Amazon Linux AMI update for openssh
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2015-5600 CVE-2015-6563 CVE-2015-6564 |
| CWE-ID | CWE-264 CWE-20 CWE-416 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software Subscribe |
Amazon Linux AMI Operating systems & Components / Operating system |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU33288
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-5600
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
openssh-6.6.1p1-22.58.amzn1.i686
openssh-server-6.6.1p1-22.58.amzn1.i686
pam_ssh_agent_auth-0.9.3-9.22.58.amzn1.i686
openssh-keycat-6.6.1p1-22.58.amzn1.i686
openssh-ldap-6.6.1p1-22.58.amzn1.i686
openssh-debuginfo-6.6.1p1-22.58.amzn1.i686
openssh-clients-6.6.1p1-22.58.amzn1.i686
src:
openssh-6.6.1p1-22.58.amzn1.src
x86_64:
openssh-6.6.1p1-22.58.amzn1.x86_64
openssh-clients-6.6.1p1-22.58.amzn1.x86_64
pam_ssh_agent_auth-0.9.3-9.22.58.amzn1.x86_64
openssh-server-6.6.1p1-22.58.amzn1.x86_64
openssh-debuginfo-6.6.1p1-22.58.amzn1.x86_64
openssh-keycat-6.6.1p1-22.58.amzn1.x86_64
openssh-ldap-6.6.1p1-22.58.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2015-625.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU33998
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-6563
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to impersonate other users on the system.
The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
openssh-6.6.1p1-22.58.amzn1.i686
openssh-server-6.6.1p1-22.58.amzn1.i686
pam_ssh_agent_auth-0.9.3-9.22.58.amzn1.i686
openssh-keycat-6.6.1p1-22.58.amzn1.i686
openssh-ldap-6.6.1p1-22.58.amzn1.i686
openssh-debuginfo-6.6.1p1-22.58.amzn1.i686
openssh-clients-6.6.1p1-22.58.amzn1.i686
src:
openssh-6.6.1p1-22.58.amzn1.src
x86_64:
openssh-6.6.1p1-22.58.amzn1.x86_64
openssh-clients-6.6.1p1-22.58.amzn1.x86_64
pam_ssh_agent_auth-0.9.3-9.22.58.amzn1.x86_64
openssh-server-6.6.1p1-22.58.amzn1.x86_64
openssh-debuginfo-6.6.1p1-22.58.amzn1.x86_64
openssh-keycat-6.6.1p1-22.58.amzn1.x86_64
openssh-ldap-6.6.1p1-22.58.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2015-625.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after free
EUVDB-ID: #VU1482
Risk: Low
CVSSv3.1: 8.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID: CVE-2015-6564
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use after free error within the mm_answer_pam_free_ctx() function in monitor.c in sshd daemon on non-OpenBSD platforms. A local unprivileged user can send an unexpected early MONITOR_REQ_PAM_FREE_CTX request and gain root privileges on the system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
openssh-6.6.1p1-22.58.amzn1.i686
openssh-server-6.6.1p1-22.58.amzn1.i686
pam_ssh_agent_auth-0.9.3-9.22.58.amzn1.i686
openssh-keycat-6.6.1p1-22.58.amzn1.i686
openssh-ldap-6.6.1p1-22.58.amzn1.i686
openssh-debuginfo-6.6.1p1-22.58.amzn1.i686
openssh-clients-6.6.1p1-22.58.amzn1.i686
src:
openssh-6.6.1p1-22.58.amzn1.src
x86_64:
openssh-6.6.1p1-22.58.amzn1.x86_64
openssh-clients-6.6.1p1-22.58.amzn1.x86_64
pam_ssh_agent_auth-0.9.3-9.22.58.amzn1.x86_64
openssh-server-6.6.1p1-22.58.amzn1.x86_64
openssh-debuginfo-6.6.1p1-22.58.amzn1.x86_64
openssh-keycat-6.6.1p1-22.58.amzn1.x86_64
openssh-ldap-6.6.1p1-22.58.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2015-625.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
