Bug 1252852 (CVE-2015-6564)

Summary: CVE-2015-6564 openssh: Use-after-free bug related to PAM support
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, gnaik, jaeshin, jjelen, mattias.ellert, mgrepl, mike.r.karras, plautrba, rhbugs, santony, sardella, security-response-team, slawomir, szidek, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh 7.0 Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-11 06:44:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1252853, 1265807, 1281468    
Bug Blocks: 1210268, 1252864, 1278736    

Description Adam Mariš 2015-08-12 11:25:45 UTC 
Use-after-free bug was found in openssh package. The vulnerability is exploitable by attackers who could compromise the pre-authentication process for remote code execution.

Upstream patch:

https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7

CVE request:

http://seclists.org/oss-sec/2015/q3/319

External References:

http://www.openssh.com/txt/release-7.0
Comment 1 Adam Mariš 2015-08-12 11:26:37 UTC 
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1252853]
Comment 2 Fedora Update System 2015-08-18 05:19:29 UTC 
openssh-7.0p1-1.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-08-19 08:15:49 UTC 
openssh-6.9p1-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Slawomir Czarko 2015-08-25 08:08:05 UTC 
Is this CVE-2015-6564? The patches look the same.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6564
Comment 5 Adam Mariš 2015-08-25 12:41:49 UTC 
CVE assignment:

http://seclists.org/oss-sec/2015/q3/419
Comment 6 Fedora Update System 2015-08-27 23:48:57 UTC 
openssh-6.6.1p1-16.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Tomas Hoger 2015-09-23 19:49:04 UTC 
Further details of this issue can be found in the advisory form the original reporter that was posted to the full-disclosure mailing list:

http://seclists.org/fulldisclosure/2015/Aug/54

The advisory indicates that the use-after-free can only be triggered if attacker is able to fully compromise non-privileged pre-authentication process using some different flaw.  Reporter also indicates that they were unable to leverage this issue for any practical attack.
Comment 14 errata-xmlrpc 2015-11-19 08:05:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2088 https://rhn.redhat.com/errata/RHSA-2015-2088.html
Comment 17 errata-xmlrpc 2016-05-10 19:29:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0741 https://rhn.redhat.com/errata/RHSA-2016-0741.html