The flaw appears in an open-source implementation of the Pluggable Authentication Modules (PAMs), a technology adopted by Sun Solaris, Linux and BSD systems to let system administrators easily change the way users log into computers. The default login procedure could be changed to a smart-card-based procedure using a PAM, for example.
The project started using open-source versions of the new PAM functions in the latest release of OpenSSH. However, as with a flaw found last week, the current vulnerability affects only versions of OpenSSH that have a security technology known as privilege separation turned off.
"It is unexploitable in the default configuration," said Theo de Raadt, a cofounder of the OpenSSH project. Moreover, he said, the flaw apparently affects only OpenSSH running on Sun Solaris servers.
Privilege separation is a security mechanism that essentially divides programs into two parts: a small component with system privileges that can modify almost any file on the computer, and the rest of the program, which runs with restricted privileges. The mechanism reduces the size of the code that software engineers have to audit carefully, making the program easier to secure.
"It takes a regular bug that could be escalated (by an attack) and protects you from it," de Raadt said.
For that reason, knowledgeable system administrators are not likely to turn off the function. In that case, they wouldn't be affected by the newly discovered flaw.
After the flaw appeared on the popular Slashdot news blog, de Raadt criticised coverage of the issue as much ado about nothing. While acknowledging that the maintainers of OpenSSH had fixed two flaws in two weeks, he stressed that neither flaw affects systems in the default configuration.
"Open-source flaws that affect a handful of systems are getting as much coverage as Microsoft flaws that are affecting millions of systems," he said. It's unknown how many computer systems or network devices that use the OpenSSH code may have turned off privilege separation.
Information on the latest flaw and a link to the latest patch can be found on the OpenSSH Web site.
