Category:   Application (VPN)  >   OpenSSH
Vendors:
(Oracle Issues Fix for Oracle Linux) OpenSSH PAM Privilege Separation Bugs Lets Remote Users Gain Elevated Privileges in Certain Cases
SecurityTracker Alert ID:  1034224
SecurityTracker URL:
CVE Reference:   CVE-2015-6563, CVE-2015-6564
Date:  Nov 24 2015
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.9p1 and prior
Description:   Two vulnerabilities were reported in OpenSSH. A remote user can gain elevated privileges in certain cases.

A remote user who can exploit a separate vulnerability in the unprivileged pre-authentication process to execute arbitrary code can then exploit two separate flaws in sshd(8) to bypass privilege separation controls [CVE-2015-6563, CVE-2015-6564].

Moritz Jodeit of Blue Frost Security GmbH reported these vulnerabilities.

Impact:   A remote user who can exploit an independent vulnerability in the pre-authentication process can bypass the privilege separation controls.
Solution:   Oracle has issued a fix.

The Oracle Linux advisory is available at:

Vendor URL:
Cause:   Access control error
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Aug 14 2015 OpenSSH PAM Privilege Separation Bugs Lets Remote Users Gain Elevated Privileges in Certain Cases

 Source Message Contents

Subject:  [El-errata] ELSA-2015-2088 Moderate: Oracle Linux 7 openssh security, bug fix, and enhancement update

Oracle Linux Security Advisory ELSA-2015-2088

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- Use the correct constant for glob limits (#1160377)

- Extend memory limit for remote glob in sftp acc. to stat limit (#1160377)

- Fix vulnerabilities published with openssh-7.0 (#1265807)
  - Privilege separation weakness related to PAM support
  - Use-after-free bug related to PAM support

- Increase limit of files for glob match in sftp to 8192 (#1160377)

- Add GSSAPIKexAlgorithms option for server and client application 

- Security fixes released with openssh-6.9 (CVE-2015-5352) (#1247864)
  - XSECURITY restrictions bypass under certain conditions in ssh(1) 
  - weakness of agent locking (ssh-add -x) to password guessing (#1238238)

- only query each keyboard-interactive device once (CVE-2015-5600) 

- One more typo in manual page documenting TERM variable (#1162683)
- Fix race condition with auditing messages answers (#1240613)

- Fix ldif schema to have correct spacing on newlines (#1184938)
- Add missing values for sshd test mode (#1187597)
- ssh-copy-id: tcsh doesn't work with multiline strings (#1201758)
- Fix memory problems with newkeys and array transfers (#1223218)
- Enhance AllowGroups documentation in man page (#1150007)

- Increase limit of files for glob match in sftp (#1160377)
- Add to /etc/pam.d/sshd (#1204233)
- Show all config values in sshd test mode (#1187597)
- Document required selinux boolean for working ssh-ldap-helper (#1178116)
- Consistent usage of pam_namespace in sshd (#1125110)
- Fix auditing when using combination of ForcedCommand and PTY (#1199112)
- Add sftp option to force mode of created files (#1197989)
- Ability to specify an arbitrary LDAP filter in ldap.conf for 
ssh-ldap-helper (#1201753)
- Provide documentation line for systemd service and socket (#1181591)
- Provide LDIF version of LPK schema (#1184938)
- Document TERM environment variable (#1162683)
- Fix ssh-copy-id on non-sh remote shells (#1201758)
- Do not read RSA1 hostkeys for HostBased authentication in FIPS (#1197666)
