If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM.
Upstream fix: https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
Debian advisory: https://www.debian.org/security/2016/dsa-3550
Created openssh tracking bugs for this issue: Affects: fedora-all [bug 1328013]
The impact is minimal.
1. user_readenv is off by default in the pam_env module.
2. UseLogin is set to no by default and in general there is not much sense in setting it to yes.
The question is whether 'UseLogin yes' should be supported at all.
To extend what was mentioned in comment 2, the following conditions need to be met to exploit this issue:
1) sshd must be configured to use UseLogin=yes
2) PAM configuration for sshd must enable reading of users' ~/.pam_environment files
This is a non-default and very unlikely configuration of sshd on Red Hat Enterprise Linux.
- The default sshd configuration uses UseLogin=no.
- In Red Hat Enterprise Linux 6 and 7, configurations with UseLogin=yes do not work without setting SELinux to permissive mode or disabling it.
- While the default sshd PAM configuration uses the pam_env module, it is only used to read system configuration files. Reading of users' ~/.pam_environment is not enabled by default.
- PAM versions in Red Hat Enterprise Linux 5 and earlier do not support reading of users' environment settings, and hence this issue cannot be exploited on those versions.
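An added audit script, not part of this bug report or of OpenSSH, that tests a given sshd_config and PAM service file for the two conditions listed above (UseLogin yes together with pam_env user_readenv=1); the configuration files it runs against here are constructed samples.

```shell
#!/bin/sh
# Added audit helper; not from the bug report or OpenSSH. It checks the two
# conditions from comment 4 against an sshd_config and a PAM service file
# passed as arguments, and runs here against constructed sample files.

# Print the effective UseLogin value ("yes"/"no"). sshd uses the first
# value it obtains for a keyword, so the first uncommented match wins;
# "Keyword value" and "Keyword=value" forms are both accepted.
sshd_uselogin() {
    v=$(awk '{ sub(/#.*/, ""); gsub(/=/, " ")
               if (NF >= 2 && tolower($1) == "uselogin") { print tolower($2); exit } }' "$1")
    echo "${v:-no}"
}

# Print "yes" if any pam_env.so line carries user_readenv=1, i.e. PAM will
# read ~/.pam_environment. Files pulled in via "include"/"substack" are not
# followed, so check those separately.
pam_user_readenv() {
    v=$(awk '{ sub(/#.*/, "")
               if ($0 ~ /pam_env\.so/) for (i = 4; i <= NF; i++)
                   if ($i == "user_readenv=1") { print "yes"; exit } }' "$1")
    echo "${v:-no}"
}

# Both conditions must hold for the /bin/login environment issue to apply.
check_uselogin_pam_env() {
    if [ "$(sshd_uselogin "$1")" = yes ] && [ "$(pam_user_readenv "$2")" = yes ]; then
        echo exposed
    else
        echo "not exposed"
    fi
}

# Constructed samples: a default-like pair and a pair with both settings on.
tmp=$(mktemp -d)
printf '#UseLogin no\nUsePAM yes\n'                             > "$tmp/sshd_default"
printf 'UseLogin yes\nUsePAM yes\n'                             > "$tmp/sshd_bad"
printf 'session required pam_env.so\n'                          > "$tmp/pam_default"
printf 'session required pam_env.so readenv=1 user_readenv=1\n' > "$tmp/pam_bad"

echo "default pair: $(check_uselogin_pam_env "$tmp/sshd_default" "$tmp/pam_default")"
echo "UseLogin yes + user_readenv=1: $(check_uselogin_pam_env "$tmp/sshd_bad" "$tmp/pam_bad")"
```

Run it against the real files with `check_uselogin_pam_env /etc/ssh/sshd_config /etc/pam.d/sshd` to audit a host.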
Created gsi-openssh tracking bugs for this issue: Affects: fedora-all [bug 1328431]
openssh-7.2p2-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
openssh-7.2p2-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
May I know the openssl versions which are affected?
(In reply to venkatr07 from comment #15)
> may I know the openssl versions which are affected ?

Hello, Bugzilla is not a support tool; please contact secalert if you have any questions about this issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2588 https://rhn.redhat.com/errata/RHSA-2016-2588.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:0641 https://rhn.redhat.com/errata/RHSA-2017-0641.html