Bug 1328012 (CVE-2015-8325) - CVE-2015-8325 openssh: privilege escalation via user's PAM environment and UseLogin=yes
Summary: CVE-2015-8325 openssh: privilege escalation via user's PAM environment and Us...
Status: CLOSED ERRATA
Alias: CVE-2015-8325
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160413,repor...
Keywords: Security
Depends On: 1328013 1328431 1329191 1405374
Blocks: 1323912 1328015 1386080
TreeView+ depends on / blocked
 
Reported: 2016-04-18 08:48 UTC by Andrej Nemec
Modified: 2019-06-08 21:07 UTC (History)
14 users (show)

(edit)
It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root.
Clone Of:
(edit)
Last Closed: 2017-03-21 10:06:38 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2588 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2016-11-03 12:09:45 UTC
Red Hat Product Errata RHSA-2017:0641 normal SHIPPED_LIVE Moderate: openssh security and bug fix update 2017-03-21 12:31:22 UTC

Description Andrej Nemec 2016-04-18 08:48:25 UTC
If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM.

Upstream fix:

https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755

Debian advisory:

https://www.debian.org/security/2016/dsa-3550

Comment 1 Andrej Nemec 2016-04-18 08:48:51 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1328013]

Comment 2 Tomas Mraz 2016-04-18 09:01:42 UTC
The impact is minimal.

1. The user_readenv is off by default in pam_env module.
2. UseLogin is set to no by default and in general there is not much sense in setting it to yes.

The question is whether the 'UseLogin yes' should be supported at all.

Comment 3 Tomas Hoger 2016-04-19 11:28:39 UTC
To extend what was mentioned in comment 2, the following conditions need to be met to exploit this issue:

1) sshd must be configured to use UseLogin=yes
2) PAM configuration for sshd must enable reading of users' ~/.pam_environment files

This is non-default and very unlikely configuration of sshd on Red Hat Enterprise Linux.

- The default sshd configuration uses UseLogin=no.
- In Red Hat Enterprise Linux 6 and 7, configurations with UseLogin=yes do not work without setting SELinux to permissive mode or disabling it.
- While the default sshd PAM configuration use pam_env module, it's only used to read system configuration files.  Reading of users' ~/.pam_environment is not enabled by default.
- PAM versions in Red Hat Enterprise Linux 5 and earlier do not support reading of users' environment settings and hence this issue can not be exploited on those versions.

Comment 5 Tomas Hoger 2016-04-19 11:32:06 UTC
Created gsi-openssh tracking bugs for this issue:

Affects: fedora-all [bug 1328431]

Comment 7 Fedora Update System 2016-04-24 20:52:15 UTC
openssh-7.2p2-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-05-07 11:58:53 UTC
openssh-7.2p2-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 venkatr07 2016-10-05 09:25:52 UTC
may I know the openssl versions which are affected ?

Comment 16 Andrej Nemec 2016-10-05 11:40:01 UTC
(In reply to venkatr07 from comment #15)
> may I know the openssl versions which are affected ?

Hello,

Bugzilla is not a support tool, please contact secalert@redhat.com if you have any questions about this issue.

Comment 17 errata-xmlrpc 2016-11-03 20:19:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2588 https://rhn.redhat.com/errata/RHSA-2016-2588.html

Comment 21 errata-xmlrpc 2017-03-21 10:01:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0641 https://rhn.redhat.com/errata/RHSA-2017-0641.html


Note You need to log in before you can comment on or make changes to this bug.