The recently reported OpenSSH vulnerability CVE-2023-48795 applies to supported versions of PAM (4.2.x); however, the severity of this CVE is moderate (5.9) because of its limited impact. A fix is available in OpenSSH 9.6, released mid December 2023. IMS Symantec PAM has scheduled an update of the OpenSSH module to the remediated version (9.6) or newer in a future release of PAM. As the OpenSSH release notes show, their assessment of the exploitability is low.
https://www.openssh.com/releasenotes.html
"While cryptographically novel, the security impact of this attack is fortunately very limited as it only allows deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user authentication from proceeding and results in a stuck connection."
Additionally, Red Hat noted the following mitigations:
"As an alternate less invasive countermeasure, the affected cipher modes chacha20-poly1305 and any encrypt-then-mac variants (generic EtM) may be (temporarily) disabled. Some cipher modes, in particular AES-GCM, are not affected and can still be used without changes.
You can disable the following ciphers and HMACs as a workaround:
1. chacha20-poly1305
2. hmac-sha2-512-etm
3. hmac-sha2-256-etm
4. hmac-sha1-etm
5. hmac-md5-etm"
The KEX, cipher and hash settings in Symantec PAM can be edited under Configuration > Security > Cryptography > SSH Proxy. Uncheck "Use Default", then edit the listed ciphers and hashes as needed.
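A check for the Red Hat workaround above against a plain OpenSSH server configuration, added here as an example and not code from Symantec, Red Hat or OpenSSH: it reads the `Ciphers` and `MACs` directives of an sshd_config using OpenSSH's full algorithm names (the list above omits the `@openssh.com` suffix) and reports whether chacha20-poly1305 or any encrypt-then-MAC variant is still offered, including the umac-*-etm MACs that fall under "any encrypt-then-mac variants". It assumes OpenSSH's first-value-wins rule and its `-`/`+`/`^` prefix syntax; the sample configuration is constructed.

```python
import fnmatch
import re
# OpenSSH wire names for the algorithms Red Hat lists (the page omits the
# "@openssh.com" suffix); umac-*-etm are EtM variants too. AES-GCM is unaffected.
AFFECTED = {
    "Ciphers": ["chacha20-poly1305@openssh.com"],
    "MACs": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "hmac-sha1-etm@openssh.com", "hmac-md5-etm@openssh.com",
             "umac-64-etm@openssh.com", "umac-128-etm@openssh.com"],
}
# Hardened directives in OpenSSH's "-" (remove from the default set) syntax.
HARDENED = {"Ciphers": "Ciphers -chacha20-poly1305@openssh.com",
            "MACs": "MACs -*-etm@openssh.com"}

def audit_sshd_config(text):
    """Map Ciphers/MACs to (status, affected names still offered). status is
    "default" (directive absent or "+"/"^" form, so the built-in defaults,
    which include the affected algorithms, apply), "exposed" or "ok"."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # ignore comments
        m = re.match(r"(ciphers|macs)\s+(\S+)$", line, re.IGNORECASE)
        if m:
            key = "Ciphers" if m.group(1).lower() == "ciphers" else "MACs"
            seen.setdefault(key, m.group(2))                 # first value wins
    report = {}
    for key, affected in AFFECTED.items():
        value = seen.get(key)
        if value is None or value[0] in "+^":
            left, status = list(affected), "default"
        elif value[0] == "-":                                # removal patterns
            pats = value[1:].split(",")
            left = [a for a in affected
                    if not any(fnmatch.fnmatch(a, p) for p in pats)]
            status = "exposed" if left else "ok"
        else:                                                # explicit list
            left = [a for a in value.split(",") if a in affected]
            status = "exposed" if left else "ok"
        report[key] = (status, left)
    return report

# Constructed sample fragment, not taken from any real host: the explicit cipher
# list still offers chacha20-poly1305 and the MACs line removes only one EtM MAC.
SAMPLE_CONFIG = """\
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
MACs -hmac-sha2-512-etm@openssh.com
"""

if __name__ == "__main__":
    for key, (status, left) in audit_sshd_config(SAMPLE_CONFIG).items():
        print(key, status, left, "| hardened form:", HARDENED[key])
```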
If you have any further questions regarding this CVE, please contact your support representative.