Date: Fri, 21 Aug 2015 23:00:53 -0400 (EDT)
Subject: Re: CVE request - OpenSSH 6.9 PAM privilege separation vulnerabilities

>> Attackers who could successfully compromise the pre-authentication
>> process for remote code execution

As far as we know, what this means is that the attacker has the
ability to execute arbitrary code (or, specific unintended pieces of
code) with the uid of the sshd account. During a normal
pre-authentication phase, some code runs with this uid, and other code
runs as root. The phrase "pre-authentication process" is potentially
ambiguous, i.e., it could mean either "the sequence of steps that
occur during the pre-authentication phase" or "the UNIX process that
is intentionally running with the sshd uid."

We don't understand why "for remote code execution" was mentioned. A
case where a local attacker, who has access only to the sshd uid, can
exploit a bug in the monitor component seems completely relevant for
purposes of CVE.

In other words, we think the CVE IDs below apply to two types of
threat models: either there is a security-relevant bug in the code
that runs with the sshd uid, or the attacker happens to have access to
the sshd uid for a reason unrelated to the OpenSSH source code (e.g.,
administrative error). In the former case, there would be a separate
CVE ID for any such bug.

>>  * sshd(8): Portable OpenSSH only: Fixed a privilege separation
>>    weakness related to PAM support. Attackers who could successfully
>>    compromise the pre-authentication process for remote code
>>    execution and who had valid credentials on the host could
>>    impersonate other users.  Reported by Moritz Jodeit.

> The user impersonation issue was fixed by the following commit:


Use CVE-2015-6563.

>>  * sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
>>    related to PAM support that was reachable by attackers who could
>>    compromise the pre-authentication process for remote code
>>    execution. Also reported by Moritz Jodeit.

> While the use-after-free is fixed by this commit:


Use CVE-2015-6564.

>>  * sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
>>    writable. Local attackers may be able to write arbitrary messages
>>    to logged-in users, including terminal escape sequences.
>>    Reported by Nikolay Edigaryev.

Use CVE-2015-6565.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
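A practitioner reading the third item above (CVE-2015-6565) will want a quick way to audit a host for the condition it describes. The script below is an added example, not part of this message and not OpenSSH code. It assumes a Linux-style layout where pseudo-terminals live under /dev/pts and that a correctly set tty is either 0600 ("mesg n") or 0620 owned by group tty ("mesg y"); the defect the advisory describes is the extra "other" write bit on top of that. All function names (classify_tty_mode, find_world_writable, scan_ptys, remediate) and the SAMPLE_TTYS data are hypothetical and constructed for illustration.

```python
"""Audit pseudo-terminals for the world-writable mode described in the
OpenSSH 6.8/6.9 advisory (CVE-2015-6565).

Added example, not OpenSSH code.  Assumptions (not stated in the advisory):
ttys live under /dev/pts; a correct tty is 0600 ("mesg n") or 0620 with
group "tty" ("mesg y").  The bug is the additional S_IWOTH bit (e.g. 0622),
which lets any local user write bytes, including escape sequences, to a
logged-in user's terminal.
"""
import os
import stat
from typing import Dict, List, Tuple

# Verdicts returned by classify_tty_mode()
MESG_N = "mesg n (0600): only the owner can write"
MESG_Y = "mesg y (0620): owner and tty group can write"
WORLD_WRITABLE = "WORLD-WRITABLE: any local user can write to this tty"
UNEXPECTED = "unexpected mode"


def classify_tty_mode(mode: int) -> str:
    """Classify a tty's st_mode into one of the verdicts above.

    Only the permission bits are examined; the file-type bits are masked off.
    """
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IWOTH:
        # The 6.8/6.9 condition: the 'other' write bit is set.
        return WORLD_WRITABLE
    if perm == 0o600:
        return MESG_N
    if perm == 0o620:
        return MESG_Y
    return UNEXPECTED


def find_world_writable(entries: List[Tuple[str, int]]) -> List[str]:
    """Given (path, st_mode) pairs, return the paths that are world-writable."""
    return [path for path, mode in entries
            if classify_tty_mode(mode) == WORLD_WRITABLE]


def scan_ptys(pts_dir: str = "/dev/pts") -> Dict[str, str]:
    """Classify every character device in a pts directory (live system check)."""
    results: Dict[str, str] = {}
    try:
        with os.scandir(pts_dir) as it:
            for entry in it:
                st = entry.stat(follow_symlinks=False)
                if stat.S_ISCHR(st.st_mode):
                    results[entry.path] = classify_tty_mode(st.st_mode)
    except FileNotFoundError:
        # No pts directory on this host (or not a Linux-style layout).
        pass
    return results


def remediate(path: str, dry_run: bool = True) -> int:
    """Clear the 'other' write bit (equivalent to `chmod o-w`).

    Returns the permission bits the device would have afterwards; only
    changes the device when dry_run is False.
    """
    st = os.lstat(path)
    new_perm = stat.S_IMODE(st.st_mode) & ~stat.S_IWOTH
    if not dry_run:
        os.chmod(path, new_perm)
    return new_perm


# Constructed sample input: st_mode values as os.stat() would report them
# for character devices.  Not taken from any real host.
SAMPLE_TTYS: List[Tuple[str, int]] = [
    ("/dev/pts/0", stat.S_IFCHR | 0o620),  # mesg y: correct
    ("/dev/pts/1", stat.S_IFCHR | 0o600),  # mesg n: correct
    ("/dev/pts/2", stat.S_IFCHR | 0o622),  # the 6.8/6.9 defect
]


if __name__ == "__main__":
    print("constructed sample:", find_world_writable(SAMPLE_TTYS))
    for path, verdict in sorted(scan_ptys().items()):
        print(f"{path}: {verdict}")
```

Running it on a live host prints a verdict per pty; any WORLD-WRITABLE line is the condition the advisory describes, and `remediate(path, dry_run=False)` as root clears the offending bit for an already-allocated terminal (new sessions get their mode from the fixed sshd).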

