• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: OpenSSH UseLogin Environment Variable Passing Vulnerability

Severity: HIGH

Description:

OpenSSH is a freely available, open source implementation of the Secure Shell protocol. It is maintained by members of the OpenBSD team.

A problem has been discovered in OpenSSH that could allow local users to gain elevated privileges. OpenSSH allows for certain environment variables to be set when users log in with specific keys. When the server is configured to use 'login' via the UseLogin config flag, these environment variables are set for the 'login' process.

This behaviour could be exploited by a local attacker to load arbitrary shared libraries for 'login' via LD_PRELOAD resulting in the execution of arbitrary code with elevated privileges.

If the UseLogin flag is set, local users can gain root privileges. UseLogin is not enabled by default.

Affected Products:

• Debian Linux 2.2.0
• Debian Linux 2.2.0 68k
• Debian Linux 2.2.0 alpha
• Debian Linux 2.2.0 arm
• Debian Linux 2.2.0 powerpc
• Debian Linux 2.2.0 sparc
• FreeBSD FreeBSD 4.3.0
• FreeBSD FreeBSD 4.4.0
• HP Secure OS software for Linux 1.0.0
• OpenBSD OpenBSD 2.9.0
• OpenBSD OpenSSH 1.2.3
• OpenBSD OpenSSH 2.1.1
• OpenBSD OpenSSH 2.1.1 p1
• OpenBSD OpenSSH 2.3.1
• OpenBSD OpenSSH 2.3.1 p1
• OpenBSD OpenSSH 2.5.2
• OpenBSD OpenSSH 2.5.2 p2
• OpenBSD OpenSSH 2.9.0
• OpenBSD OpenSSH 2.9.0 p1
• OpenBSD OpenSSH 2.9.0 p2
• OpenBSD OpenSSH 3.0.0
• OpenBSD OpenSSH 3.0.0 p1
• OpenBSD OpenSSH 3.0.1
• OpenBSD OpenSSH 3.0.1 p1
• RedHat Linux 7.0.0
• RedHat Linux 7.0.0 alpha
• RedHat Linux 7.0.0 i386
• RedHat Linux 7.1.0 alpha
• RedHat Linux 7.1.0 i386
• RedHat Linux 7.1.0 ia64
• RedHat Linux 7.2.0 i386
• Trustix Secure Linux 1.1.0
• Trustix Secure Linux 1.2.0
• Trustix Secure Linux 1.5.0

References:

• OpenSSH: OpenSSH Project Homepage

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.