ALAS-2015-625 --- openssh, pam_ssh_agent_authID: oval:org.secpod.oval:def:1200025 | Date: (C)2016-01-04 (M)2024-02-19 |
Class: PATCH | Family: unix |
A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users.It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges.
Platform: |
Amazon Linux AMI |
Product: |
openssh |
pam_ssh_agent_auth |