CVE-2015-8325
openssh: privilege escalation via user's PAM environment and UseLogin=yes
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.
La función do_setup_env en session.c en sshd en OpenSSH hasta la versión 7.2p2, cuando la funcionalidad UseLogin está activa y PAM está configurado para leer archivos .pam_environment en directorios home de usuario, permite a usuarios locales obtener privilegios desencadenando un entorno manipulado para el programa /bin/login, según lo demostrado por una variable de entorno LD_PRELOAD.
It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-11-24 CVE Reserved
- 2016-04-15 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-863: Incorrect Authorization
CAPEC
References (13)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-2588.html | 2022-12-13 | |
| http://rhn.redhat.com/errata/RHSA-2017-0641.html | 2022-12-13 | |
| http://www.debian.org/security/2016/dsa-3550 | 2022-12-13 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1328012 | 2017-03-21 | |
| https://security.gentoo.org/glsa/201612-18 | 2022-12-13 | |
| https://access.redhat.com/security/cve/CVE-2015-8325 | 2017-03-21 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
| Openbsd Search vendor "Openbsd" | Openssh Search vendor "Openbsd" for product "Openssh" | <= 7.2 Search vendor "Openbsd" for product "Openssh" and version " <= 7.2" | p2 |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Core Search vendor "Canonical" for product "Ubuntu Core" | 15.04 Search vendor "Canonical" for product "Ubuntu Core" and version "15.04" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 15.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "15.10" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Touch Search vendor "Canonical" for product "Ubuntu Touch" | 15.04 Search vendor "Canonical" for product "Ubuntu Touch" and version "15.04" | - |
Affected
| ||||||