Bug 1252844 (CVE-2015-6563)
| Summary: | CVE-2015-6563 openssh: Privilege separation weakness related to PAM support | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | carnil, jaeshin, jjelen, mattias.ellert, mgrepl, mike.r.karras, plautrba, rhbugs, santony, sardella, security-response-team, slawomir, szidek, tmraz, vkaigoro |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openssh 7.0 | Doc Type: | Bug Fix |
| Doc Text: |
A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-11 06:45:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1252854, 1265807, 1281468 | ||
| Bug Blocks: | 1210268, 1252864, 1278736 | ||
|
Description
Adam Mariš
2015-08-12 11:10:35 UTC
Created openssh tracking bugs for this issue: Affects: fedora-all [bug 1252854] Additional info from CVE request thread (http://seclists.org/oss-sec/2015/q3/343): ``` The vulnerable code for the two privsep issues was introduced with the merge of the FreeBSD PAM code in 2003: https://github.com/openssh/openssh-portable/commit/4f9f42a9bb6a6aa8f6100d873dc6344f2f9994de ``` openssh-7.0p1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. openssh-6.9p1-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. Is this CVE-2015-6563? The patches look the same. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6563 CVE assignment: http://seclists.org/oss-sec/2015/q3/419 openssh-6.6.1p1-16.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. Further details of this issue can be found in the advisory form the original reporter that was posted to the full-disclosure mailing list: http://seclists.org/fulldisclosure/2015/Aug/54 The advisory explicitly notes conditions required to exploit this flaw: - Attacker has to be able to fully compromise non-privileged pre-authentication process via some different flaw. (Note that the advisory indicates that OpenSSH introduced privilege separate support in version 5.9. However, privilege separation support was introduced in version 3.2.2 and enabled by default in 3.3. Version 5.9 introduced support for sandboxing of the privilege separated process.) - Attacker has to be able to successfully authenticated to SSH on the target system. When these conditions are met, this flaw could allow attacker to open SSH connection as different system user. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2088 https://rhn.redhat.com/errata/RHSA-2015-2088.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0741 https://rhn.redhat.com/errata/RHSA-2016-0741.html |