#VU251 Incorrect handling of environment files in OpenSSH


Published: 2016-08-02 | Updated: 2016-08-22

Vulnerability identifier: #VU251

Vulnerability risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-8325

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
OpenSSH
Server applications / Remote management servers, RDP, SSH

Vendor: OpenSSH

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists in portable version of OpenSSH. A local user can execute arbitrary code as root by setting specially crafted environment variables to conduct attacks against the 'bin/login' process on systems, where PAM is configured to read user-specified environment variables and 'sshd_config' is set to 'UseLogin=yes'.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Mitigation
Install the latest version of OpenSSH 7.3.

Vulnerable software versions

OpenSSH: 7.0p1 - 7.2p2

External links
http://www.openssh.com/txt/release-7.3

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell VxRail Appliance
Juniper Junos OS update for OpenSSH
Amazon Linux AMI update for openssh
Slackware Linux update for openssh
Multiple vulnerabilities in OpenSSH for Debian
Multiple vulnerabilities in OpenSSH for Ubuntu
Multiple vulnerabilities in OpenSSH
Debian update for openssh