#VU33998 Input validation error in OpenSSH - CVE-2015-6563

Cybersecurity Help s.r.o.

Published: 2020-08-05

Vulnerability identifier: #VU33998

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-6563

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
OpenSSH
Server applications / Remote management servers, RDP, SSH

Vendor: OpenSSH

Description

The vulnerability allows a local user to impersonate other users on the system.

The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenSSH: 5.0 - 6.9p1

External links
https://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/165170.html
https://lists.opensuse.org/opensuse-security-announce/2015-09/msg00017.html
https://rhn.redhat.com/errata/RHSA-2016-0741.html
https://seclists.org/fulldisclosure/2015/Aug/54
https://www.openssh.com/txt/release-7.0
https://www.openwall.com/lists/oss-security/2015/08/22/1
https://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
https://www.securityfocus.com/bid/76317
https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
https://security.gentoo.org/glsa/201512-04
https://security.netapp.com/advisory/ntap-20180201-0002/
https://support.apple.com/HT205375
https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-766

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM FlashSystem models 840 and 900

Multiple vulnerabilities in SAN Volume Controller and Storwize Family

Amazon Linux AMI update for openssh

Input validation error in openssh (Alpine package)

Security restrictions bypass in OpenSSH