules which are loaded and executed according to
predefined, named policies. These policies are defined in
/etc/pam.conf, /etc/pam.d/, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/.

The base system includes a module named pam_ssh which, if enabled,
allows users to authenticate themselves by typing in the passphrase of
one of the SSH private keys which are stored in encrypted form in the
their .ssh directory. Authentication is considered successful if at
least one of these keys could be decrypted using the provided
passphrase.

By default, the pam_ssh module rejects SSH private keys with no
passphrase. A nullok option exists to allow these keys.

The OpenSSL library call used to decrypt private keys ignores the
passphrase argument if the key is not encrypted. Because the pam_ssh
module only checks whether the passphrase provided by the user is
null, users with unencrypted SSH private keys may successfully
authenticate themselves by providing a dummy passphrase.

Solution:
Upgrade your system to the appropriate stable release
or security branch dated after the correction date.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Copyright Copyright (C) 2012 E-Soft Inc.

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.70763
Kategorie:	FreeBSD Local Security Checks
Titel:	FreeBSD Security Advisory (FreeBSD-SA-11:09.pam_ssh.asc)
Zusammenfassung:	The remote host is missing an update to the system; as announced in the referenced advisory FreeBSD-SA-11:09.pam_ssh.asc
Beschreibung:	Summary: The remote host is missing an update to the system as announced in the referenced advisory FreeBSD-SA-11:09.pam_ssh.asc Vulnerability Insight: The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. It is used not only in the base system, but also by a large number of third-party applications. Various authentication methods (UNIX, LDAP, Kerberos etc.) are implemented in modules which are loaded and executed according to predefined, named policies. These policies are defined in /etc/pam.conf, /etc/pam.d/, /usr/local/etc/pam.conf or /usr/local/etc/pam.d/. The base system includes a module named pam_ssh which, if enabled, allows users to authenticate themselves by typing in the passphrase of one of the SSH private keys which are stored in encrypted form in the their .ssh directory. Authentication is considered successful if at least one of these keys could be decrypted using the provided passphrase. By default, the pam_ssh module rejects SSH private keys with no passphrase. A nullok option exists to allow these keys. The OpenSSL library call used to decrypt private keys ignores the passphrase argument if the key is not encrypted. Because the pam_ssh module only checks whether the passphrase provided by the user is null, users with unencrypted SSH private keys may successfully authenticate themselves by providing a dummy passphrase. Solution: Upgrade your system to the appropriate stable release or security branch dated after the correction date. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Copyright	Copyright (C) 2012 E-Soft Inc.