Bug 1328012 (CVE-2015-8325) - CVE-2015-8325 openssh: privilege escalation via user's PAM environment and UseLogin=yes
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8325
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1328013 1328431 1329191 1405374
Blocks: 1323912 1328015 1386080
Reported: 2016-04-18 08:48 UTC by Andrej Nemec
Modified: 2020-04-15 14:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root.
Clone Of:
Environment:
Last Closed: 2017-03-21 10:06:38 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2588 0 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2016-11-03 12:09:45 UTC
Red Hat Product Errata RHSA-2017:0641 0 normal SHIPPED_LIVE Moderate: openssh security and bug fix update 2017-03-21 12:31:22 UTC

Description Andrej Nemec 2016-04-18 08:48:25 UTC
If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM.

Upstream fix:

https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755

Debian advisory:

https://www.debian.org/security/2016/dsa-3550

Comment 1 Andrej Nemec 2016-04-18 08:48:51 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1328013]

Comment 2 Tomas Mraz 2016-04-18 09:01:42 UTC
The impact is minimal.

1. user_readenv is off by default in the pam_env module.
2. UseLogin is set to no by default and in general there is not much sense in setting it to yes.

The question is whether the 'UseLogin yes' should be supported at all.

Comment 3 Tomas Hoger 2016-04-19 11:28:39 UTC
To extend what was mentioned in comment 2, the following conditions need to be met to exploit this issue:

1) sshd must be configured to use UseLogin=yes
2) PAM configuration for sshd must enable reading of users' ~/.pam_environment files

This is a non-default and very unlikely configuration of sshd on Red Hat Enterprise Linux.

- The default sshd configuration uses UseLogin=no.
- In Red Hat Enterprise Linux 6 and 7, configurations with UseLogin=yes do not work without setting SELinux to permissive mode or disabling it.
- While the default sshd PAM configuration uses the pam_env module, it's only used to read system configuration files. Reading of users' ~/.pam_environment is not enabled by default.
- PAM versions in Red Hat Enterprise Linux 5 and earlier do not support reading of users' environment settings and hence this issue can not be exploited on those versions.
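
The two pre-conditions listed in comment 3 can be checked together on a host. The following audit script is an added example (not code from the bug report or from the OpenSSH project); it takes the sshd_config and PAM service file paths as arguments, runs on constructed sample files so it works offline, and does not follow PAM @include directives.

```shell
#!/bin/sh
# Added audit example (not from the bug report or OpenSSH). It flags the two
# pre-conditions from comment 3 when they occur together:
#   1) "UseLogin yes" in sshd_config (first non-comment occurrence wins, as in sshd)
#   2) pam_env.so loaded with user_readenv=1 in the sshd PAM stack
# Assumed: paths are passed as arguments; PAM @include lines are not followed.

# 0 if UseLogin is enabled (case-insensitive keyword, "key value" or "key=value"), else 1.
sshd_uselogin_enabled() {
    val=$(awk '{ sub(/^[[:space:]]+/, "")
                 if ($0 ~ /^#/ || NF == 0) next
                 n = split($0, f, /[[:space:]=]+/)
                 if (n >= 2 && tolower(f[1]) == "uselogin") { print tolower(f[2]); exit } }' "$1")
    [ "$val" = "yes" ]
}

# 0 if a non-comment pam_env.so line carries user_readenv=1, else 1.
pam_user_readenv_enabled() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_env\.so.*[[:space:]]user_readenv=1([[:space:]]|$)' "$1"
}

# Prints a verdict; returns 0 only when both conditions hold (the exposed combination).
check_cve_2015_8325() {
    sshd_cfg="${1:-/etc/ssh/sshd_config}"
    pam_cfg="${2:-/etc/pam.d/sshd}"
    if sshd_uselogin_enabled "$sshd_cfg" && pam_user_readenv_enabled "$pam_cfg"; then
        echo "EXPOSED: UseLogin yes in $sshd_cfg and pam_env user_readenv=1 in $pam_cfg"
        return 0
    fi
    echo "not exposed: $sshd_cfg / $pam_cfg"
    return 1
}

# Constructed sample configs (not real system files) so the check runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
vuln_sshd="$tmp/sshd_config.vuln"; safe_sshd="$tmp/sshd_config.safe"
vuln_pam="$tmp/pam_sshd.vuln";     safe_pam="$tmp/pam_sshd.safe"
printf '# UseLogin no\nPort 22\nUseLogin yes\n' > "$vuln_sshd"
printf 'Port 22\n#UseLogin yes\nUseLogin no\n' > "$safe_sshd"
printf 'auth required pam_sepermit.so\nsession required pam_env.so readenv=1 user_readenv=1\n' > "$vuln_pam"
printf 'session required pam_env.so\n# session required pam_env.so user_readenv=1\n' > "$safe_pam"

check_cve_2015_8325 "$vuln_sshd" "$vuln_pam" || true   # EXPOSED
check_cve_2015_8325 "$safe_sshd" "$vuln_pam" || true   # not exposed
check_cve_2015_8325 "$vuln_sshd" "$safe_pam" || true   # not exposed
```

On a real host, run it as `check_cve_2015_8325 /etc/ssh/sshd_config /etc/pam.d/sshd`; the fix is simply to keep UseLogin at its default of no, which the script confirms.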

Comment 5 Tomas Hoger 2016-04-19 11:32:06 UTC
Created gsi-openssh tracking bugs for this issue:

Affects: fedora-all [bug 1328431]

Comment 7 Fedora Update System 2016-04-24 20:52:15 UTC
openssh-7.2p2-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-05-07 11:58:53 UTC
openssh-7.2p2-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 venkatr07 2016-10-05 09:25:52 UTC
May I know the openssl versions which are affected?

Comment 16 Andrej Nemec 2016-10-05 11:40:01 UTC
(In reply to venkatr07 from comment #15)
> May I know the openssl versions which are affected?

Hello,

Bugzilla is not a support tool, please contact secalert if you have any questions about this issue.

Comment 17 errata-xmlrpc 2016-11-03 20:19:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2588 https://rhn.redhat.com/errata/RHSA-2016-2588.html

Comment 21 errata-xmlrpc 2017-03-21 10:01:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0641 https://rhn.redhat.com/errata/RHSA-2017-0641.html

