Bug 1328012 (CVE-2015-8325)
Summary: | CVE-2015-8325 openssh: privilege escalation via user's PAM environment and UseLogin=yes | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | Severity: | medium |
Priority: | medium | Version: | unspecified |
Hardware: | All | OS: | Linux |
Keywords: | Security | Doc Type: | Bug Fix |
Last Closed: | 2017-03-21 10:06:38 UTC | CC: | carnil, gnaik, jjelen, mattias.ellert, mgrepl, nitthoma, plautrba, rajurraju400, sardella, security-response-team, slawomir, szidek, tmraz, yozone |
Bug Depends On: | 1328013, 1328431, 1329191, 1405374 | Bug Blocks: | 1323912, 1328015, 1386080 |

Doc Text:
It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root.

Description
Andrej Nemec
2016-04-18 08:48:25 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1328013]

The impact is minimal.

1. The user_readenv is off by default in pam_env module.
2. UseLogin is set to no by default and in general there is not much sense in setting it to yes.

The question is whether the 'UseLogin yes' should be supported at all.

To extend what was mentioned in comment 2, the following conditions need to be met to exploit this issue:

1) sshd must be configured to use UseLogin=yes
2) PAM configuration for sshd must enable reading of users' ~/.pam_environment files

This is a non-default and very unlikely configuration of sshd on Red Hat Enterprise Linux.

- The default sshd configuration uses UseLogin=no.
- In Red Hat Enterprise Linux 6 and 7, configurations with UseLogin=yes do not work without setting SELinux to permissive mode or disabling it.
- While the default sshd PAM configuration uses the pam_env module, it's only used to read system configuration files. Reading of users' ~/.pam_environment is not enabled by default.
- PAM versions in Red Hat Enterprise Linux 5 and earlier do not support reading of users' environment settings and hence this issue cannot be exploited on those versions.

Created gsi-openssh tracking bugs for this issue:

Affects: fedora-all [bug 1328431]

openssh-7.2p2-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

openssh-7.2p2-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

May I know the openssl versions which are affected?

(In reply to venkatr07 from comment #15)
> May I know the openssl versions which are affected?

Hello, Bugzilla is not a support tool, please contact secalert if you have any questions about this issue.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2016:2588 https://rhn.redhat.com/errata/RHSA-2016-2588.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2017:0641 https://rhn.redhat.com/errata/RHSA-2017-0641.html
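
The two preconditions listed in the comments above can be checked on a host with a short audit script. This is an added example, not code from the bug report, OpenSSH or Red Hat; the function names and the sample configuration text are constructed for illustration. It assumes the PAM text passed in already includes any files pulled in through `include` or `substack` lines, since it does not follow them.

```python
import re
import sys

# Constructed sample inputs (not taken from the bug report).
SAMPLE_SSHD_DEFAULT = "#UseLogin no\nUsePAM yes\n"
SAMPLE_SSHD_RISKY = "UsePAM yes\nUseLogin yes\nUseLogin no\n"
SAMPLE_PAM_DEFAULT = "auth required pam_sepermit.so\nsession required pam_env.so\n"
SAMPLE_PAM_RISKY = "session required pam_env.so user_readenv=1  # per-user env\n"


def uselogin_enabled(sshd_config):
    """True if UseLogin is yes. sshd keeps the first value it reads; unset means no."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) == 2 and parts[0].lower() == "uselogin":
            return parts[1].strip().strip('"').lower() == "yes"
    return False


def user_readenv_enabled(pam_config):
    """True if any pam_env line carries user_readenv=1 (reads ~/.pam_environment)."""
    for raw in pam_config.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if any(t.endswith("pam_env.so") for t in tokens) and "user_readenv=1" in tokens:
            return True
    return False


def check_preconditions(sshd_config, pam_config):
    """Report the two conditions listed in the bug and whether both hold."""
    result = {
        "uselogin_yes": uselogin_enabled(sshd_config),
        "user_readenv": user_readenv_enabled(pam_config),
    }
    result["both_met"] = result["uselogin_yes"] and result["user_readenv"]
    return result


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script SSHD_CONFIG PAM_FILE
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            print(check_preconditions(f1.read(), f2.read()))
    else:
        print("default-like:", check_preconditions(SAMPLE_SSHD_DEFAULT, SAMPLE_PAM_DEFAULT))
        print("risky:", check_preconditions(SAMPLE_SSHD_RISKY, SAMPLE_PAM_RISKY))
```

On a typical Linux host the two arguments would be `/etc/ssh/sshd_config` and `/etc/pam.d/sshd`; a host is only in the affected configuration when `both_met` is true.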