Bug 1252861 (CVE-2015-6565)

Summary: CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: carnil, jaeshin, jjelen, mattias.ellert, mgrepl, plautrba, rhbugs, santony, sardella, security-response-team, szidek, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh 7.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-23 12:58:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1252862    
Bug Blocks: 1252864    

Description Adam Mariš 2015-08-12 11:54:35 UTC 
Bug was found in OpenSSH 6.8 and 6.9. Incorrectly set TTYs to be world-writable allow local attackers to be able to write arbitrary messages to logged-in users, including terminal escape sequences.

Upstream patch:

https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshpty.c.diff?r1=1.29&r2=1.30&f=h

CVE request:

http://seclists.org/oss-sec/2015/q3/327

External References:

http://www.openssh.com/txt/release-7.0
Comment 1 Adam Mariš 2015-08-12 11:55:10 UTC 
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1252862]
Comment 2 Fedora Update System 2015-08-18 05:19:34 UTC 
openssh-7.0p1-1.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-08-19 08:15:45 UTC 
openssh-6.9p1-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Adam Mariš 2015-08-25 12:45:49 UTC 
CVE assignment:

http://seclists.org/oss-sec/2015/q3/419
Comment 5 Adam Mariš 2015-09-03 08:25:46 UTC 
Interesting observation of how to exploit this vulnerability for code execution as the targeted user:

http://seclists.org/oss-sec/2015/q3/482
Comment 8 Tomas Hoger 2015-09-23 12:58:14 UTC 
This issue was introduced in the following upstream commit:

https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshpty.c.diff?r1=1.28&r2=1.29&f=h

That commit intentionally changed TTY permissions for systems without the tty group from S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH (622) to 600, but also unintentionally changed permissions for systems with the tty group from S_IRUSR | S_IWUSR | S_IWGRP (620) to 622.

The openssh versions as shipped Red Hat Enterprise Linux 7 and earlier did not include the above incorrect change and hence were not affected by this issue.

Statement:

This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 5, 6, and 7.