Bug 1252852 (CVE-2015-6564) - CVE-2015-6564 openssh: Use-after-free bug related to PAM support
Summary: CVE-2015-6564 openssh: Use-after-free bug related to PAM support
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-6564
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1252853 1265807 1281468
Blocks: 1210268 1252864 1278736
TreeView+ depends on / blocked
 
Reported: 2015-08-12 11:25 UTC by Adam Mariš
Modified: 2021-02-17 05:01 UTC (History)
15 users (show)

Fixed In Version: openssh 7.0
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges.
Clone Of:
Environment:
Last Closed: 2016-05-11 06:44:26 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1580743 0 None None None Never
Red Hat Product Errata RHSA-2015:2088 0 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2015-11-19 08:38:51 UTC
Red Hat Product Errata RHSA-2016:0741 0 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2016-05-10 22:29:45 UTC

Description Adam Mariš 2015-08-12 11:25:45 UTC 
Use-after-free bug was found in openssh package. The vulnerability is exploitable by attackers who could compromise the pre-authentication process for remote code execution.

Upstream patch:

https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7

CVE request:

http://seclists.org/oss-sec/2015/q3/319

External References:

http://www.openssh.com/txt/release-7.0
Comment 1 Adam Mariš 2015-08-12 11:26:37 UTC 
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1252853]
Comment 2 Fedora Update System 2015-08-18 05:19:29 UTC 
openssh-7.0p1-1.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-08-19 08:15:49 UTC 
openssh-6.9p1-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Slawomir Czarko 2015-08-25 08:08:05 UTC 
Is this CVE-2015-6564? The patches look the same.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6564
Comment 5 Adam Mariš 2015-08-25 12:41:49 UTC 
CVE assignment:

http://seclists.org/oss-sec/2015/q3/419
Comment 6 Fedora Update System 2015-08-27 23:48:57 UTC 
openssh-6.6.1p1-16.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Tomas Hoger 2015-09-23 19:49:04 UTC 
Further details of this issue can be found in the advisory form the original reporter that was posted to the full-disclosure mailing list:

http://seclists.org/fulldisclosure/2015/Aug/54

The advisory indicates that the use-after-free can only be triggered if attacker is able to fully compromise non-privileged pre-authentication process using some different flaw.  Reporter also indicates that they were unable to leverage this issue for any practical attack.
Comment 14 errata-xmlrpc 2015-11-19 08:05:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2088 https://rhn.redhat.com/errata/RHSA-2015-2088.html
Comment 17 errata-xmlrpc 2016-05-10 19:29:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0741 https://rhn.redhat.com/errata/RHSA-2016-0741.html
Note You need to log in before you can comment on or make changes to this bug.