OpenSSH: multiple authentication issues (CVE-2015-6563, CVE-2015-6564, CVE-2015-6565)
CVE-2015-6563
The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.
CVE-2015-6564
Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.
CVE-2015-6565
sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY devices, which allows local users to cause a denial of service (terminal disruption) or possibly have unspecified other impact by writing to a device, as demonstrated by writing an escape sequence.
References:
http://seclists.org/oss-sec/2015/q3/419
https://cxsecurity.com/cveshow/CVE-2015-6563/
https://cxsecurity.com/cveshow/CVE-2015-6564/
https://cxsecurity.com/cveshow/CVE-2015-6565/
(from redmine: issue id 4578, created on 2015-08-26, closed on 2015-08-27)
- Relations:
- child #4579 (closed)
- child #4580 (closed)
- child #4581 (closed)
- child #4582 (closed)
- Changesets:
- Revision 26c30cf5 by Natanael Copa on 2015-08-26T09:28:34Z:
main/openssh: security fixes from upstream
ref #4578
CVE-2015-6563:
sshd(8): Portable OpenSSH only: Fixed a privilege separation
weakness related to PAM support. Attackers who could successfully
compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could
impersonate other users. Reported by Moritz Jodeit.
CVE-2015-6564:
sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to
PAM support that was reachable by attackers who could compromise the
pre-authentication process for remote code execution. Also reported by
Moritz Jodeit.
CVE-2015-6565:
sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
writable. Local attackers may be able to write arbitrary messages
to logged-in users, including terminal escape sequences.
Reported by Nikolay Edigaryev.