Bug 1252852 - (CVE-2015-6564) CVE-2015-6564 openssh: Use-after-free bug related to PAM support
CVE-2015-6564 openssh: Use-after-free bug related to PAM support
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150811,repor...
: Security
Depends On: 1252853 1265807 1281468
Blocks: 1210268 1252864 1278736
  Show dependency treegraph
 
Reported: 2015-08-12 07:25 EDT by Adam Mariš
Modified: 2016-05-11 02:44 EDT (History)
15 users (show)

See Also:
Fixed In Version: openssh 7.0
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-11 02:44:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1580743 None None None Never

  None (edit)
Description Adam Mariš 2015-08-12 07:25:45 EDT
Use-after-free bug was found in openssh package. The vulnerability is exploitable by attackers who could compromise the pre-authentication process for remote code execution.

Upstream patch:

https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7

CVE request:

http://seclists.org/oss-sec/2015/q3/319

External References:

http://www.openssh.com/txt/release-7.0
Comment 1 Adam Mariš 2015-08-12 07:26:37 EDT
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1252853]
Comment 2 Fedora Update System 2015-08-18 01:19:29 EDT
openssh-7.0p1-1.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-08-19 04:15:49 EDT
openssh-6.9p1-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Slawomir Czarko 2015-08-25 04:08:05 EDT
Is this CVE-2015-6564? The patches look the same.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6564
Comment 5 Adam Mariš 2015-08-25 08:41:49 EDT
CVE assignment:

http://seclists.org/oss-sec/2015/q3/419
Comment 6 Fedora Update System 2015-08-27 19:48:57 EDT
openssh-6.6.1p1-16.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Tomas Hoger 2015-09-23 15:49:04 EDT
Further details of this issue can be found in the advisory form the original reporter that was posted to the full-disclosure mailing list:

http://seclists.org/fulldisclosure/2015/Aug/54

The advisory indicates that the use-after-free can only be triggered if attacker is able to fully compromise non-privileged pre-authentication process using some different flaw.  Reporter also indicates that they were unable to leverage this issue for any practical attack.
Comment 14 errata-xmlrpc 2015-11-19 03:05:35 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2088 https://rhn.redhat.com/errata/RHSA-2015-2088.html
Comment 17 errata-xmlrpc 2016-05-10 15:29:19 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0741 https://rhn.redhat.com/errata/RHSA-2016-0741.html

Note You need to log in before you can comment on or make changes to this bug.