CVE-2014-2532

openssh: AcceptEnv environment restriction bypass flaw

Severity Score

4.9

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.

sshd en OpenSSH anterior a 6.6 no soporta debidamente comodines en líneas AcceptEnv en sshd_config, lo que permite a atacantes remotos evadir restricciones de entorno mediante el uso de una subcadena localizada antes de un caracter de comodín.

It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.

OpenSSH is OpenBSD's SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-03-17 CVE Reserved
2014-03-18 CVE Published
2024-08-06 CVE Updated
2026-03-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-138: Improper Neutralization of Special Elements
CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (25)

URL	Tag	Source
http://advisories.mageia.org/MGASA-2014-0143.html	X_refsource_confirm
http://aix.software.ibm.com/aix/efixes/security/openssh_advisory4.asc	X_refsource_confirm
http://marc.info/?l=openbsd-security-announce&m=139492048027313&w=2	Mailing List
http://secunia.com/advisories/57488	Third Party Advisory
http://secunia.com/advisories/57574	Third Party Advisory
http://secunia.com/advisories/59313	Third Party Advisory
http://secunia.com/advisories/59855	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html	X_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	X_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html	X_refsource_confirm
http://www.securityfocus.com/bid/66355	Vdb Entry
http://www.securitytracker.com/id/1029925	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/91986	Vdb Entry
https://support.apple.com/HT205267	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html	2018-07-19
http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134026.html	2018-07-19
http://lists.fedoraproject.org/pipermail/package-announce/2014-May/133537.html	2018-07-19
http://marc.info/?l=bugtraq&m=141576985122836&w=2	2018-07-19
http://rhn.redhat.com/errata/RHSA-2014-1552.html	2018-07-19
http://www.debian.org/security/2014/dsa-2894	2018-07-19
http://www.mandriva.com/security/advisories?name=MDVSA-2014:068	2018-07-19
http://www.mandriva.com/security/advisories?name=MDVSA-2015:095	2018-07-19
http://www.ubuntu.com/usn/USN-2155-1	2018-07-19
https://access.redhat.com/security/cve/CVE-2014-2532	2014-10-13
https://bugzilla.redhat.com/show_bug.cgi?id=1077843	2014-10-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oracle Search vendor "Oracle"		Communications User Data Repository Search vendor "Oracle" for product "Communications User Data Repository"				10.0.1 Search vendor "Oracle" for product "Communications User Data Repository" and version "10.0.1"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				<= 6.5 Search vendor "Openbsd" for product "Openssh" and version " <= 6.5"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				6.0 Search vendor "Openbsd" for product "Openssh" and version "6.0"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				6.1 Search vendor "Openbsd" for product "Openssh" and version "6.1"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				6.2 Search vendor "Openbsd" for product "Openssh" and version "6.2"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				6.3 Search vendor "Openbsd" for product "Openssh" and version "6.3"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				6.4 Search vendor "Openbsd" for product "Openssh" and version "6.4"		-		Affected