FreeBSD Local Security Checks : FreeBSD Security Advisory (FreeBSD-SA-11:09.pam

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.70763

Categoría: FreeBSD Local Security Checks

Título: FreeBSD Security Advisory (FreeBSD-SA-11:09.pam_ssh.asc)

Resumen: The remote host is missing an update to the system; as announced in the referenced advisory FreeBSD-SA-11:09.pam_ssh.asc

Descripción: Summary:
The remote host is missing an update to the system
as announced in the referenced advisory FreeBSD-SA-11:09.pam_ssh.asc

Vulnerability Insight:
The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown. It is
used not only in the base system, but also by a large number of
third-party applications.

Various authentication methods (UNIX, LDAP, Kerberos etc.) are
implemented in modules which are loaded and executed according to
predefined, named policies. These policies are defined in
/etc/pam.conf, /etc/pam.d/, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/.

The base system includes a module named pam_ssh which, if enabled,
allows users to authenticate themselves by typing in the passphrase of
one of the SSH private keys which are stored in encrypted form in the
their .ssh directory. Authentication is considered successful if at
least one of these keys could be decrypted using the provided
passphrase.

By default, the pam_ssh module rejects SSH private keys with no
passphrase. A nullok option exists to allow these keys.

The OpenSSL library call used to decrypt private keys ignores the
passphrase argument if the key is not encrypted. Because the pam_ssh
module only checks whether the passphrase provided by the user is
null, users with unencrypted SSH private keys may successfully
authenticate themselves by providing a dummy passphrase.

Solution:
Upgrade your system to the appropriate stable release
or security branch dated after the correction date.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Copyright Copyright (C) 2012 E-Soft Inc.

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.70763
Categoría:	FreeBSD Local Security Checks
Título:	FreeBSD Security Advisory (FreeBSD-SA-11:09.pam_ssh.asc)
Resumen:	The remote host is missing an update to the system; as announced in the referenced advisory FreeBSD-SA-11:09.pam_ssh.asc
Descripción:	Summary: The remote host is missing an update to the system as announced in the referenced advisory FreeBSD-SA-11:09.pam_ssh.asc Vulnerability Insight: The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. It is used not only in the base system, but also by a large number of third-party applications. Various authentication methods (UNIX, LDAP, Kerberos etc.) are implemented in modules which are loaded and executed according to predefined, named policies. These policies are defined in /etc/pam.conf, /etc/pam.d/, /usr/local/etc/pam.conf or /usr/local/etc/pam.d/. The base system includes a module named pam_ssh which, if enabled, allows users to authenticate themselves by typing in the passphrase of one of the SSH private keys which are stored in encrypted form in the their .ssh directory. Authentication is considered successful if at least one of these keys could be decrypted using the provided passphrase. By default, the pam_ssh module rejects SSH private keys with no passphrase. A nullok option exists to allow these keys. The OpenSSL library call used to decrypt private keys ignores the passphrase argument if the key is not encrypted. Because the pam_ssh module only checks whether the passphrase provided by the user is null, users with unencrypted SSH private keys may successfully authenticate themselves by providing a dummy passphrase. Solution: Upgrade your system to the appropriate stable release or security branch dated after the correction date. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Copyright	Copyright (C) 2012 E-Soft Inc.