OpenSSH vulnerability CVE-2015-8325

2016-05-17T01:41:00
ID F5:K20911042
Type f5
Reporter f5
Modified 2017-12-21T08:29:00

Description

F5 Product Development has assigned ID 590840 (BIG-IP), ID 591516 (BIG-IQ), and ID 591518 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, BIG-IP iHealth may list Heuristic H20911042 on the Diagnostics > Identified > Low screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM | 13.0.0
12.0.0 - 12.1.2
11.0.0 - 11.6.2
10.1.0 - 10.2.4 | 13.1.0
12.1.3 | Low | OpenSSH, PAM
BIG-IP AAM | 13.0.0
12.0.0 - 12.1.2
11.0.0 - 11.6.2
10.1.0 - 10.2.4 | 13.1.0
12.1.3 | Low | OpenSSH, PAM
BIG-IP AFM | 13.0.0
12.0.0 - 12.1.2
11.0.0 - 11.6.2
10.1.0 - 10.2.4 | 13.1.0
12.1.3 | Low | OpenSSH, PAM
BIG-IP Analytics | 13.0.0
12.0.0 - 12.1.2
11.0.0 - 11.6.2
10.1.0 - 10.2.4 | 13.1.0
12.1.3 | Low | OpenSSH, PAM
BIG-IP APM | 13.0.0
12.0.0 - 12.1.2
11.0.0 - 11.6.2
10.1.0 - 10.2.4 | 13.1.0
12.1.3 | Low | OpenSSH, PAM
BIG-IP ASM | 13.0.0
12.0.0 - 12.1.2
11.0.0 - 11.6.2
10.1.0 - 10.2.4 | 13.1.0
12.1.3 | Low | OpenSSH, PAM
BIG-IP DNS | 13.0.0
12.0.0 - 12.1.2 | 13.1.0
12.1.3 | Low | OpenSSH, PAM
BIG-IP Edge Gateway | 11.0.0 - 11.3.0
10.1.0 - 10.2.4 | None | Low | OpenSSH, PAM
BIG-IP GTM | 11.0.0 - 11.6.2
10.1.0 - 10.2.4 | None | Low | OpenSSH, PAM
BIG-IP Link Controller | 13.0.0
12.0.0 - 12.1.2
11.0.0 - 11.6.2
10.1.0 - 10.2.4 | 13.1.0
12.1.3 | Low | OpenSSH, PAM
BIG-IP PEM | 13.0.0
12.0.0 - 12.1.2
11.3.0 - 11.6.2 | 13.1.0
12.1.3 | Low | OpenSSH, PAM
BIG-IP PSM | 11.0.0 - 11.4.1
10.1.0 - 10.2.4 | None | Low | OpenSSH, PAM
BIG-IP WebAccelerator | 11.0.0 - 11.3.0
10.1.0 - 10.2.4 | None | Low | OpenSSH, PAM
BIG-IP WOM | 11.0.0 - 11.3.0
10.1.0 - 10.2.4 | None | Low | OpenSSH, PAM
ARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None
Enterprise Manager | 3.0.0 - 3.1.1 | None | Low | OpenSSH, PAM
FirePass | None | 7.0.0
6.0.0 - 6.1.0 | Not vulnerable | None
BIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | OpenSSH, PAM
BIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | OpenSSH, PAM
BIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | OpenSSH, PAM
BIG-IQ ADC | 4.5.0 | None | Low | OpenSSH, PAM
BIG-IQ Centralized Management | 4.6.0 | None | Low | OpenSSH, PAM
BIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | OpenSSH, PAM
LineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None
F5 WebSafe | None | 1.0.0 | Not vulnerable | None
Traffix SDC | None | 4.0.0 - 4.4.0
3.3.2 - 3.5.1 | Not vulnerable | None

Note: The system must meet the following conditions before anybody can exploit this issue:

  • You must configure the sshd to use UseLogin=yes.
  • You must configure a pluggable authentication module (PAM) for sshd so the system can read the user's ~/.pam environment files.

This previously described configuration is not the default configuration, and is a very unlikely sshd configuration on Red Hat Enterprise Linux.

Note the following:

  • The default sshd configuration uses UseLogin=no.
  • In Red Hat Enterprise Linux 6 and 7, configurations with UseLogin=yes do not work if you do not set SELinux to permissive mode, or disable SELinux.
  • While the default sshd PAM configuration uses the pam_env module, the system uses the module only to read system configuration files. The system does not, by default, enable you to read the user's ~/.pam_environment.
  • In Red Hat Enterprise Linux 5 and earlier PAM versions, you cannot read user's environment settings, and you cannot exploit this issue on those versions.

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

BIG-IP

BIG-IP is not vulnerable to this issue in default configurations. F5 recommends that you do not modify the PAM configuration to enable the UseLogin feature.

BIG-IQ/Enterprise Manager

The BIG-IQ/Enterprise Manager systems are not vulnerable to this issue in default configurations. F5 recommends that you do not modify the PAM configuration to enable the UseLogin feature in the BIG-IQ/Enterprise Manager configurations.