Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 21 Aug 2015 23:00:53 -0400 (EDT)
From: cve-assign@...re.org
To: moritz@...efrostsecurity.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - OpenSSH 6.9 PAM privilege separation vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>> http://www.openssh.com/txt/release-7.0

>> Attackers who could successfully compromise the pre-authentication
>> process for remote code execution

As far as we know, what this means is that the attacker has the
ability to execute arbitrary code (or, specific unintended pieces of
code) with the uid of the sshd account. During a normal
pre-authentication phase, some code runs with this uid, and other code
runs as root. The phrase "pre-authentication process" is potentially
ambiguous, i.e., it could mean either "the sequence of steps that
occur during the pre-authentication phase" or "the UNIX process that
is intentionally running with the sshd uid."

We don't understand why "for remote code execution" was mentioned. A
case where a local attacker, who has access only to the sshd uid, can
exploit a bug in the monitor component seems completely relevant for
purposes of CVE.

In other words, we think the CVE IDs below apply to two types of
threat models: either there is a security-relevant bug in the code
that runs with the sshd uid, or the attacker happens to have access to
the sshd uid for a reason unrelated to the OpenSSH source code (e.g.,
administrative error). In the former case, there would be a separate
CVE ID for any such bug.


>>  * sshd(8): Portable OpenSSH only: Fixed a privilege separation
>>    weakness related to PAM support. Attackers who could successfully
>>    compromise the pre-authentication process for remote code
>>    execution and who had valid credentials on the host could
>>    impersonate other users.  Reported by Moritz Jodeit.

> The user impersonation issue was fixed by the following commit:

> https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b

Use CVE-2015-6563.


>>  * sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
>>    related to PAM support that was reachable by attackers who could
>>    compromise the pre-authentication process for remote code
>>    execution. Also reported by Moritz Jodeit.

> While the use-after-free is fixed by this commit:

> https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7

Use CVE-2015-6564.


>>  * sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
>>    writable. Local attackers may be able to write arbitrary messages
>>    to logged-in users, including terminal escape sequences.
>>    Reported by Nikolay Edigaryev.

Use CVE-2015-6565.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJV1+TiAAoJEL54rhJi8gl5M7MP/2IiKQy3YYNi2JQjEhNf41CN
TgzXBjq2xz5XNnfSWz8CMccQxdT45702taBlVARNLoW05OXVAhgmM9p092exI3ta
qw2d09p0esViZRsilFeU7A42tJl76z3Vbir0pwDoppTq559lMDG3n+fihL79xNjB
dMwhCRBHp0oDyC3GrX4hcX9e3HIh8aZA06xmzJ/Xo+ps1axEuy9BIbJKU0g1NTSa
qse7ajDjKhLYMGviX0oWWbnlJpcjMvPy6xkr0Q8v3A/92yMRDAISNw8WK6ip7kTZ
OpnN/gRuYZ4CTKwBKcbVgoBNL/7jXZeC+CLd1oq+FVSVnzSjiFky6Y3rOJtUSbHf
uBSoppryvxmE+jaw//lOdGImb4dY2esVBy8qFu2ci5K2Cgit29IOIjAVv8mx6BPt
HqUBjB3rCb8GHY7Cyvg6GZPahDqBVl3d4oee7JTyr87kcuAli9vHM5+U2WKpWXSD
n6WyOEkTbNdM0REbzALu6NLnGEh0H45QhT3CKoEnjaVxMD51oD9mZrg9Khyde2OI
KzAwapFAynwV10HqRg/5QPZGifxzcOrU+fGLAMZXr4PHzlxv8KgpbPCWLmQzYgJW
PYkdIrNGCyxrsBDPfUNMSh0sHvZ1HLezM6QSWkbuszfV9VspmU0Vq9uEG0d+N6bd
3+3rTSkfJ7wy/Ji21uwb
=LGPo
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.