CVE-2015-8325

Description

The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.

CVSS Metrics

• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v3.0•HIGH•Score: 7.8CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.2AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 0.08%• Percentile: 24%

Techniques & Countermeasures

• CWE-264•Permissions, Privileges, and Access Controls

  Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

• CWE-1262•Improper Access Control for Register Interface

  The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.

Affected Systems

• canonical•ubuntu_core

  15.04

• canonical•ubuntu_linux

  12.04 | 14.04 | 15.10

• canonical•ubuntu_touch

  15.04

• debian•debian_linux

  7.0 | 8.0

• openbsd•openssh

  ≤ 7.2

References (12)

• http://www.securityfocus.com/bid/86187
• http://www.debian.org/security/2016/dsa-3550
• https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8325.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1328012
• http://rhn.redhat.com/errata/RHSA-2017-0641.html
• http://rhn.redhat.com/errata/RHSA-2016-2588.html
• http://www.securitytracker.com/id/1036487
• https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
• https://security-tracker.debian.org/tracker/CVE-2015-8325
• https://security.gentoo.org/glsa/201612-18
• https://security.netapp.com/advisory/ntap-20180628-0001/
• https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf