Bug 1252844 - (CVE-2015-6563) CVE-2015-6563 openssh: Privilege separation weakness related to PAM support
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150811,repor...
Keywords: Security
Depends On: 1252854 1265807 1281468
Blocks: 1210268 1252864 1278736
Reported: 2015-08-12 07:10 EDT by Adam Mariš
Modified: 2016-05-11 02:45 EDT (History)
Fixed In Version: openssh 7.0
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users.
Last Closed: 2016-05-11 02:45:56 EDT
External Trackers:
  Red Hat Knowledge Base (Solution) 1580743
  Red Hat Product Errata RHSA-2015:2088 (SHIPPED_LIVE) Moderate: openssh security, bug fix, and enhancement update; last updated 2015-11-19 03:38:51 EST
  Red Hat Product Errata RHSA-2016:0741 (SHIPPED_LIVE) Moderate: openssh security, bug fix, and enhancement update; last updated 2016-05-10 18:29:45 EDT
Description Adam Mariš 2015-08-12 07:10:35 EDT
Privilege separation weakness related to PAM support allowing the attacker to impersonate other users was found in the openssh package. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users.

Upstream patch:

https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b

CVE request:

http://seclists.org/oss-sec/2015/q3/319

External References:

http://www.openssh.com/txt/release-7.0
Comment 1 Adam Mariš 2015-08-12 07:26:55 EDT
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1252854]
Comment 2 Vasyl Kaigorodov 2015-08-13 08:26:05 EDT
Additional info from CVE request thread (http://seclists.org/oss-sec/2015/q3/343):

```
The vulnerable code for the two privsep issues was introduced with the merge of the FreeBSD PAM code in 2003:

https://github.com/openssh/openssh-portable/commit/4f9f42a9bb6a6aa8f6100d873dc6344f2f9994de
```
Comment 3 Fedora Update System 2015-08-18 01:19:31 EDT
openssh-7.0p1-1.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-08-19 04:15:47 EDT
openssh-6.9p1-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Slawomir Czarko 2015-08-25 04:09:16 EDT
Is this CVE-2015-6563? The patches look the same.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6563
Comment 6 Adam Mariš 2015-08-25 08:44:16 EDT
CVE assignment:

http://seclists.org/oss-sec/2015/q3/419
Comment 7 Fedora Update System 2015-08-27 19:48:54 EDT
openssh-6.6.1p1-16.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2015-09-23 11:21:42 EDT
Further details of this issue can be found in the advisory from the original reporter that was posted to the full-disclosure mailing list:

http://seclists.org/fulldisclosure/2015/Aug/54

The advisory explicitly notes conditions required to exploit this flaw:

- Attacker has to be able to fully compromise non-privileged pre-authentication process via some different flaw.  (Note that the advisory indicates that OpenSSH introduced privilege separation support in version 5.9.  However, privilege separation support was introduced in version 3.2.2 and enabled by default in 3.3.  Version 5.9 introduced support for sandboxing of the privilege separated process.)

- Attacker has to be able to successfully authenticate to SSH on the target system.

When these conditions are met, this flaw could allow an attacker to open an SSH connection as a different system user.
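The trust-boundary mistake described in comment 10 and in the Doc Text, as an added example that is not OpenSSH's code: a simplified C model of the privilege-separation monitor handling the unprivileged child's request to start PAM. The vulnerable handler overwrites the username the monitor already recorded with the one carried in the child's message, which is the pattern the upstream commit linked in the description addresses; the fixed handler ignores the payload and uses the monitor's own record, so a fully compromised child cannot change whose PAM conversation is started. The struct fields, the function names (vulnerable_pam_init_ctx, fixed_pam_init_ctx, build_pam_init_request, simulate) and the scenario users are hypothetical; the message encoding follows the SSH "string" type (uint32 big-endian length followed by the bytes).

```c
/*
 * Added example, not OpenSSH code: a simplified model of the sshd
 * privilege-separation monitor handling a "start PAM" request from the
 * unprivileged pre-authentication child.  Names are hypothetical; the
 * wire encoding (uint32 big-endian length + bytes) follows SSH "string".
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER 64

/* Monitor-side authentication context.  'user' is recorded once, when
 * the monitor sees the first userauth request; 'pam_user' is the
 * account the PAM conversation is actually started for. */
struct authctxt {
	char user[MAX_USER];
	char pam_user[MAX_USER];
	int  pam_started;
};

typedef int (*pam_init_handler)(struct authctxt *, const uint8_t *, size_t);

/* Decode one SSH string into 'out'.  Returns bytes consumed, or 0 if
 * the message is truncated or the string would not fit. */
static size_t
get_string(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
	uint32_t n;
	if (len < 4)
		return 0;
	n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
	    ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
	if (n > len - 4 || n >= outsz)
		return 0;
	memcpy(out, buf + 4, n);
	out[n] = '\0';
	return 4 + n;
}

/* Encode the request a child sends to start PAM for 'user'.
 * Returns the request length, or 0 if it does not fit in 'out'. */
size_t
build_pam_init_request(const char *user, uint8_t *out, size_t outsz)
{
	size_t n = strlen(user);
	if (outsz < 4 + n)
		return 0;
	out[0] = (uint8_t)(n >> 24);
	out[1] = (uint8_t)(n >> 16);
	out[2] = (uint8_t)(n >> 8);
	out[3] = (uint8_t)n;
	memcpy(out + 4, user, n);
	return 4 + n;
}

/* Weak pattern: the monitor reads a username out of the request and
 * replaces the identity it already holds.  A child under attacker
 * control can therefore name any account, and PAM (plus everything
 * keyed on ctx->user afterwards) runs for that account. */
int
vulnerable_pam_init_ctx(struct authctxt *ctx, const uint8_t *msg, size_t len)
{
	char user[MAX_USER];
	if (get_string(msg, len, user, sizeof user) == 0)
		return -1;
	snprintf(ctx->user, sizeof ctx->user, "%s", user);
	snprintf(ctx->pam_user, sizeof ctx->pam_user, "%s", ctx->user);
	ctx->pam_started = 1;
	return 0;
}

/* Fixed pattern: the request carries nothing the monitor needs.  The
 * username comes from the monitor's own record, so the child cannot
 * change whose PAM conversation is started. */
int
fixed_pam_init_ctx(struct authctxt *ctx, const uint8_t *msg, size_t len)
{
	(void)msg;
	(void)len;
	snprintf(ctx->pam_user, sizeof ctx->pam_user, "%s", ctx->user);
	ctx->pam_started = 1;
	return 0;
}

/* One scenario: the monitor recorded 'legit_user', then a compromised
 * child asks to start PAM for 'claimed_user'.  Returns the account PAM
 * was started for, or NULL if the request was rejected. */
const char *
simulate(pam_init_handler handler, const char *legit_user,
    const char *claimed_user)
{
	static struct authctxt ctx;
	uint8_t msg[4 + MAX_USER];
	size_t len;
	memset(&ctx, 0, sizeof ctx);
	snprintf(ctx.user, sizeof ctx.user, "%s", legit_user);
	len = build_pam_init_request(claimed_user, msg, sizeof msg);
	if (len == 0 || handler(&ctx, msg, len) != 0 || !ctx.pam_started)
		return NULL;
	return ctx.pam_user;
}

int
main(void)
{
	/* Constructed scenario: "alice" logs in; the compromised child
	 * claims "root" when asking the monitor to start PAM. */
	const char *v = simulate(vulnerable_pam_init_ctx, "alice", "root");
	const char *f = simulate(fixed_pam_init_ctx, "alice", "root");
	printf("vulnerable monitor starts PAM for: %s\n", v ? v : "(rejected)");
	printf("fixed monitor starts PAM for:      %s\n", f ? f : "(rejected)");
	return 0;
}
```

Build with `cc -Wall -o privsep-model privsep-model.c` and run it. The point generalises beyond PAM: once the monitor has fixed the identity for a session, every later request from the unprivileged process is untrusted input and must not be allowed to alter that identity, which is exactly why the precondition in comment 10 (full compromise of the pre-authentication child) turns into impersonation of another user.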
Comment 15 errata-xmlrpc 2015-11-19 03:05:25 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2088 https://rhn.redhat.com/errata/RHSA-2015-2088.html
Comment 18 errata-xmlrpc 2016-05-10 15:29:11 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0741 https://rhn.redhat.com/errata/RHSA-2016-0741.html