Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU33998
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-6563
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a local user to impersonate other users on the system.
The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
OpenSSH: 5.0 - 6.9p1
https://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/165170.html
https://lists.opensuse.org/opensuse-security-announce/2015-09/msg00017.html
https://rhn.redhat.com/errata/RHSA-2016-0741.html
https://seclists.org/fulldisclosure/2015/Aug/54
https://www.openssh.com/txt/release-7.0
https://www.openwall.com/lists/oss-security/2015/08/22/1
https://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
https://www.securityfocus.com/bid/76317
https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
https://security.gentoo.org/glsa/201512-04
https://security.netapp.com/advisory/ntap-20180201-0002/
https://support.apple.com/HT205375
https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-766
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.